[vsys-scripts.git] / root-context / exec / vif_up

#!/usr/bin/python
# VSYS script to configure per-slice virtual network interfaces from the root slice
#   Thom Haddow - 06/10/09
#
# Gets slice name as argv[1]
# Takes remaining args on stdin:
#   - Interface name (eg [tun|tap]<sliceid>-<n>)
#   - (private) IP address (eg 1.2.3.4)
#   - Netmask (as int, e.g. 24)
#   - Followed by options as name=value pairs
#
# Options:
#   - pointopoint=IP: other endpoint's (private) IP (sets routing)
#   - snat=1: enables SNAT ip rules
#   - dropkern=1: drops RST packets generated by the kernel
#   - txqueuelen=N: sets TX queue
#   - gre=<> : enable GRE tunnelling - several formats supported
#   -   gre=true|yes|name : computes GRE key as a hash of slice name (so it's valid across federations)
#   -   gre=id            : uses for GRE key the slice id (the one from the myplc database)
#   -   gre=somestring    : computes GRE key as a hash of the provided string
#   -   gre=somekey       : use the provided key as is
#   - remote=IP : when using GRE, the (public) IP for the remote endpoint
#   - mtu=N  : set the MTU for the device

import sys
import pwd
import re
import socket
import struct
import os
import string

vsys_config_dir = "/etc/planetlab/vsys-attributes"

if len(sys.argv) != 2: sys.exit(1)

# VSYS scripts get slicename as $1
slicename=sys.argv[1]
# the local xid for this slice
sliceid = pwd.getpwnam(slicename).pw_uid

netblock_config=os.path.join(vsys_config_dir,slicename,"vsys_vnet")

# Read netblock allocation file
base = None

for netblock in open(netblock_config,'r'):
    base, mask = netblock.split('/')

if base is None:
    print >>sys.stderr, "Could not find entry for slice %s in netblock config file %s" % (slicename, netblock_config)
    sys.exit(1)


### Read args from stdin
arglines = map(string.strip, sys.stdin.readlines())

if len(arglines)<3:
    print >>sys.stderr, "Insufficient argument lines."
    sys.exit(1)

vif = arglines[0] # interface name
vip = arglines[1] # IP
vmask = int(arglines[2]) # netmask as int

# Create options list
if len(arglines)>3:
    options = arglines[3:]
else:
    options = []

# Convert network base addr to int format by unpacking as 32bit net-ordered long (!L)
base_int = struct.unpack('!L',socket.inet_aton(base))[0]
mask = int(mask)


### Validate args
# Validate interface name
if len(vif)>16:
    print >>sys.stderr, "Interface name %s invalid"%(vif)
    sys.exit(1)

if re.match(r'(tun|tap)%d-\d+' % sliceid, vif ) is None:
    print >>sys.stderr, "Interface name %s does not match slice id %d."%(vif, sliceid)
    sys.exit(1)



# Validate requested IP and convert to int format.
try:
    vip_int = struct.unpack('!L',socket.inet_aton(vip))[0]
except socket.error:
    print >>sys.stderr, "Invalid IP: %s" % vip
    sys.exit(1)

# Check IP is in netblock
if (vip_int>>(32-mask)) != (base_int>>(32-mask)):
    print >>sys.stderr, "Requested IP %s not in netblock %s/%d" % (vip,base,mask)
    sys.exit(1)

# TODO. Check IP is not in use?

# Validate mask: Check requested mask is sane and within our netblock
if vmask>32 or vmask <8:
    print >>sys.stderr, "Requested netmask /%d is invalid" %(vmask)
    sys.exit(1)
    
if vmask<mask:
    print >>sys.stderr, "Requested netmask /%d larger than allocation /%d" %(vmask, mask)
    sys.exit(1)



### Process options

opt_txqueuelen = None
opt_rp_filter = None
opt_snat = None
opt_dropkern = None
opt_ovs_dp = None
opt_pointopoint = None
opt_gre = None
opt_gre_remote = None
opt_mtu = None

for optionline in options:
    if len(optionline)==0: continue
    try:
        opt, val = optionline.split('=')
    except:
        print >>sys.stderr, "Bad option line: \"%s\"" % (optionline)
        sys.exit(1)

    if opt=="rp_filter":
        if val=="0":
            opt_rp_filter="0"
        elif val=="1":
            opt_rp_filter="1"
        else:
            print >>sys.stderr, "rp_filter value invalid: \"%s\"" % (val)
            sys.exit(1)

    elif opt=="txqueuelen":
        intval = int(val)
        if intval<1 or intval>10000:
            print >>sys.stderr, "txqueuelen value %s out of range 1-10000" % (val)
            sys.exit(1)
        opt_txqueuelen = intval
    elif opt=="snat":
        intval = int(val)
        if val=="1":
            opt_snat = True
    elif opt=="dropkern":
        intval = int(val)
        if val=="1":
            opt_dropkern = True
    elif opt=="pointopoint":
        opt_pointopoint = val.strip()
        try:
            socket.inet_aton(opt_pointopoint)
        except socket.error,e:
            print >>sys.stderr, "could not parse pointopoint: %s" % (e,)
            sys.exit(1)
    elif opt=="vswitch":
        opt_ovs_dp = val
    # support several formats, parse later on
    elif opt=="gre":
        opt_gre = val
    elif opt=="remote":
        opt_gre_remote = val.strip()
        try:
            socket.inet_aton(opt_gre_remote)
        except socket.error,e:
            print >>sys.stderr, "could not parse remote: %s" % (e,)
            sys.exit(1)
    elif opt=="mtu":
        intval = int(val)
        if intval<1:
            print >>sys.stderr, "MTU value %s out of range" % (val)
            sys.exit(1)
        opt_mtu = intval
    else:
        print >>sys.stderr, "Unknown option: \"%s\"" % (opt)
        sys.exit(1)

