XEN network masqu/routing
Zur Navigation springen
Zur Suche springen
XEN Netzwerk mit Masquerading/Routing auf SuSE 10.1 Notebook
Ich verwende folgendes Script unter SuSE 10.1 auf einem Notebook und WLAN mittels ndiswrapper in einer sehr speziellen Konfiguration: Da ich mit dem WLAN-Device wlan0 keine Standard-XEN-Bridge (peth0,eth0 -> xenbr0) zum laufen bekomme (evtl. wegen dem ndiswrapper?) muss ich Routing und Masquerading auf dem WLAN-Device verwenden. Dazu gebe ich den beiden XEN-Bridges (GREEN und RED) jeweils eine IP-Adresse und benutze die Firewall über normales Routing.
Notebook mittels WLAN (ndiswrapper) und Routing/Masquerading (wlan0)
route -n Kernel IP Routentabelle Ziel Router Genmask Flags Metric Ref Use Iface 10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 xenbr0 # GREEN 10.0.1.0 0.0.0.0 255.255.255.0 U 0 0 0 xenbr1 # RED 10.0.2.0 10.0.0.1 255.255.255.0 UG 0 0 0 xenbr0 # ORANGE 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0 # WLAN 169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 wlan0 # not used 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo 0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 wlan0 # WLAN
SuSE 10.1: Startup XEN-Network on Boot
/etc/init.d/after.local
#!/bin/sh
netdev=$(ip route list | awk '/^default / { print $NF }')
if [ -n "${netdev}" ]; then
echo "Starting EFW2 XEN Network Setup "
/etc/xen/scripts/network-fw3wlan start
echo "Starting EFW2 (XEN) "
xm create efw
echo "Starting DMZ (XEN) "
xm create dmz
#echo "Starting DEVEL (XEN) "
#xm create devel
/sbin/rcSuSEfirewall2 start
fi
3-Zonen Konfiguration mit Routing/Masquerading
#!/bin/sh
#============================================================================
# Xen network start/stop script.
#
# Xend calls a network script when it starts.
# The script name to use is defined in /etc/xen/xend-config.sxp
# in the network-script field.
# ---------------------------------------------------------------------------
# It creates a XEN network setup with 3 bridges for a firewall in a domU
# like IPCop / Shorewall / Endian Firewall with GREEN, RED and ORANGE net.
#
# This script creates 3 bridges (default xenbr0-2), gives the first
# bridge (xenbr0 = GREEN) an IP address, and the 2.nd bridge (xenbr1 = RED)
# optional also. It will set a route to the net's definded for the bridges.
# ---------------------------------------------------------------------------
# If all goes well, this should ensure that networking stays up.
# However, some configurations are upset by this, especially
# NFS roots. If the bridged setup does not meet your needs,
# configure a different script, for example using routing instead.
#
# Usage: network-fw3wlan (start|stop|status) {VAR=VAL}*
#
# Vars (all optional):
#
# bridge[0-2] The bridge to use (default xenbr${vifnum}).
#
# bridgeip[0-1] Holds the ip address the bridge should have in the
# the form ip/mask (10.0.0.1/24).
#
# brnet[0-2] Holds the network of the bridge (10.0.0.1/24).
#
# netdev The network device of dom0 (default from defaultroute)
#
# vifnum Virtual device number to use (default 0). Numbers >=8
# require the netback driver to have nloopbacks set to a
# higher value than its default of 8.
#
# start:
# Create the bridges, set up IP addresses and routes
#
# stop:
# Removes all routes from the bridge
# Removes any devices on the bridge from it.
# Deletes bridge
#
# status:
# Print addresses, interfaces, routes
#
#============================================================================
dir=$(dirname "$0")
. "$dir/xen-script-common.sh"
. "$dir/xen-network-common.sh"
findCommand "$@"
evalVariables "$@"
vifnum=${vifnum:-$(ip route list | awk '/^default / { print $NF }' | sed 's/^[^0-9]*//')}
vifnum=${vifnum:-0}
netdev=${netdev:-$(ip route list | awk '/^default / { print $NF }')}
netdev=${netdev:-eth${vifnum}}
antispoof=${antispoof:-no}
pdev="p${netdev}"
vdev="veth${vifnum}"
vif0="vif0.${vifnum}"
link_exists () {
if ip link show "$1" >/dev/null 2>/dev/null
then
return 0
else
return 1
fi
}
# Usage: show_status dev bridge
# Print ifconfig and routes.
show_status () {
local dev=$1
local bridge=$2
echo '============================================================'
ip addr show ${dev}
ip addr show ${bridge}
echo ' '
brctl show ${bridge}
echo ' '
ip route list
echo ' '
route -n
echo '============================================================'
}
# check for default XEN interfaces
check_xen_if () {
if ! link_exists "$vdev"; then
if link_exists "$pdev"; then
# The device is already up.
return
else
echo "
Link $vdev is missing.
This may be because you have reached the limit of the number of interfaces
that the loopback driver supports. If the loopback driver is a module, you
may raise this limit by passing it as a parameter (nloopbacks=<N>); if the
driver is compiled statically into the kernel, then you may set the parameter
using loopback.nloopbacks=<N> on the domain 0 kernel command line.
