--- /dev/null
+# Copyright (c) 2011 X.commerce, a business unit of eBay Inc.
+# Copyright 2010 United States Government as represented by the
+# Administrator of the National Aeronautics and Space Administration.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+"""Implements vlans, bridges, and iptables rules using linux utilities."""
+
+import calendar
+import inspect
+import os
+import re
+import time
+
+import netaddr
+from oslo_concurrency import processutils
+from oslo_config import cfg
+from oslo_log import log as logging
+from oslo_serialization import jsonutils
+from oslo_utils import excutils
+from oslo_utils import importutils
+from oslo_utils import timeutils
+import six
+
+from nova import exception
+from nova.i18n import _, _LE, _LW
+from nova import objects
+from nova.openstack.common import fileutils
+from nova import paths
+from nova.pci import utils as pci_utils
+from nova import utils
+
+LOG = logging.getLogger(__name__)
+
+
+linux_net_opts = [
+ cfg.MultiStrOpt('dhcpbridge_flagfile',
+ default=['/etc/nova/nova-dhcpbridge.conf'],
+ help='Location of flagfiles for dhcpbridge'),
+ cfg.StrOpt('networks_path',
+ default=paths.state_path_def('networks'),
+ help='Location to keep network config files'),
+ cfg.StrOpt('public_interface',
+ default='eth0',
+ help='Interface for public IP addresses'),
+ cfg.StrOpt('dhcpbridge',
+ default=paths.bindir_def('nova-dhcpbridge'),
+ help='Location of nova-dhcpbridge'),
+ cfg.StrOpt('routing_source_ip',
+ default='$my_ip',
+ help='Public IP of network host'),
+ cfg.IntOpt('dhcp_lease_time',
+ default=86400,
+ help='Lifetime of a DHCP lease in seconds'),
+ cfg.MultiStrOpt('dns_server',
+ default=[],
+ help='If set, uses specific DNS server for dnsmasq. Can'
+ ' be specified multiple times.'),
+ cfg.BoolOpt('use_network_dns_servers',
+ default=False,
+ help='If set, uses the dns1 and dns2 from the network ref.'
+ ' as dns servers.'),
+ cfg.ListOpt('dmz_cidr',
+ default=[],
+ help='A list of dmz ranges that should be accepted'),
+ cfg.MultiStrOpt('force_snat_range',
+ default=[],
+ help='Traffic to this range will always be snatted to the '
+ 'fallback ip, even if it would normally be bridged out '
+ 'of the node. Can be specified multiple times.'),
+ cfg.StrOpt('dnsmasq_config_file',
+ default='',
+ help='Override the default dnsmasq settings with this file'),
+ cfg.StrOpt('linuxnet_interface_driver',
+ default='nova.network.linux_net.LinuxBridgeInterfaceDriver',
+ help='Driver used to create ethernet devices.'),
+ cfg.StrOpt('linuxnet_ovs_integration_bridge',
+ default='br-int',
+ help='Name of Open vSwitch bridge used with linuxnet'),
+ cfg.BoolOpt('send_arp_for_ha',
+ default=False,
+ help='Send gratuitous ARPs for HA setup'),
+ cfg.IntOpt('send_arp_for_ha_count',
+ default=3,
+ help='Send this many gratuitous ARPs for HA setup'),
+ cfg.BoolOpt('use_single_default_gateway',
+ default=False,
+ help='Use single default gateway. Only first nic of vm will '
+ 'get default gateway from dhcp server'),
+ cfg.MultiStrOpt('forward_bridge_interface',
+ default=['all'],
+ help='An interface that bridges can forward to. If this '
+ 'is set to all then all traffic will be forwarded. '
+ 'Can be specified multiple times.'),
+ cfg.StrOpt('metadata_host',
+ default='$my_ip',
+ help='The IP address for the metadata API server'),
+ cfg.IntOpt('metadata_port',
+ default=8775,
+ help='The port for the metadata API port'),
+ cfg.StrOpt('iptables_top_regex',
+ default='',
+ help='Regular expression to match the iptables rule that '
+ 'should always be on the top.'),
+ cfg.StrOpt('iptables_bottom_regex',
+ default='',
+ help='Regular expression to match the iptables rule that '
+ 'should always be on the bottom.'),
+ cfg.StrOpt('iptables_drop_action',
+ default='DROP',
+ help='The table that iptables to jump to when a packet is '
+ 'to be dropped.'),
+ cfg.IntOpt('ovs_vsctl_timeout',
+ default=120,
+ help='Amount of time, in seconds, that ovs_vsctl should wait '
+ 'for a response from the database. 0 is to wait forever.'),
+ cfg.BoolOpt('fake_network',
+ default=False,
+ help='If passed, use fake network devices and addresses'),
+ cfg.IntOpt('ebtables_exec_attempts',
+ default=3,
+ help='Number of times to retry ebtables commands on failure.'),
+ cfg.FloatOpt('ebtables_retry_interval',
+ default=1.0,
+ help='Number of seconds to wait between ebtables retries.'),
+ ]
+
+CONF = cfg.CONF
+CONF.register_opts(linux_net_opts)
+CONF.import_opt('host', 'nova.netconf')
+CONF.import_opt('use_ipv6', 'nova.netconf')
+CONF.import_opt('my_ip', 'nova.netconf')
+CONF.import_opt('network_device_mtu', 'nova.objects.network')
+
+
+# NOTE(vish): Iptables supports chain names of up to 28 characters, and we
+# add up to 12 characters to binary_name which is used as a prefix,
+# so we limit it to 16 characters.
