From: Andy Bavier
Date: Fri, 1 May 2009 20:58:07 +0000 (+0000)
Subject: Connection marking for NAT
X-Git-Url: http://git.onelab.eu/?p=nodemanager-topo.git;a=commitdiff_plain;h=f9245e44c20a170157d5151083ff70ae1154e34a

Connection marking for NAT
---
diff --git a/NodeManager-topo.spec b/NodeManager-topo.spec
index 8188f9d..f1388f3 100644
--- a/NodeManager-topo.spec
+++ b/NodeManager-topo.spec
@@ -2,7 +2,7 @@ Name: NodeManager-topo
 Version: 0.4
-Release: 3
+Release: 4
 Summary: Plugin supporting creating a default virtual topology.
 Group: System Environment/Daemons
diff --git a/setup-nat b/setup-nat
index bb9053a..2ba9781 100644
--- a/setup-nat
+++ b/setup-nat
@@ -1,14 +1,10 @@
 #!/bin/sh +x
-IP=/sbin/ip
-
 SLICE=$1
 SLICEID=`id -u $SLICE`
 NODEID=$2
 KEY=$3
-modprobe etun
-
 #
 # OpenVPN uses addresses in 10./16 block. Avoid collisions with
 # this block. NAT interface is not advertised and so does not require
@@ -28,14 +24,10 @@ ETUN1=natx$KEY
 ip link add name $ETUN0 type veth peer name $ETUN1
 ifconfig $ETUN1 $EXTNET up
-/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
-/sbin/iptables -A FORWARD -i eth0 -o $ETUN1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-/sbin/iptables -A FORWARD -i $ETUN1 -o eth0 -j ACCEPT
-
 ### Put a process in the vserver so we can move the interface there
 su $SLICE -c "sleep 30 &"
 PID=`su $SLICE -c "pgrep -n sleep"`
-$IP link set $ETUN0 netns $PID
+ip link set $ETUN0 netns $PID
 naddress --add --nid $SLICEID --ip $INTNET
 sleep 1
@@ -43,3 +35,6 @@ su $SLICE -c "sudo /sbin/ifconfig $ETUN0 $INTNET up; \
 sudo /sbin/route add default gw $EXTIP; \
 sudo /sbin/ifconfig lo 127.0.0.1/8 up"
+ip rule add dev eth0 fwmark $KEY table $KEY
+ip route add table $KEY default via $INTIP
+iptables -t mangle -A PREROUTING -i $ETUN1 -j CONNMARK --set-mark $KEY
diff --git a/teardown-nat b/teardown-nat
index c237338..2d09d55 100644
--- a/teardown-nat
+++ b/teardown-nat
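Review bot: After this hunk setup-nat installs no MASQUERADE and no FORWARD rule for $ETUN1, and nothing else added in this commit replaces them, so traffic leaving the slice's NAT interface is only forwarded and source-translated if a host-wide iptables policy outside these scripts does it. If that is the intent, a comment where the rules used to be would save the next reader a search, e.g. `# NAT and forwarding for $ETUN1 are installed by the host-wide iptables policy, not per slice`. The removed rules also confined the slice to $ETUN1<->eth0 with only RELATED,ESTABLISHED traffic allowed inbound; whatever policy now covers this interface should keep that restriction rather than relying on a permissive FORWARD chain.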
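Review bot: The `CONNMARK --set-mark $KEY` rule stores the mark on the conntrack entry, but reply packets arriving on eth0 do not get a packet mark from it, so the new `ip rule add dev eth0 fwmark $KEY table $KEY` rule can only match if a `--restore-mark` rule exists somewhere outside these scripts. Unless that is the case, add after the set-mark line `iptables -t mangle -A PREROUTING -i eth0 -m connmark --mark $KEY -j CONNMARK --restore-mark` (with the matching `-D` in teardown-nat) so the connection mark is copied onto the reply packet before the routing decision. `$KEY` comes straight from argv and is now used as a fwmark, a routing-table id and an unquoted shell word, and the script has no `set -e`, so a bad value leaves a half-configured NAT silently; a guard near the top such as `case "$KEY" in ''|*[!0-9]*) echo "bad key: $KEY" >&2; exit 1;; esac` would fail fast instead. `$INTIP` used in the new route is assigned outside this hunk, so I have not checked that it is set by the time these lines run.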
@@ -3,10 +3,9 @@ KEY=$1
 ETUN1=natx$KEY
-# Remove iptables rules
-/sbin/iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
-/sbin/iptables -D FORWARD -i eth0 -o $ETUN1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-/sbin/iptables -D FORWARD -i $ETUN1 -o eth0 -j ACCEPT
+iptables -t mangle -D PREROUTING -i $ETUN1 -j CONNMARK --set-mark $KEY
+
+ip rule del dev eth0 fwmark $KEY table $KEY
 # Get rid of etun devices, only need name of one of them
 ip link delete dev $ETUN1
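Review bot: The teardown deletes the mangle rule and the policy rule but never touches routing table $KEY, which setup-nat populated with `ip route add table $KEY default via $INTIP`; the kernel most likely drops that route when `ip link delete dev $ETUN1` removes the device it resolves through, but depending on that leaves a stale entry if the nexthop was ever reachable another way. Adding `ip route flush table $KEY` before the link deletion makes teardown-nat the exact inverse of setup-nat. None of these commands check their exit status and the script has no `set -e`, so a failed `-D` (for instance when setup-nat stopped part way) is silent; that is acceptable for best-effort cleanup but deserves a comment such as `# best effort: rules may already be absent if setup-nat failed part way`.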