# post processing for gre mode
if opt_gre:
    if not opt_pointopoint:
        print >>sys.stderr, "GRE tunnels need a pointopoint address"
        sys.exit(1)
    if not opt_gre_remote:
        print >>sys.stderr, "GRE tunnels need a pointopoint address"
        sys.exit(1)

    if vif.startswith('tun'):
        opt_gre_type = 'gre'
    else:
        opt_gre_type = 'gretap'

    opt_gre=opt_gre.lower()
    # helper - keys are expected between 0 and 2**32-1
    def gre_hash (string):
        return hash(string) & 0xffffffff
    # compute gre_key according to option format
    if opt_gre in ('yes','true','name'):
        gre_key=gre_hash(slicename)
    elif opt_gre in ('id','sliceid'):
        # use slice_id as the key - this is the one from myplc - won't work across federation
        gre_key = int(open("/etc/vservers/%s/slice_id" % (slicename,),"r").read().strip())
    elif opt_gre.isdigit():
        # use as-is
        gre_key=int(opt_gre)
    else:
        # hash the provided string
        gre_key=gre_hash(opt_gre)
    ### temporary - debug 
    ### use ip tunnel show to obtain the key, but it only works with IP over GRE
    #open('/tmp/%s.key'%vif,'w').write('%s\n'%gre_key)


### Configure interface

cmd_ifconfig = "/sbin/ifconfig %s %s" % (vif, vip)
if opt_pointopoint is None:
    cmd_ifconfig += "/%d" % (vmask,)
else:
    # point-to-point mask
    cmd_ifconfig += " netmask 255.255.255.255"
if opt_txqueuelen is not None:
    cmd_ifconfig += " txqueuelen %d" % (opt_txqueuelen,)
if opt_pointopoint is not None:
    cmd_ifconfig += " pointopoint %s" % (opt_pointopoint,)
if opt_mtu is not None:
    cmd_ifconfig += " mtu %d" % (opt_mtu,)

# Add iptables rules (Clearing old ones first, if they exist)
cmd_iptables_in = "/sbin/iptables -A INPUT -i %s -m mark -m state --state NEW ! --mark %d -j DROP" % (vif, sliceid)
cmd_iptables_del_in = "/sbin/iptables -D INPUT -i %s -m mark -m state --state NEW ! --mark %d -j DROP 2>/dev/null" % (vif, sliceid)
cmd_iptables_out = "/sbin/iptables -A OUTPUT -o %s -m state --state NEW -m mark ! --mark %d -j DROP" % (vif, sliceid)
cmd_iptables_del_out = "/sbin/iptables -D OUTPUT -o %s -m state --state NEW -m mark ! --mark %d -j DROP 2>/dev/null" % (vif, sliceid)

# this initial form should work again now, but for some reason on 2.6.27, 'ip route get ...' returns an empty line
#public_src = os.popen("ip route get 1.1.1.1 | head -1 | awk '{print $7;}'").read().rstrip();
public_src = os.popen("ifconfig | grep $(ip route | grep default | awk '{print $3}' | awk -F. '{print $1\"[.]\"$2}') | head -1 | awk '{print $2}' | awk -F : '{print $2}'").read().rstrip()
cmd_iptables_pr = "/sbin/iptables -t nat -A POSTROUTING -s %s/%d -j SNAT --to-source %s --random" % (vip, vmask, public_src)
cmd_iptables_del_pr = "/sbin/iptables -t nat -D POSTROUTING -s %s/%d -j SNAT --to-source %s --random > /dev/null 2>&1" % (vip, vmask, public_src)

cmd_iptables_dk = "/sbin/iptables -I OUTPUT -p tcp -s %s/%d --tcp-flags RST RST -j DROP"%(vip,vmask)
cmd_iptables_del_dk = "/sbin/iptables -D OUTPUT -p tcp -s %s/%d --tcp-flags RST RST -j DROP > /dev/null 2>&1"%(vip,vmask)

if opt_gre:
    cmd_gre_setup = "modprobe ip_gre ; ip link add %s type %s remote %s local %s ttl 64 csum key %s" % (
        vif, opt_gre_type, opt_gre_remote, public_src, gre_key )
    cmd_iptables_gre_pr = "/sbin/iptables -t mangle -A INPUT -i %s -m mark --mark 0 -j MARK --set-mark %s 2>/dev/null" % (
        vif, int(sliceid))

    os.system(cmd_gre_setup)
    os.system(cmd_iptables_gre_pr)

os.system(cmd_ifconfig)

os.system(cmd_iptables_del_in)
os.system(cmd_iptables_in)
os.system(cmd_iptables_del_out)
os.system(cmd_iptables_out)

# always remove snat rules
# in case there are leftovers from previous calls
os.system(cmd_iptables_del_pr)
if (opt_snat):
    os.system(cmd_iptables_pr)

os.system(cmd_iptables_del_dk)
if (opt_snat):
    os.system(cmd_iptables_dk)

# Process additional options
if opt_rp_filter is not None:
    rp_cmd = "/sbin/sysctl net.ipv4.conf.%s.rp_filter=%s" % (vif, opt_rp_filter)
    os.system(rp_cmd)

# OVS datapath
if opt_ovs_dp is not None:
    cmd_ovs_addif = "ovs-dpctl add-if %s %s"%(opt_ovs_dp,vif)
    os.system(cmd_ovs_addif)