+# (max_chain_name_length - len('-POSTROUTING') == 16)
+def get_binary_name():
+ """Grab the name of the binary we're running in."""
+ return os.path.basename(inspect.stack()[-1][1])[:16]
+
+binary_name = get_binary_name()
+
+
+class IptablesRule(object):
+ """An iptables rule.
+
+ You shouldn't need to use this class directly, it's only used by
+ IptablesManager.
+
+ """
+
+ def __init__(self, chain, rule, wrap=True, top=False):
+ self.chain = chain
+ self.rule = rule
+ self.wrap = wrap
+ self.top = top
+
+ def __eq__(self, other):
+ return ((self.chain == other.chain) and
+ (self.rule == other.rule) and
+ (self.top == other.top) and
+ (self.wrap == other.wrap))
+
+ def __ne__(self, other):
+ return not self == other
+
+ def __repr__(self):
+ if self.wrap:
+ chain = '%s-%s' % (binary_name, self.chain)
+ else:
+ chain = self.chain
+ # new rules should have a zero [packet: byte] count
+ return '[0:0] -A %s %s' % (chain, self.rule)
+
+
+class IptablesTable(object):
+ """An iptables table."""
+
+ def __init__(self):
+ self.rules = []
+ self.remove_rules = []
+ self.chains = set()
+ self.unwrapped_chains = set()
+ self.remove_chains = set()
+ self.dirty = True
+
+ def has_chain(self, name, wrap=True):
+ if wrap:
+ return name in self.chains
+ else:
+ return name in self.unwrapped_chains
+
+ def add_chain(self, name, wrap=True):
+ """Adds a named chain to the table.
+
+ The chain name is wrapped to be unique for the component creating
+ it, so different components of Nova can safely create identically
+ named chains without interfering with one another.
+
+ At the moment, its wrapped name is <binary name>-<chain name>,
+ so if nova-compute creates a chain named 'OUTPUT', it'll actually
+ end up named 'nova-compute-OUTPUT'.
+
+ """
+ if wrap:
+ self.chains.add(name)
+ else:
+ self.unwrapped_chains.add(name)
+ self.dirty = True
+
+ def remove_chain(self, name, wrap=True):
+ """Remove named chain.
+
+ This removal "cascades". All rule in the chain are removed, as are
+ all rules in other chains that jump to it.
+
+ If the chain is not found, this is merely logged.
+
+ """
+ if wrap:
+ chain_set = self.chains
+ else:
+ chain_set = self.unwrapped_chains
+
+ if name not in chain_set:
+ LOG.warning(_LW('Attempted to remove chain %s which does not '
+ 'exist'), name)
+ return
+ self.dirty = True
+
+ # non-wrapped chains and rules need to be dealt with specially,
+ # so we keep a list of them to be iterated over in apply()
+ if not wrap:
+ self.remove_chains.add(name)
+ chain_set.remove(name)
+ if not wrap:
+ self.remove_rules += filter(lambda r: r.chain == name, self.rules)
+ self.rules = filter(lambda r: r.chain != name, self.rules)
+
+ if wrap:
+ jump_snippet = '-j %s-%s' % (binary_name, name)
+ else:
+ jump_snippet = '-j %s' % (name,)
+
+ if not wrap:
+ self.remove_rules += filter(lambda r: jump_snippet in r.rule,
+ self.rules)
+ self.rules = filter(lambda r: jump_snippet not in r.rule, self.rules)
+
+ def add_rule(self, chain, rule, wrap=True, top=False):
+ """Add a rule to the table.
+
+ This is just like what you'd feed to iptables, just without
+ the '-A <chain name>' bit at the start.
+
+ However, if you need to jump to one of your wrapped chains,
+ prepend its name with a '$' which will ensure the wrapping
+ is applied correctly.
+
+ """
+ if wrap and chain not in self.chains:
+ raise ValueError(_('Unknown chain: %r') % chain)
+
+ if '$' in rule:
+ rule = ' '.join(map(self._wrap_target_chain, rule.split(' ')))
+
+ rule_obj = IptablesRule(chain, rule, wrap, top)
+ if rule_obj in self.rules:
+ LOG.debug("Skipping duplicate iptables rule addition. "
+ "%(rule)r already in %(rules)r",
+ {'rule': rule_obj, 'rules': self.rules})
+ else:
+ self.rules.append(IptablesRule(chain, rule, wrap, top))
+ self.dirty = True
+
+ def _wrap_target_chain(self, s):
+ if s.startswith('$'):
+ return '%s-%s' % (binary_name, s[1:])
+ return s
+
+ def remove_rule(self, chain, rule, wrap=True, top=False):
+ """Remove a rule from a chain.
