XEN network masqu/routing

From Neobikers Wiki

XEN network with masquerading/routing on a SuSE 10.1 notebook

I use the following script under SuSE 10.1 on a notebook with WLAN via ndiswrapper in a rather special configuration: since I cannot get a standard XEN bridge (peth0, eth0 -> xenbr0) working with the WLAN device wlan0 (possibly because of ndiswrapper?), I have to use routing and masquerading on the WLAN device. To do so I give each of the two XEN bridges (GREEN and RED) an IP address and use the firewall via normal routing.

Notebook via WLAN (ndiswrapper) with routing/masquerading (wlan0)

route -n
Kernel IP Routentabelle
Ziel            Router          Genmask         Flags Metric Ref    Use Iface
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 xenbr0  # GREEN
10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 xenbr1  # RED
10.0.2.0        10.0.0.1        255.255.255.0   UG    0      0        0 xenbr0  # ORANGE
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 wlan0   # WLAN
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 wlan0   # not used
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 wlan0   # WLAN
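The routing table above is what makes the 3-zone layout work: GREEN and RED are bridges that dom0 is directly attached to, the DMZ (ORANGE) is reachable only through the firewall domU's GREEN address 10.0.0.1, and the default route leaves via wlan0. The following POSIX shell check is an added example, not part of the wiki page; it verifies a dom0 routing table against that layout, using a table constructed from the route -n output above (the network and device names are the page's defaults).

```shell
#!/bin/sh
# Added example: verify that a dom0 routing table matches the 3-zone layout
# (GREEN=xenbr0, RED=xenbr1, ORANGE via the EFW domU, default via wlan0).
# ROUTES is constructed from the "route -n" output on the page (header dropped).
ROUTES='10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 xenbr0
10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 xenbr1
10.0.2.0        10.0.0.1        255.255.255.0   UG    0      0        0 xenbr0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 wlan0
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 wlan0'

# route_field TABLE NET FIELD: print field FIELD (2=gateway, 8=iface) of the
# first row whose destination is NET; prints nothing if NET has no row.
route_field() {
    printf '%s\n' "$1" | awk -v net="$2" -v f="$3" '$1 == net { print $f; exit }'
}

# check_fw3_routes TABLE: 0 if TABLE matches the intended layout, 1 otherwise.
# Every violated expectation is reported on stderr.
check_fw3_routes() {
    table=$1
    rc=0
    # GREEN and RED: dom0 is directly attached to both bridges
    [ "$(route_field "$table" 10.0.0.0 8)" = xenbr0 ] || { echo "GREEN not on xenbr0" >&2; rc=1; }
    [ "$(route_field "$table" 10.0.1.0 8)" = xenbr1 ] || { echo "RED not on xenbr1" >&2; rc=1; }
    # ORANGE: only reachable through the firewall domU (EFW eth0 = 10.0.0.1).
    # A direct route on xenbr2 would let dom0 bypass the firewall into the DMZ.
    [ "$(route_field "$table" 10.0.2.0 2)" = 10.0.0.1 ] || { echo "DMZ not routed via EFW" >&2; rc=1; }
    [ "$(route_field "$table" 10.0.2.0 8)" != xenbr2 ] || { echo "DMZ directly attached to dom0" >&2; rc=1; }
    # Default route: must leave through the WLAN device, not through a bridge
    [ "$(route_field "$table" 0.0.0.0 8)" = wlan0 ] || { echo "default route not on wlan0" >&2; rc=1; }
    return $rc
}
```

On a live system the same function can be fed the real table with `check_fw3_routes "$(route -n | tail -n +3)"`, which skips the two header lines.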

SuSE 10.1: starting the XEN network at boot

/etc/init.d/after.local
#!/bin/sh
# Bring up the XEN network setup and the domUs once the default route
# (the WLAN device) exists.

# Device of the default route: the field following "dev", e.g. wlan0
netdev=$(ip route list | awk '/^default / { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }')

if [ -n "${netdev}" ]; then
    echo "Starting EFW2 XEN Network Setup "
    /etc/xen/scripts/network-fw3wlan start

    echo "Starting EFW2 (XEN) "
    xm create efw

    echo "Starting DMZ (XEN) "
    xm create dmz

    #echo "Starting DEVEL (XEN) "
    #xm create devel

    # reload the dom0 firewall now that the bridges and routes exist
    /sbin/rcSuSEfirewall2 start
fi

3-zone configuration with routing/masquerading

#!/bin/sh
#============================================================================
# Xen network start/stop script.
#
# Xend calls a network script when it starts.
# The script name to use is defined in /etc/xen/xend-config.sxp
# in the network-script field.
# ---------------------------------------------------------------------------
# It creates a XEN network setup with 3 bridges for a firewall in a domU
# like IPCop / Shorewall / Endian Firewall with GREEN, RED and ORANGE net.
#
# This script creates 3 bridges (default xenbr0-2), gives the first
# bridge (xenbr0 = GREEN) an IP address, and optionally the 2nd bridge
# (xenbr1 = RED) as well.  It sets a route to the nets defined for the bridges.
# ---------------------------------------------------------------------------
# If all goes well, this should ensure that networking stays up.
# However, some configurations are upset by this, especially
# NFS roots. If the bridged setup does not meet your needs,
# configure a different script, for example using routing instead.
#
# Usage: network-fw3wlan (start|stop|status) {VAR=VAL}*
#
# Vars (all optional):
#
# bridge[0-2]    The bridge to use (default xenbr${vifnum}).
#
# bridgeip[0-1]  Holds the ip address the bridge should have in the
#                the form ip/mask (10.0.0.1/24).
#
# brnet[0-2]     Holds the network of the bridge (10.0.0.1/24).
#
# netdev         The network device of dom0 (default from defaultroute)
#
# vifnum         Virtual device number to use (default 0). Numbers >=8
#                require the netback driver to have nloopbacks set to a
#                higher value than its default of 8.
#
# start:
# Create the bridges, set up IP addresses and routes
#
# stop:
# Removes all routes from the bridge
# Removes any devices on the bridge from it.
# Deletes bridge
#
# status:
# Print addresses, interfaces, routes
#
#============================================================================

dir=$(dirname "$0")
. "$dir/xen-script-common.sh"
. "$dir/xen-network-common.sh"

findCommand "$@"
evalVariables "$@"

# dom0 device of the default route (the field following "dev", e.g. wlan0)
# and the device number derived from it (wlan0 -> 0)
defdev=$(ip route list | awk '/^default / { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }')
vifnum=${vifnum:-$(echo "${defdev}" | sed 's/^[^0-9]*//')}
vifnum=${vifnum:-0}
netdev=${netdev:-${defdev}}
netdev=${netdev:-eth${vifnum}}
antispoof=${antispoof:-no}   # not used by this script

pdev="p${netdev}"
vdev="veth${vifnum}"
vif0="vif0.${vifnum}"

link_exists () {
    if ip link show "$1" >/dev/null 2>/dev/null
    then
        return 0
    else
        return 1
    fi
}

# Usage: show_status dev bridge
# Print ifconfig and routes.
show_status () {
    local dev=$1
    local bridge=$2

    echo '============================================================'
    ip addr show ${dev}
    ip addr show ${bridge}
    echo ' '
    brctl show ${bridge}
    echo ' '
    ip route list
    echo ' '
    route -n
    echo '============================================================'
}

# check for default XEN interfaces
check_xen_if () {
    if ! link_exists "$vdev"; then
        if link_exists "$pdev"; then
            # The device is already up.
            return
        else
            echo "
Link $vdev is missing.
This may be because you have reached the limit of the number of interfaces
that the loopback driver supports.  If the loopback driver is a module, you
may raise this limit by passing it as a parameter (nloopbacks=<N>); if the
driver is compiled statically into the kernel, then you may set the parameter
using loopback.nloopbacks=<N> on the domain 0 kernel command line.
" >&2
            exit 1
        fi
    fi
}

op_start () {

    check_xen_if

    ###
    # GREEN LAN:
    #  EFW (eth0: 10.0.0.1/24)
    #   |
    # xenbr0------- more XEN domU's in LAN (10.0.0.x/24)
    #   |
    #   +--Dom0 (xenbr0: 10.0.0.254/24)

    bridge=${bridge0:-xenbr0}
    bridgeip=${br0ip:-10.0.0.254}
    brnet=${br0net:-10.0.0.0/24}
    brcast=${br0cast:-10.0.0.255}
    br0gw=${br0gw:-$(echo $brnet | cut -d/ -f1 | cut -d. -f-3).1}
    brnm=$(echo $brnet | cut -d/ -f2)

    create_bridge ${bridge}

    if link_exists "${bridge}"; then
        ip link set ${bridge} up arp on

        # Add IP-Address to Bridge if wlan is default-gateway
        if [ "${netdev}" = "wlan${vifnum}" ]; then
            if [ -n "${bridgeip}" ]; then
                ip address add ${bridgeip}/${brnm} broadcast ${brcast} dev ${bridge} || true
                #ip route add to ${brnet} dev ${bridge} || true
            fi
        fi
    fi

    ###
    # RED INTERFACE:
    #  EFW (eth1: 10.0.1.1/24)
    #   |
    # xenbr1     $netdev (masquerade)
    #   |        |
    #   +--Dom0--+
    #   (routing via xenbr1: 10.0.1.254)

    bridge=${bridge1:-xenbr1}
    bridgeip=${br1ip:-10.0.1.254}
    brnet=${br1net:-10.0.1.0/24}
    brcast=${br1cast:-10.0.1.255}
    brnm=$(echo $brnet | cut -d/ -f2)

    create_bridge ${bridge}

    if link_exists "$bridge"; then
        ip link set ${bridge} up arp on

        # Add $netdev or IP-Address to Bridge
        if [ "${netdev}" != "wlan${vifnum}" ]; then
            if link_exists "${netdev}"; then
                if ! ifdown ${netdev}; then
                    ip link set ${netdev} down
                    ip addr flush ${netdev}
                fi
                setup_bridge_port ${netdev}
                add_to_bridge ${bridge} ${netdev}
            fi
        else
            if [ -n "${bridgeip}" ]; then
                ip address add ${bridgeip}/${brnm} broadcast ${brcast} dev ${bridge} || true
                #ip route add to ${brnet} dev ${bridge} || true
            fi
        fi
    fi

    ###
    # ORANGE DMZ: setup route via EFW
    #  EFW (eth2: 10.0.2.1/24)
    #   |
    # xenbr2----- more XEN domU's in DMZ (10.0.2.x/24)
    #   |
    #   +--DMZ1 (eth0: 10.0.2.x/24)

    bridge=${bridge2:-xenbr2}
    brnet=${br2net:-10.0.2.0/24}

    create_bridge ${bridge}

    if link_exists ${bridge}; then
        ip link set ${bridge} up arp on
        if [ -n "${br0gw}" ]; then
            ip route add to ${brnet} via ${br0gw} || true
        fi
    fi
}

op_stop () {

    ###
    # GREEN:

    bridge=${bridge0:-xenbr0}
    bridgeip=${br0ip:-10.0.0.254}
    brnet=${br0net:-10.0.0.0/24}
    brnm=$(echo $brnet | cut -d/ -f2)
    br0gw=${br0gw:-$(echo $brnet | cut -d/ -f1 | cut -d. -f-3).1}

    if link_exists ${bridge}; then
        ip route del to ${brnet} dev ${bridge} || true
        # the prefix length must match the one used in op_start,
        # otherwise "ip address del" does not find the address
        ip address del dev ${bridge} ${bridgeip}/${brnm} || true
        ip link set ${bridge} down arp off || true

        ##FIXME: 1st disconnect the correct interfaces from the bridge
        brctl delif ${bridge} vif1.0 || true
        brctl delbr ${bridge}
    fi

    ###
    # RED INTERFACE:

    bridge=${bridge1:-xenbr1}
    bridgeip=${br1ip:-10.0.1.254}
    brnet=${br1net:-10.0.1.0/24}
    brnm=$(echo $brnet | cut -d/ -f2)

    if link_exists ${bridge}; then
        ip route del to ${brnet} dev ${bridge} || true
        ip address del dev ${bridge} ${bridgeip}/${brnm} || true
        ip link set ${bridge} down arp off || true

        ##FIXME: 1st disconnect the correct interfaces from the bridge
        brctl delif ${bridge} vif1.1 || true
        brctl delbr ${bridge}
    fi

    ###
    # ORANGE DMZ:
    # Bridge has no IP; only the static route via the firewall domU is removed.
    bridge=${bridge2:-xenbr2}
    brnet=${br2net:-10.0.2.0/24}   # same default as in op_start

    if link_exists ${bridge}; then
        ip route del to ${brnet} via ${br0gw} || true
        ip link set ${bridge} down arp off || true

        ##FIXME: 1st disconnect the correct interfaces from the bridge
        brctl delif ${bridge} vif1.2 || true
        brctl delif ${bridge} vif2.0 || true
        brctl delbr ${bridge}
    fi

    rcSuSEfirewall2 start
}

case "$command" in
    start)
        op_start
        ;;

    stop)
        op_stop
        ;;

    status)
        # show the dom0 device together with each of the three bridges
        for b in ${bridge0:-xenbr0} ${bridge1:-xenbr1} ${bridge2:-xenbr2}; do
            show_status ${netdev} ${b}
        done
        ;;

    *)
        echo "Unknown command: $command" >&2
        echo 'Valid commands are: start, stop, status' >&2
        exit 1
esac