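#!/bin/sh -

# lxc-net: bring the LXC host bridge and its dnsmasq DHCP/DNS server up or
# down.  Usage: lxc-net {start|stop|restart|reload|force-reload}
#
# The @...@ paths are substituted at build time.
distrosysconfdir="@LXC_DISTRO_SYSCONF@"
varrun="@RUNTIME_PATH@/lxc"
varlib="@LOCALSTATEDIR@/lib"

# These can be overridden in @LXC_DISTRO_SYSCONF@/lxc
# or in @LXC_DISTRO_SYSCONF@/lxc-net
# NOTE(review): only the first of those two files is sourced below; if the
# lxc-net file is meant to be read by this script it currently is not, so
# confirm where that override is applied.

USE_LXC_BRIDGE="true"
LXC_BRIDGE="lxcbr0"
LXC_BRIDGE_MAC="00:16:3e:00:00:00"
LXC_ADDR="10.0.3.1"
LXC_NETMASK="255.255.255.0"
LXC_NETWORK="10.0.3.0/24"
LXC_DHCP_RANGE="10.0.3.2,10.0.3.254"
LXC_DHCP_MAX="253"
LXC_DHCP_CONFILE=""
LXC_DOMAIN=""

# IPv6 on the bridge is configured only when all three of ADDR, MASK and
# NETWORK are non-empty; NAT for it is opt-in.
LXC_IPV6_ADDR=""
LXC_IPV6_MASK=""
LXC_IPV6_NETWORK=""
LXC_IPV6_NAT="false"

# The config file is executed as shell code with this script's privileges
# (it runs as root), so it must only be writable by root.
[ ! -f "$distrosysconfdir/lxc" ] || . "$distrosysconfdir/lxc"

# Newer iptables accepts -w (wait for the xtables lock instead of failing
# when another process holds it).  Probe once and drop the flag when this
# iptables does not understand it.  The variable is deliberately expanded
# unquoted at its use sites so an empty value contributes no argument.
use_iptables_lock="-w"
iptables -w -L -n > /dev/null 2>&1 || use_iptables_lock=""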
1478N/A
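_netmask2cidr ()
{
    # Convert a dotted-quad IPv4 netmask (e.g. 255.255.255.0) into the
    # prefix length (24) used for "ip addr add ADDR/PREFIX".
    # Arguments: $1 - netmask in dotted-quad form
    # Outputs:   the prefix length (0..32) on stdout
    # Returns:   0 on success; 1 with a message on stderr and nothing on
    #            stdout when $1 does not have exactly four octets, contains
    #            an octet that is not a valid mask byte, or is not a
    #            contiguous run of 1-bits followed by 0-bits (e.g.
    #            255.0.255.0).  Callers must check the status: a silently
    #            wrong prefix would configure the bridge on the wrong network.
    local mask rest octet ones bits i seen_partial
    mask=$1
    # The trailing "." lets the same two expansions peel off every octet,
    # including the last one.
    rest="$mask."
    bits=0
    seen_partial=0
    i=0
    while [ "$i" -lt 4 ]; do
        octet=${rest%%.*}
        rest=${rest#*.}
        case "$octet" in
            255) ones=8 ;;
            254) ones=7 ;;
            252) ones=6 ;;
            248) ones=5 ;;
            240) ones=4 ;;
            224) ones=3 ;;
            192) ones=2 ;;
            128) ones=1 ;;
            0)   ones=0 ;;
            *)
                printf 'lxc-net: invalid netmask %s\n' "$mask" >&2
                return 1
                ;;
        esac
        # Once an octet contains a 0-bit, every following octet must be 0.
        if [ "$seen_partial" -eq 1 ] && [ "$ones" -ne 0 ]; then
            printf 'lxc-net: non-contiguous netmask %s\n' "$mask" >&2
            return 1
        fi
        [ "$ones" -eq 8 ] || seen_partial=1
        bits=$((bits + ones))
        i=$((i + 1))
    done
    # Anything left over means there were more than four octets.
    if [ -n "$rest" ]; then
        printf 'lxc-net: invalid netmask %s\n' "$mask" >&2
        return 1
    fi
    echo "$bits"
}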
1355N/A
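ifdown() {
    # Remove every address from interface $1 and bring it down.
    # Arguments: $1 - interface name (the bridge)
    # Returns:   1 without running anything when $1 is empty; otherwise the
    #            status of "ip link set ... down".
    local dev
    dev=$1
    if [ -z "$dev" ]; then
        echo "ifdown: interface name required" >&2
        return 1
    fi
    ip addr flush dev "$dev"
    ip link set dev "$dev" down
}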
1186N/A
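ifup() {
    # Assign the bridge address, set its MAC and bring the interface up.
    # Arguments: $1 - interface name (the bridge)
    #            $2 - IPv4 address (defaults to $LXC_ADDR)
    #            $3 - dotted-quad netmask (defaults to $LXC_NETMASK)
    # Globals:   LXC_ADDR, LXC_NETMASK (read as defaults), LXC_BRIDGE_MAC
    # Returns:   1 when $1 is empty or the netmask cannot be converted to a
    #            prefix length; otherwise the status of "ip link set ... up".
    local dev addr mask prefix
    dev=$1
    addr=${2:-$LXC_ADDR}
    mask=${3:-$LXC_NETMASK}
    if [ -z "$dev" ]; then
        echo "ifup: interface name required" >&2
        return 1
    fi
    # Declaration and substitution are kept apart so a failing conversion is
    # not hidden behind the always-successful "local".
    prefix=$(_netmask2cidr "$mask") || return 1
    ip addr add "${addr}/${prefix}" dev "$dev"
    ip link set dev "$dev" address "$LXC_BRIDGE_MAC"
    ip link set dev "$dev" up
}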
1281N/A
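start() {
    # Create the bridge, open the host firewall for DHCP/DNS on it, add the
    # forwarding and NAT rules, and launch dnsmasq.  Any failure after
    # "set -e" runs the cleanup trap, which tears everything down again.
    # Globals:   reads USE_LXC_BRIDGE, LXC_BRIDGE, LXC_ADDR, LXC_NETMASK,
    #            LXC_NETWORK, LXC_DHCP_*, LXC_DOMAIN, LXC_IPV6_*, varrun,
    #            varlib, use_iptables_lock; writes FAILED and the *_ARG vars.
    # Exits:     0 when bridging is disabled; 1 when already running or when
    #            setup fails.  "set -e" stays in effect for the rest of the
    #            script after this function has run.
    [ "x$USE_LXC_BRIDGE" = "xtrue" ] || { exit 0; }

    [ ! -f "${varrun}/network_up" ] || { echo "lxc-net is already running"; exit 1; }

    # A bridge left behind by an unclean stop is torn down first so the
    # rules below are not added a second time.
    if [ -d "/sys/class/net/${LXC_BRIDGE}" ]; then
        stop force || true
    fi

    FAILED=1

    cleanup() {
        set +e
        if [ "$FAILED" = "1" ]; then
            echo "Failed to setup lxc-net." >&2
            stop force
            exit 1
        fi
    }

    trap cleanup EXIT HUP INT TERM
    set -e

    # set up the lxc network
    # (the bridge may still exist here: stop keeps it when it has ports)
    if [ ! -d "/sys/class/net/${LXC_BRIDGE}" ]; then
        ip link add dev "${LXC_BRIDGE}" type bridge
    fi
    # Forwarding is enabled host-wide; stop does not switch it back off.
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # Best effort: the knob is not guaranteed to exist.
    echo 0 > "/proc/sys/net/ipv6/conf/${LXC_BRIDGE}/accept_dad" || true

    # if we are run from systemd on a system with selinux enabled,
    # the mkdir will create /run/lxc as init_var_run_t which dnsmasq
    # can't write its pid into, so we restorecon it (to var_run_t)
    if [ ! -d "${varrun}" ]; then
        mkdir -p "${varrun}"
        if command -v restorecon >/dev/null 2>&1; then
            restorecon "${varrun}"
        fi
    fi

    ifup "${LXC_BRIDGE}" "${LXC_ADDR}" "${LXC_NETMASK}"

    LXC_IPV6_ARG=""
    if [ -n "$LXC_IPV6_ADDR" ] && [ -n "$LXC_IPV6_MASK" ] && [ -n "$LXC_IPV6_NETWORK" ]; then
        echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
        echo 0 > "/proc/sys/net/ipv6/conf/${LXC_BRIDGE}/autoconf"
        ip -6 addr add dev "${LXC_BRIDGE}" "${LXC_IPV6_ADDR}/${LXC_IPV6_MASK}"
        if [ "$LXC_IPV6_NAT" = "true" ]; then
            ip6tables $use_iptables_lock -t nat -A POSTROUTING -s "${LXC_IPV6_NETWORK}" ! -d "${LXC_IPV6_NETWORK}" -j MASQUERADE
        fi
        LXC_IPV6_ARG="--dhcp-range=${LXC_IPV6_ADDR},ra-only --listen-address ${LXC_IPV6_ADDR}"
    fi

    # Host firewall: accept DHCP (67) and DNS (53) only when they arrive on
    # the bridge (-i), allow forwarding through the bridge in both
    # directions and masquerade container traffic leaving LXC_NETWORK.
    # The INPUT/FORWARD rules are inserted (-I) so they come before an
    # existing policy; stop deletes exactly this set of rules.
    iptables $use_iptables_lock -I INPUT -i "${LXC_BRIDGE}" -p udp --dport 67 -j ACCEPT
    iptables $use_iptables_lock -I INPUT -i "${LXC_BRIDGE}" -p tcp --dport 67 -j ACCEPT
    iptables $use_iptables_lock -I INPUT -i "${LXC_BRIDGE}" -p udp --dport 53 -j ACCEPT
    iptables $use_iptables_lock -I INPUT -i "${LXC_BRIDGE}" -p tcp --dport 53 -j ACCEPT
    iptables $use_iptables_lock -I FORWARD -i "${LXC_BRIDGE}" -j ACCEPT
    iptables $use_iptables_lock -I FORWARD -o "${LXC_BRIDGE}" -j ACCEPT
    iptables $use_iptables_lock -t nat -A POSTROUTING -s "${LXC_NETWORK}" ! -d "${LXC_NETWORK}" -j MASQUERADE
    # NOTE(review): presumably fills the UDP checksum of DHCP replies that
    # would otherwise be left for offload and dropped by container clients
    # - confirm.
    iptables $use_iptables_lock -t mangle -A POSTROUTING -o "${LXC_BRIDGE}" -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill

    LXC_DOMAIN_ARG=""
    if [ -n "$LXC_DOMAIN" ]; then
        LXC_DOMAIN_ARG="-s $LXC_DOMAIN -S /$LXC_DOMAIN/"
    fi

    # Initialise the same variable that is passed to dnsmasq below, so it is
    # empty rather than unset when no extra conf file is configured.
    LXC_DHCP_CONFILE_ARG=""
    if [ -n "$LXC_DHCP_CONFILE" ]; then
        LXC_DHCP_CONFILE_ARG="--conf-file=${LXC_DHCP_CONFILE}"
    fi

    # https://lists.linuxcontainers.org/pipermail/lxc-devel/2014-October/010561.html
    # dnsmasq runs as the first of these accounts that exists; when none
    # does, the loop leaves DNSMASQ_USER at the last candidate, "nobody".
    for DNSMASQ_USER in lxc-dnsmasq dnsmasq nobody
    do
        if getent passwd "${DNSMASQ_USER}" >/dev/null; then
            break
        fi
    done

    # LXC_DHCP_CONFILE_ARG, LXC_DOMAIN_ARG and LXC_IPV6_ARG are deliberately
    # unquoted: each holds zero or more whole arguments.  --bind-interfaces
    # together with --listen-address keeps dnsmasq off the host's other
    # interfaces.
    dnsmasq $LXC_DHCP_CONFILE_ARG $LXC_DOMAIN_ARG -u "${DNSMASQ_USER}" \
        --strict-order --bind-interfaces --pid-file="${varrun}/dnsmasq.pid" \
        --listen-address "${LXC_ADDR}" --dhcp-range "${LXC_DHCP_RANGE}" \
        --dhcp-lease-max="${LXC_DHCP_MAX}" --dhcp-no-override \
        --except-interface=lo --interface="${LXC_BRIDGE}" \
        --dhcp-leasefile="${varlib}/misc/dnsmasq.${LXC_BRIDGE}.leases" \
        --dhcp-authoritative $LXC_IPV6_ARG || cleanup

    # Marker checked by stop and by the already-running test above.
    touch "${varrun}/network_up"
    FAILED=0
}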
1281N/A
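stop() {
    # Undo what start did: take the bridge down, delete the firewall and NAT
    # rules start added, stop dnsmasq and remove the bridge unless something
    # is still attached to it.
    # Arguments: $1 - "force" to proceed even when the network_up marker is
    #            missing (used by start's recovery and cleanup paths)
    # Globals:   reads USE_LXC_BRIDGE, LXC_BRIDGE, LXC_NETWORK, LXC_IPV6_NAT,
    #            LXC_IPV6_NETWORK, varrun, use_iptables_lock
    # Exits:     0 when bridging is disabled; 1 when not running and not
    #            forced.  The ip_forward sysctl that start enables is not
    #            reset here.
    local pid i
    [ "x$USE_LXC_BRIDGE" = "xtrue" ] || { exit 0; }

    [ -f "${varrun}/network_up" ] || [ "$1" = "force" ] || { echo "lxc-net isn't running"; exit 1; }

    if [ -d "/sys/class/net/${LXC_BRIDGE}" ]; then
        ifdown "${LXC_BRIDGE}"
        iptables $use_iptables_lock -D INPUT -i "${LXC_BRIDGE}" -p udp --dport 67 -j ACCEPT
        iptables $use_iptables_lock -D INPUT -i "${LXC_BRIDGE}" -p tcp --dport 67 -j ACCEPT
        iptables $use_iptables_lock -D INPUT -i "${LXC_BRIDGE}" -p udp --dport 53 -j ACCEPT
        iptables $use_iptables_lock -D INPUT -i "${LXC_BRIDGE}" -p tcp --dport 53 -j ACCEPT
        iptables $use_iptables_lock -D FORWARD -i "${LXC_BRIDGE}" -j ACCEPT
        iptables $use_iptables_lock -D FORWARD -o "${LXC_BRIDGE}" -j ACCEPT
        iptables $use_iptables_lock -t nat -D POSTROUTING -s "${LXC_NETWORK}" ! -d "${LXC_NETWORK}" -j MASQUERADE
        iptables $use_iptables_lock -t mangle -D POSTROUTING -o "${LXC_BRIDGE}" -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill

        if [ "$LXC_IPV6_NAT" = "true" ]; then
            ip6tables $use_iptables_lock -t nat -D POSTROUTING -s "${LXC_IPV6_NETWORK}" ! -d "${LXC_IPV6_NETWORK}" -j MASQUERADE
        fi

        # Only signal a value that is a plain positive integer.  The pid file
        # is written by dnsmasq; handing anything else (empty, "-1", a
        # process-group spec) to kill while running as root would reach far
        # more than dnsmasq.
        pid=$(cat "${varrun}/dnsmasq.pid" 2>/dev/null) || pid=""
        case "$pid" in
            ''|*[!0-9]*|0*) pid="" ;;
        esac
        if [ -n "$pid" ]; then
            # Ask for a clean exit first; fall back to SIGKILL only if the
            # process is still alive after a few seconds.
            kill "$pid" 2>/dev/null || true
            i=0
            while kill -0 "$pid" 2>/dev/null && [ "$i" -lt 5 ]; do
                sleep 1
                i=$((i + 1))
            done
            if kill -0 "$pid" 2>/dev/null; then
                kill -9 "$pid" 2>/dev/null || true
            fi
        fi
        rm -f "${varrun}/dnsmasq.pid"
        # if $LXC_BRIDGE has attached interfaces, don't destroy the bridge
        ls "/sys/class/net/${LXC_BRIDGE}/brif/"* > /dev/null 2>&1 || ip link delete "${LXC_BRIDGE}"
    fi

    rm -f "${varrun}/network_up"
}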
1281N/A
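# See how we were called.
# restart/reload re-execute this script twice instead of calling stop and
# start in-process; a failing stop therefore does not prevent the start and
# its exit status is not reported.
case "$1" in
    start)
        start
        ;;

    stop)
        stop
        ;;

    restart|reload|force-reload)
        "$0" stop
        "$0" start
        ;;

    *)
        echo "Usage: $0 {start|stop|restart|reload|force-reload}" >&2
        exit 2
esac

# Propagate the status of whichever action ran.
exit $?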
1281N/A