+
+ Note: The rule must be exactly identical to the one that was added.
+ You cannot switch arguments around like you can with the iptables
+ CLI tool.
+
+ """
+ try:
+ self.rules.remove(IptablesRule(chain, rule, wrap, top))
+ if not wrap:
+ self.remove_rules.append(IptablesRule(chain, rule, wrap, top))
+ self.dirty = True
+ except ValueError:
+ LOG.warning(_LW('Tried to remove rule that was not there:'
+ ' %(chain)r %(rule)r %(wrap)r %(top)r'),
+ {'chain': chain, 'rule': rule,
+ 'top': top, 'wrap': wrap})
+
+ def remove_rules_regex(self, regex):
+ """Remove all rules matching regex."""
+ if isinstance(regex, six.string_types):
+ regex = re.compile(regex)
+ num_rules = len(self.rules)
+ self.rules = filter(lambda r: not regex.match(str(r)), self.rules)
+ removed = num_rules - len(self.rules)
+ if removed > 0:
+ self.dirty = True
+ return removed
+
+ def empty_chain(self, chain, wrap=True):
+ """Remove all rules from a chain."""
+ chained_rules = [rule for rule in self.rules
+ if rule.chain == chain and rule.wrap == wrap]
+ if chained_rules:
+ self.dirty = True
+ for rule in chained_rules:
+ self.rules.remove(rule)
+
+
+class IptablesManager(object):
+ """Wrapper for iptables.
+
+ See IptablesTable for some usage docs
+
+ A number of chains are set up to begin with.
+
+ First, nova-filter-top. It's added at the top of FORWARD and OUTPUT. Its
+ name is not wrapped, so it's shared between the various nova workers. It's
+ intended for rules that need to live at the top of the FORWARD and OUTPUT
+ chains. It's in both the ipv4 and ipv6 set of tables.
+
+ For ipv4 and ipv6, the built-in INPUT, OUTPUT, and FORWARD filter chains
+ are wrapped, meaning that the "real" INPUT chain has a rule that jumps to
+ the wrapped INPUT chain, etc. Additionally, there's a wrapped chain named
+ "local" which is jumped to from nova-filter-top.
+
+ For ipv4, the built-in PREROUTING, OUTPUT, and POSTROUTING nat chains are
+ wrapped in the same was as the built-in filter chains. Additionally,
+ there's a snat chain that is applied after the POSTROUTING chain.
+
+ """
+
+ def __init__(self, execute=None):
+ if not execute:
+ self.execute = _execute
+ else:
+ self.execute = execute
+
+ self.ipv4 = {'filter': IptablesTable(),
+ 'nat': IptablesTable(),
+ 'mangle': IptablesTable()}
+ self.ipv6 = {'filter': IptablesTable()}
+
+ self.iptables_apply_deferred = False
+
+ # Add a nova-filter-top chain. It's intended to be shared
+ # among the various nova components. It sits at the very top
+ # of FORWARD and OUTPUT.
+ for tables in [self.ipv4, self.ipv6]:
+ tables['filter'].add_chain('nova-filter-top', wrap=False)
+ tables['filter'].add_rule('FORWARD', '-j nova-filter-top',
+ wrap=False, top=True)
+ tables['filter'].add_rule('OUTPUT', '-j nova-filter-top',
+ wrap=False, top=True)
+
+ tables['filter'].add_chain('local')
+ tables['filter'].add_rule('nova-filter-top', '-j $local',
+ wrap=False)
+
+ # Wrap the built-in chains
+ builtin_chains = {4: {'filter': ['INPUT', 'OUTPUT', 'FORWARD'],
+ 'nat': ['PREROUTING', 'OUTPUT', 'POSTROUTING'],
+ 'mangle': ['POSTROUTING']},
+ 6: {'filter': ['INPUT', 'OUTPUT', 'FORWARD']}}
+
+ for ip_version in builtin_chains:
+ if ip_version == 4:
+ tables = self.ipv4
+ elif ip_version == 6:
+ tables = self.ipv6
+
+ for table, chains in builtin_chains[ip_version].iteritems():
+ for chain in chains:
+ tables[table].add_chain(chain)
+ tables[table].add_rule(chain, '-j $%s' % (chain,),
+ wrap=False)
+
+ # Add a nova-postrouting-bottom chain. It's intended to be shared
+ # among the various nova components. We set it as the last chain
+ # of POSTROUTING chain.
+ self.ipv4['nat'].add_chain('nova-postrouting-bottom', wrap=False)
+ self.ipv4['nat'].add_rule('POSTROUTING', '-j nova-postrouting-bottom',
+ wrap=False)
+
+ # We add a snat chain to the shared nova-postrouting-bottom chain
+ # so that it's applied last.