" >&2
exit 1
fi
fi
}
op_start () {
check_xen_if
###
# GREEN LAN:
# EFW (eth0: 10.0.0.1/24)
# |
# xenbr0------- more XEN domU's in LAN (10.0.0.x/24)
# |
# +--Dom0 (xenbr0: 10.0.0.254/24)
bridge=${bridge0:-xenbr0}
bridgeip=${br0ip:-10.0.0.254}
brnet=${br0net:-10.0.0.0/24}
brcast=${br0cast:-10.0.0.255}
br0gw=${br0gw:-$(echo $brnet | cut -d/ -f1 | cut -d. -f-3).1}
brnm="`echo $brnet | cut -d/ -f2`"
create_bridge ${bridge}
if link_exists "${bridge}"; then
ip link set ${bridge} up arp on
# Add IP-Address to Bridge if wlan is default-gateway
if [ "${netdev}" = "wlan${vifnum}" ]; then
if [ -n "${bridgeip}" ]; then
ip address add ${bridgeip}/${brnm} broadcast ${brcast} dev ${bridge} || true
#ip route add to ${brnet} dev ${bridge} || true
fi
fi
fi
###
# RED INTERFACE:
# EFW (eth1: 10.0.1.1/24)
# |
# xenbr1 $netdev (masquerade)
# | |
# +--Dom0--+
# (routing via xenbr1: 10.0.1.254)
bridge=${bridge1:-xenbr1}
bridgeip=${br1ip:-10.0.1.254}
brnet=${br1net:-10.0.1.0/24}
brcast=${br1cast:-10.0.1.255}
brnm="`echo $brnet | cut -d/ -f2`"
create_bridge ${bridge}
if link_exists "$bridge"; then
ip link set ${bridge} up arp on
# Add $netdev or IP-Address to Bridge
if [ "${netdev}" != "wlan${vifnum}" ]; then
if link_exists "${netdev}"; then
if ! ifdown ${netdev}; then
ip link set ${netdev} down
ip addr flush ${netdev}
fi
setup_bridge_port ${netdev}
add_to_bridge ${bridge} ${netdev}
fi
else
if [ -n "${bridgeip}" ]; then
ip address add ${bridgeip}/${brnm} broadcast ${brcast} dev ${bridge} || true
#ip route add to ${brnet} dev ${bridge} || true
fi
fi
fi
###
# ORANGE DMZ: setup route via EFW
# EFW (eth2: 10.0.2.1/24)
# |
# xenbr2----- more XEN domU's in DMZ (10.0.2.x/24)
# |
# +--DMZ1 (eth0: 10.0.2.x/24)
bridge=${bridge2:-xenbr2}
brnet=${br2net:-10.0.2.0/24}
create_bridge ${bridge}
if link_exists ${bridge}; then
ip link set ${bridge} up arp on
if [ -n "${br0gw}" ]; then
ip route add to ${brnet} via ${br0gw} || true
fi
fi
}
op_stop () {
###
# GREEN:
bridge=${bridge0:-xenbr0}
bridgeip=${br0ip:-10.0.0.254}
brnet=${br0net:-10.0.0.0/24}
br0gw=${br0gw:-$(echo $brnet | cut -d/ -f1 | cut -d. -f-3).1}
if link_exists ${bridge}; then
ip route del to ${brnet} dev ${bridge} || true
ip address del dev ${bridge} ${bridgeip}/32 || true
ip link set ${bridge} down arp off || true
##FIXME: 1st disconnect the correct interfaces from the bridge
brctl delif ${bridge} vif1.0 || true
brctl delbr ${bridge}
fi
###
# RED INTERFACE:
bridge=${bridge1:-xenbr1}
bridgeip=${br1ip:-10.0.1.254}
brnet=${br1net:-10.0.1.0/24}
if link_exists ${bridge}; then
ip route del to ${brnet} dev ${bridge} || true
ip address del dev ${bridge} ${bridgeip}/32 || true
ip link set ${bridge} down arp off || true
##FIXME: 1st disconnect the correct interfaces from the bridge
brctl delif ${bridge} vif1.1 || true
brctl delbr ${bridge}
fi
###
# ORANGE DMZ:
# Bridge has no IP
bridge=${bridge2:-xenbr2}
brnet=${br2net:-10.0.0.0/24}
if link_exists ${bridge}; then
ip route del to ${brnet} via ${br0gw}/32 || true
ip link set ${bridge} down arp off || true
##FIXME: 1st disconnect the correct interfaces from the bridge
brctl delif ${bridge} vif1.2 || true
brctl delif ${bridge} vif2.0 || true
brctl delbr ${bridge}
fi
rcSuSEfirewall2 start
}
case "$command" in
start)
op_start
;;
stop)
op_stop
;;
status)
show_status ${netdev} ${bridge}
;;
*)
echo "Unknown command: $command" >&2
echo 'Valid commands are: start, stop, status' >&2
exit 1
esac