# Options:
# - pointopoint=IP: other endpoint's (private) IP (sets routing)
# - snat=1: enables SNAT ip rules
+# - dropkern=1: drops RST packets generated by the kernel
# - txqueuelen=N: sets TX queue
# - gre=<> : enable GRE tunnelling - several formats supported
# - gre=true|yes|name : computes GRE key as a hash of slice name (so it's valid across federations)
# - gre=somestring : computes GRE key as a hash of the provided string
# - gre=somekey : use the provided key as is
# - remote=IP : when using GRE, the (public) IP for the remote endpoint
+# - mtu=N : set the MTU for the device
import sys
import pwd
opt_txqueuelen = None
opt_rp_filter = None
opt_snat = None
+opt_dropkern = None
opt_ovs_dp = None
opt_pointopoint = None
opt_gre = None
opt_gre_remote = None
-
+opt_mtu = None
for optionline in options:
if len(optionline)==0: continue
intval = int(val)
if val=="1":
opt_snat = True
+ elif opt=="dropkern":
+ intval = int(val)
+ if val=="1":
+ opt_dropkern = True
elif opt=="pointopoint":
opt_pointopoint = val.strip()
try:
except socket.error,e:
print >>sys.stderr, "could not parse remote: %s" % (e,)
sys.exit(1)
+ elif opt=="mtu":
+ intval = int(val)
+ if intval<1:
+ print >>sys.stderr, "MTU value %s out of range" % (val)
+ sys.exit(1)
+ opt_mtu = intval
else:
print >>sys.stderr, "Unknown option: \"%s\"" % (opt)
sys.exit(1)
cmd_ifconfig += " txqueuelen %d" % (opt_txqueuelen,)
if opt_pointopoint is not None:
cmd_ifconfig += " pointopoint %s" % (opt_pointopoint,)
+if opt_mtu is not None:
+ cmd_ifconfig += " mtu %d" % (opt_mtu,)
# Add iptables rules (Clearing old ones first, if they exist)
cmd_iptables_in = "/sbin/iptables -A INPUT -i %s -m mark -m state --state NEW ! --mark %d -j DROP" % (vif, sliceid)
cmd_iptables_pr = "/sbin/iptables -t nat -A POSTROUTING -s %s/%d -j SNAT --to-source %s --random" % (vip, vmask, public_src)
cmd_iptables_del_pr = "/sbin/iptables -t nat -D POSTROUTING -s %s/%d -j SNAT --to-source %s --random > /dev/null 2>&1" % (vip, vmask, public_src)
+cmd_iptables_dk = "/sbin/iptables -I OUTPUT -p tcp -s %s/%d --tcp-flags RST RST -j DROP"%(vip,vmask)
+cmd_iptables_del_dk = "/sbin/iptables -D OUTPUT -p tcp -s %s/%d --tcp-flags RST RST -j DROP > /dev/null 2>&1"%(vip,vmask)
if opt_gre:
cmd_gre_setup = "modprobe ip_gre ; ip link add %s type %s remote %s local %s ttl 64 csum key %s" % (
if (opt_snat):
os.system(cmd_iptables_pr)
+os.system(cmd_iptables_del_dk)
+if (opt_snat):
+ os.system(cmd_iptables_dk)
+
# Process additional options
if opt_rp_filter is not None:
rp_cmd = "/sbin/sysctl net.ipv4.conf.%s.rp_filter=%s" % (vif, opt_rp_filter)
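Review bot: The new RST-drop rule is installed under the wrong condition: `opt_dropkern` is parsed and set from `dropkern=1`, but the install at the `if (opt_snat):` line preceding `os.system(cmd_iptables_dk)` keys on SNAT, so every SNAT slice silently gets the OUTPUT DROP rule and a slice that sets `dropkern=1` without `snat=1` never does. The guard should read `if opt_dropkern:` so the option documented in the header actually controls the rule. Separately, `intval = int(val)` in the new `dropkern` branch is unused and, as in the existing `snat` branch, raises an uncaught ValueError on a non-numeric value; either drop the line or handle it the way the `remote` branch handles parse errors. Note also that the rule matches every RST sourced from vip/vmask, not only kernel-generated ones, so the header comment may overstate its selectivity; a comment such as `# drops all outbound RSTs from the slice subnet, including application-generated ones` next to `cmd_iptables_dk` would make that clear. The option-parsing loop these branches belong to starts outside the hunk.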