+ self.ipv4['nat'].add_chain('snat')
+ self.ipv4['nat'].add_rule('nova-postrouting-bottom', '-j $snat',
+ wrap=False)
+
+ # And then we add a float-snat chain and jump to first thing in
+ # the snat chain.
+ self.ipv4['nat'].add_chain('float-snat')
+ self.ipv4['nat'].add_rule('snat', '-j $float-snat')
+
+ def defer_apply_on(self):
+ self.iptables_apply_deferred = True
+
+ def defer_apply_off(self):
+ self.iptables_apply_deferred = False
+ self.apply()
+
+ def dirty(self):
+ for table in self.ipv4.itervalues():
+ if table.dirty:
+ return True
+ if CONF.use_ipv6:
+ for table in self.ipv6.itervalues():
+ if table.dirty:
+ return True
+ return False
+
+ def apply(self):
+ if self.iptables_apply_deferred:
+ return
+ if self.dirty():
+ self._apply()
+ else:
+ LOG.debug("Skipping apply due to lack of new rules")
+
+ @utils.synchronized('iptables', external=True)
+ def _apply(self):
+ """Apply the current in-memory set of iptables rules.
+
+ This will blow away any rules left over from previous runs of the
+ same component of Nova, and replace them with our current set of
+ rules. This happens atomically, thanks to iptables-restore.
+
+ """
+ s = [('iptables', self.ipv4)]
+ if CONF.use_ipv6:
+ s += [('ip6tables', self.ipv6)]
+
+ for cmd, tables in s:
+ all_tables, _err = self.execute('%s-save' % (cmd,), '-c',
+ run_as_root=True,
+ attempts=5)
+ all_lines = all_tables.split('\n')
+ for table_name, table in tables.iteritems():
+ start, end = self._find_table(all_lines, table_name)
+ all_lines[start:end] = self._modify_rules(
+ all_lines[start:end], table, table_name)
+ table.dirty = False
+ self.execute('%s-restore' % (cmd,), '-c', run_as_root=True,
+ process_input='\n'.join(all_lines),
+ attempts=5)
+ LOG.debug("IPTablesManager.apply completed with success")
+
+ def _find_table(self, lines, table_name):
+ if len(lines) < 3:
+ # length only <2 when fake iptables
+ return (0, 0)
+ try:
+ start = lines.index('*%s' % table_name) - 1
+ except ValueError:
+ # Couldn't find table_name
+ return (0, 0)
+ end = lines[start:].index('COMMIT') + start + 2
+ return (start, end)
+
+ def _modify_rules(self, current_lines, table, table_name):
+ unwrapped_chains = table.unwrapped_chains
+ chains = table.chains
+ remove_chains = table.remove_chains
+ rules = table.rules
+ remove_rules = table.remove_rules
+
+ if not current_lines:
+ fake_table = ['#Generated by nova',
+ '*' + table_name, 'COMMIT',
+ '#Completed by nova']
+ current_lines = fake_table
+
+ # Remove any trace of our rules
+ new_filter = filter(lambda line: binary_name not in line,
+ current_lines)
+
+ top_rules = []
+ bottom_rules = []
+
+ if CONF.iptables_top_regex:
+ regex = re.compile(CONF.iptables_top_regex)
+ temp_filter = filter(lambda line: regex.search(line), new_filter)
+ for rule_str in temp_filter:
+ new_filter = filter(lambda s: s.strip() != rule_str.strip(),
+ new_filter)
+ top_rules = temp_filter
+
+ if CONF.iptables_bottom_regex:
+ regex = re.compile(CONF.iptables_bottom_regex)
+ temp_filter = filter(lambda line: regex.search(line), new_filter)
+ for rule_str in temp_filter:
+ new_filter = filter(lambda s: s.strip() != rule_str.strip(),
+ new_filter)
+ bottom_rules = temp_filter
+
+ seen_chains = False
+ rules_index = 0
+ for rules_index, rule in enumerate(new_filter):
+ if not seen_chains:
+ if rule.startswith(':'):
+ seen_chains = True
+ else:
+ if not rule.startswith(':'):
+ break
+
+ if not seen_chains:
+ rules_index = 2
+
+ our_rules = top_rules
+ bot_rules = []
+ for rule in rules:
+ rule_str = str(rule)
+ if rule.top:
+ # rule.top == True means we want this rule to be at the top.
+ # Further down, we weed out duplicates from the bottom of the
+ # list, so here we remove the dupes ahead of time.
+
+ # We don't want to remove an entry if it has non-zero
+ # [packet:byte] counts and replace it with [0:0], so let's
+ # go look for a duplicate, and over-ride our table rule if
+ # found.
+
+ # ignore [packet:byte] counts at beginning of line
+ if rule_str.startswith('['):
+ rule_str = rule_str.split(']', 1)[1]
+ dup_filter = filter(lambda s: rule_str.strip() in s.strip(),
+ new_filter)
+
+ new_filter = filter(lambda s:
+ rule_str.strip() not in s.strip(),
+ new_filter)
+ # if no duplicates, use original rule
+ if dup_filter:
+ # grab the last entry, if there is one
+ dup = dup_filter[-1]
+ rule_str = str(dup)
+ else:
+ rule_str = str(rule)
+ rule_str.strip()
+
+ our_rules += [rule_str]
+ else:
+ bot_rules += [rule_str]
+
+ our_rules += bot_rules
+
+ new_filter[rules_index:rules_index] = our_rules
+
+ new_filter[rules_index:rules_index] = [':%s - [0:0]' % (name,)
+ for name in unwrapped_chains]
+ new_filter[rules_index:rules_index] = [':%s-%s - [0:0]' %
+ (binary_name, name,)
+ for name in chains]
+
+ commit_index = new_filter.index('COMMIT')
+ new_filter[commit_index:commit_index] = bottom_rules
+ seen_lines = set()
+
+ def _weed_out_duplicates(line):
+ # ignore [packet:byte] counts at beginning of lines
+ if line.startswith('['):
+ line = line.split(']', 1)[1]
+ line = line.strip()
+ if line in seen_lines:
+ return False
+ else:
+ seen_lines.add(line)
+ return True
+
+ def _weed_out_removes(line):
+ # We need to find exact matches here
+ if line.startswith(':'):
+ # it's a chain, for example, ":nova-billing - [0:0]"
+ # strip off everything except the chain name
+ line = line.split(':')[1]
+ line = line.split('- [')[0]
+ line = line.strip()
+ for chain in remove_chains:
+ if chain == line:
+ remove_chains.remove(chain)
+ return False
+ elif line.startswith('['):
+ # it's a rule
+ # ignore [packet:byte] counts at beginning of lines
+ line = line.split(']', 1)[1]
+ line = line.strip()
+ for rule in remove_rules:
+ # ignore [packet:byte] counts at beginning of rules
+ rule_str = str(rule)
+ rule_str = rule_str.split(' ', 1)[1]
+ rule_str = rule_str.strip()
+ if rule_str == line:
+ remove_rules.remove(rule)
+ return False
+
+ # Leave it alone
+ return True
+
+ # We filter duplicates, letting the *last* occurrence take
+ # precedence. We also filter out anything in the "remove"
+ # lists.
+ new_filter.reverse()
+ new_filter = filter(_weed_out_duplicates, new_filter)
+ new_filter = filter(_weed_out_removes, new_filter)
+ new_filter.reverse()
+
+ # flush lists, just in case we didn't find something
+ remove_chains.clear()
+ for rule in remove_rules:
+ remove_rules.remove(rule)
+
+ return new_filter
+
+
+# NOTE(jkoelker) This is just a nice little stub point since mocking
+# builtins with mox is a nightmare
+def write_to_file(file, data, mode='w'):
+ with open(file, mode) as f:
+ f.write(data)
+
+
+def is_pid_cmdline_correct(pid, match):
+ """Ensure that the cmdline for a pid seems sane
+
+ Because pids are recycled, blindly killing by pid is something to
+ avoid. This provides the ability to include a substring that is
+ expected in the cmdline as a safety check.
+ """
+ try:
+ with open('/proc/%d/cmdline' % pid) as f:
+ cmdline = f.read()
+ return match in cmdline
+ except EnvironmentError:
+ return False
+
+
+def metadata_forward():
+ """Create forwarding rule for metadata."""
+ if CONF.metadata_host != '127.0.0.1':
+ iptables_manager.ipv4['nat'].add_rule('PREROUTING',
+ '-s 0.0.0.0/0 -d 169.254.169.254/32 '
+ '-p tcp -m tcp --dport 80 -j DNAT '
+ '--to-destination %s:%s' %
+ (CONF.metadata_host,
+ CONF.metadata_port))
+ else:
+ iptables_manager.ipv4['nat'].add_rule('PREROUTING',
+ '-s 0.0.0.0/0 -d 169.254.169.254/32 '
+ '-p tcp -m tcp --dport 80 '
+ '-j REDIRECT --to-ports %s' %
+ CONF.metadata_port)
+ iptables_manager.apply()
+
+
+def _iptables_dest(ip):
+ if ((netaddr.IPAddress(ip).version == 4 and ip == '127.0.0.1')
+ or ip == '::1'):
+ return '-m addrtype --dst-type LOCAL'
+ else:
+ return '-d %s' % ip
+
+
+def metadata_accept():
+ """Create the filter accept rule for metadata."""
+
+ rule = ('-p tcp -m tcp --dport %s %s -j ACCEPT' %
+ (CONF.metadata_port, _iptables_dest(CONF.metadata_host)))
+
+ if netaddr.IPAddress(CONF.metadata_host).version == 4:
+ iptables_manager.ipv4['filter'].add_rule('INPUT', rule)
+ else:
+ iptables_manager.ipv6['filter'].add_rule('INPUT', rule)
+
+ iptables_manager.apply()
+
+
+def add_snat_rule(ip_range, is_external=False):
+ if CONF.routing_source_ip:
+ if is_external:
+ if CONF.force_snat_range:
+ snat_range = CONF.force_snat_range
+ else:
+ snat_range = []
+ else:
+ snat_range = ['0.0.0.0/0']
+ for dest_range in snat_range:
+ rule = ('-s %s -d %s -j SNAT --to-source %s'
+ % (ip_range, dest_range, CONF.routing_source_ip))
+ if not is_external and CONF.public_interface:
+ rule += ' -o %s' % CONF.public_interface
+ iptables_manager.ipv4['nat'].add_rule('snat', rule)
+ iptables_manager.apply()
+
+
+def init_host(ip_range, is_external=False):
+ """Basic networking setup goes here."""
+ # NOTE(devcamcar): Cloud public SNAT entries and the default
+ # SNAT rule for outbound traffic.
+
+ add_snat_rule(ip_range, is_external)
+
+ rules = []
+ if is_external:
+ for snat_range in CONF.force_snat_range:
+ rules.append('PREROUTING -p ipv4 --ip-src %s --ip-dst %s '
+ '-j redirect --redirect-target ACCEPT' %
+ (ip_range, snat_range))
+ if rules:
+ ensure_ebtables_rules(rules, 'nat')
+
+ iptables_manager.ipv4['nat'].add_rule('POSTROUTING',
+ '-s %s -d %s/32 -j ACCEPT' %
+ (ip_range, CONF.metadata_host))
+
+ for dmz in CONF.dmz_cidr:
+ iptables_manager.ipv4['nat'].add_rule('POSTROUTING',
+ '-s %s -d %s -j ACCEPT' %
+ (ip_range, dmz))
+
+ iptables_manager.ipv4['nat'].add_rule('POSTROUTING',
+ '-s %(range)s -d %(range)s '
+ '-m conntrack ! --ctstate DNAT '
+ '-j ACCEPT' %
+ {'range': ip_range})
+ iptables_manager.apply()
+
+
+def send_arp_for_ip(ip, device, count):
+ out, err = _execute('arping', '-U', ip,
+ '-A', '-I', device,
+ '-c', str(count),
+ run_as_root=True, check_exit_code=False)
+
+ if err:
+ LOG.debug('arping error for ip %s', ip)
+
+
+def bind_floating_ip(floating_ip, device):
+ """Bind ip to public interface."""
+ _execute('ip', 'addr', 'add', str(floating_ip) + '/32',
+ 'dev', device,
+ run_as_root=True, check_exit_code=[0, 2, 254])
+
+ if CONF.send_arp_for_ha and CONF.send_arp_for_ha_count > 0:
+ send_arp_for_ip(floating_ip, device, CONF.send_arp_for_ha_count)
+
+
+def unbind_floating_ip(floating_ip, device):
+ """Unbind a public ip from public interface."""
+ _execute('ip', 'addr', 'del', str(floating_ip) + '/32',
+ 'dev', device,
+ run_as_root=True, check_exit_code=[0, 2, 254])
+
+
+def ensure_metadata_ip():
+ """Sets up local metadata ip."""
+ _execute('ip', 'addr', 'add', '169.254.169.254/32',
+ 'scope', 'link', 'dev', 'lo',
+ run_as_root=True, check_exit_code=[0, 2, 254])
+
+
+def ensure_vpn_forward(public_ip, port, private_ip):
+ """Sets up forwarding rules for vlan."""
+ iptables_manager.ipv4['filter'].add_rule('FORWARD',
+ '-d %s -p udp '
+ '--dport 1194 '
+ '-j ACCEPT' % private_ip)
+ iptables_manager.ipv4['nat'].add_rule('PREROUTING',
+ '-d %s -p udp '
+ '--dport %s -j DNAT --to %s:1194' %
+ (public_ip, port, private_ip))
+ iptables_manager.ipv4['nat'].add_rule('OUTPUT',
+ '-d %s -p udp '
+ '--dport %s -j DNAT --to %s:1194' %
+ (public_ip, port, private_ip))
+ iptables_manager.apply()
+
+
+def ensure_floating_forward(floating_ip, fixed_ip, device, network):
+ """Ensure floating ip forwarding rule."""
+ # NOTE(vish): Make sure we never have duplicate rules for the same ip
+ regex = '.*\s+%s(/32|\s+|$)' % floating_ip
+ num_rules = iptables_manager.ipv4['nat'].remove_rules_regex(regex)
+ if num_rules:
+ msg = _LW('Removed %(num)d duplicate rules for floating ip %(float)s')
+ LOG.warn(msg, {'num': num_rules, 'float': floating_ip})
+ for chain, rule in floating_forward_rules(floating_ip, fixed_ip, device):
+ iptables_manager.ipv4['nat'].add_rule(chain, rule)
+ iptables_manager.apply()
+ if device != network['bridge']:
+ ensure_ebtables_rules(*floating_ebtables_rules(fixed_ip, network))
+
+
+def remove_floating_forward(floating_ip, fixed_ip, device, network):
+ """Remove forwarding for floating ip."""
+ for chain, rule in floating_forward_rules(floating_ip, fixed_ip, device):
+ iptables_manager.ipv4['nat'].remove_rule(chain, rule)
+ iptables_manager.apply()
+ if device != network['bridge']:
+ remove_ebtables_rules(*floating_ebtables_rules(fixed_ip, network))
+
+
+def floating_ebtables_rules(fixed_ip, network):
+ """Makes sure only in-network traffic is bridged."""
+ return (['PREROUTING --logical-in %s -p ipv4 --ip-src %s '
+ '! --ip-dst %s -j redirect --redirect-target ACCEPT' %
+ (network['bridge'], fixed_ip, network['cidr'])], 'nat')
+
+
+def floating_forward_rules(floating_ip, fixed_ip, device):
+ rules = []
+ rule = '-s %s -j SNAT --to %s' % (fixed_ip, floating_ip)
+ if device:
+ rules.append(('float-snat', rule + ' -d %s' % fixed_ip))
+ rules.append(('float-snat', rule + ' -o %s' % device))
+ else:
+ rules.append(('float-snat', rule))
+ rules.append(
+ ('PREROUTING', '-d %s -j DNAT --to %s' % (floating_ip, fixed_ip)))
+ rules.append(
+ ('OUTPUT', '-d %s -j DNAT --to %s' % (floating_ip, fixed_ip)))
+ rules.append(('POSTROUTING', '-s %s -m conntrack --ctstate DNAT -j SNAT '
+ '--to-source %s' %
+ (fixed_ip, floating_ip)))
+ return rules
+
+
+def clean_conntrack(fixed_ip):
+ try:
+ _execute('conntrack', '-D', '-r', fixed_ip, run_as_root=True,
+ check_exit_code=[0, 1])
+ except processutils.ProcessExecutionError:
+ LOG.exception(_LE('Error deleting conntrack entries for %s'), fixed_ip)
+
+
+def _enable_ipv4_forwarding():
+ sysctl_key = 'net.ipv4.ip_forward'
+ stdout, stderr = _execute('sysctl', '-n', sysctl_key)
+ if stdout.strip() is not '1':
+ _execute('sysctl', '-w', '%s=1' % sysctl_key, run_as_root=True)
+
+
+@utils.synchronized('lock_gateway', external=True)
+def initialize_gateway_device(dev, network_ref):
+ if not network_ref:
+ return
+
+ _enable_ipv4_forwarding()
+
+ # NOTE(vish): The ip for dnsmasq has to be the first address on the
+ # bridge for it to respond to requests properly
+ try:
+ prefix = network_ref.cidr.prefixlen
+ except AttributeError:
+ prefix = network_ref['cidr'].rpartition('/')[2]
+
+ full_ip = '%s/%s' % (network_ref['dhcp_server'], prefix)
+ new_ip_params = [[full_ip, 'brd', network_ref['broadcast']]]
+ old_ip_params = []
+ out, err = _execute('ip', 'addr', 'show', 'dev', dev,
+ 'scope', 'global')
+ for line in out.split('\n'):
+ fields = line.split()
+ if fields and fields[0] == 'inet':
+ if fields[-2] in ('secondary', 'dynamic'):
+ ip_params = fields[1:-2]
+ else:
+ ip_params = fields[1:-1]
+ old_ip_params.append(ip_params)
+ if ip_params[0] != full_ip:
+ new_ip_params.append(ip_params)
+ if not old_ip_params or old_ip_params[0][0] != full_ip:
+ old_routes = []
+ result = _execute('ip', 'route', 'show', 'dev', dev)
+ if result:
+ out, err = result
+ for line in out.split('\n'):
+ fields = line.split()
+ if fields and 'via' in fields:
+ old_routes.append(fields)
+ _execute('ip', 'route', 'del', fields[0],
+ 'dev', dev, run_as_root=True)
+ for ip_params in old_ip_params:
+ _execute(*_ip_bridge_cmd('del', ip_params, dev),
+ run_as_root=True, check_exit_code=[0, 2, 254])
+ for ip_params in new_ip_params:
+ _execute(*_ip_bridge_cmd('add', ip_params, dev),
+ run_as_root=True, check_exit_code=[0, 2, 254])
+
+ for fields in old_routes:
+ _execute('ip', 'route', 'add', *fields,
+ run_as_root=True)
+ if CONF.send_arp_for_ha and CONF.send_arp_for_ha_count > 0:
+ send_arp_for_ip(network_ref['dhcp_server'], dev,
+ CONF.send_arp_for_ha_count)
+ if CONF.use_ipv6:
+ _execute('ip', '-f', 'inet6', 'addr',
+ 'change', network_ref['cidr_v6'],
+ 'dev', dev, run_as_root=True)
+
+
+def get_dhcp_leases(context, network_ref):
+ """Return a network's hosts config in dnsmasq leasefile format."""
+ hosts = []
+ host = None
+ if network_ref['multi_host']:
+ host = CONF.host
+ for fixedip in objects.FixedIPList.get_by_network(context,
+ network_ref,
+ host=host):
+ # NOTE(cfb): Don't return a lease entry if the IP isn't
+ # already leased
+ if fixedip.leased:
+ hosts.append(_host_lease(fixedip))
+
+ return '\n'.join(hosts)
+
+
+def get_dhcp_hosts(context, network_ref, fixedips):
+ """Get network's hosts config in dhcp-host format."""
+ hosts = []
+ macs = set()
+ for fixedip in fixedips:
+ if fixedip.allocated:
+ if fixedip.virtual_interface.address not in macs:
+ hosts.append(_host_dhcp(fixedip))
+ macs.add(fixedip.virtual_interface.address)
+ return '\n'.join(hosts)
+
+
+def get_dns_hosts(context, network_ref):
+ """Get network's DNS hosts in hosts format."""
+ hosts = []
+ for fixedip in objects.FixedIPList.get_by_network(context, network_ref):
+ if fixedip.allocated:
+ hosts.append(_host_dns(fixedip))
+ return '\n'.join(hosts)
+
+
+def _add_dnsmasq_accept_rules(dev):
+ """Allow DHCP and DNS traffic through to dnsmasq."""
+ table = iptables_manager.ipv4['filter']
+ for port in [67, 53]:
+ for proto in ['udp', 'tcp']:
+ args = {'dev': dev, 'port': port, 'proto': proto}
+ table.add_rule('INPUT',
+ '-i %(dev)s -p %(proto)s -m %(proto)s '
+ '--dport %(port)s -j ACCEPT' % args)
+ iptables_manager.apply()
+
+
+def _remove_dnsmasq_accept_rules(dev):
+ """Remove DHCP and DNS traffic allowed through to dnsmasq."""
+ table = iptables_manager.ipv4['filter']
+ for port in [67, 53]:
+ for proto in ['udp', 'tcp']:
+ args = {'dev': dev, 'port': port, 'proto': proto}
+ table.remove_rule('INPUT',
+ '-i %(dev)s -p %(proto)s -m %(proto)s '
+ '--dport %(port)s -j ACCEPT' % args)
+ iptables_manager.apply()
+
+
+# NOTE(russellb) Curious why this is needed? Check out this explanation from
+# markmc: https://bugzilla.redhat.com/show_bug.cgi?id=910619#c6
+def _add_dhcp_mangle_rule(dev):
+ table = iptables_manager.ipv4['mangle']
+ table.add_rule('POSTROUTING',
+ '-o %s -p udp -m udp --dport 68 -j CHECKSUM '
+ '--checksum-fill' % dev)
+ iptables_manager.apply()
+
+
+def _remove_dhcp_mangle_rule(dev):
+ table = iptables_manager.ipv4['mangle']
+ table.remove_rule('POSTROUTING',
+ '-o %s -p udp -m udp --dport 68 -j CHECKSUM '
+ '--checksum-fill' % dev)
+ iptables_manager.apply()
+
+
+def get_dhcp_opts(context, network_ref, fixedips):
+ """Get network's hosts config in dhcp-opts format."""
+ gateway = network_ref['gateway']
+ # NOTE(vish): if we are in multi-host mode and we are not sharing
+ # addresses, then we actually need to hand out the
+ # dhcp server address as the gateway.
+ if network_ref['multi_host'] and not (network_ref['share_address'] or
+ CONF.share_dhcp_address):
+ gateway = network_ref['dhcp_server']
+ hosts = []
+ if CONF.use_single_default_gateway:
+ for fixedip in fixedips:
+ if fixedip.allocated:
+ vif_id = fixedip.virtual_interface_id
+ if fixedip.default_route:
+ hosts.append(_host_dhcp_opts(vif_id, gateway))
+ else:
+ hosts.append(_host_dhcp_opts(vif_id))
+ else:
+ hosts.append(_host_dhcp_opts(None, gateway))
+ return '\n'.join(hosts)
+
+
+def release_dhcp(dev, address, mac_address):
+ if device_exists(dev):
+ try:
+ utils.execute('dhcp_release', dev, address, mac_address,
+ run_as_root=True)
+ except processutils.ProcessExecutionError:
+ raise exception.NetworkDhcpReleaseFailed(address=address,
+ mac_address=mac_address)
+
+
+def update_dhcp(context, dev, network_ref):
+ conffile = _dhcp_file(dev, 'conf')
+ host = None
+ if network_ref['multi_host']:
+ host = CONF.host
+ fixedips = objects.FixedIPList.get_by_network(context,
+ network_ref,
+ host=host)
+ write_to_file(conffile, get_dhcp_hosts(context, network_ref, fixedips))
+ restart_dhcp(context, dev, network_ref, fixedips)
+
+
+def update_dns(context, dev, network_ref):
+ hostsfile = _dhcp_file(dev, 'hosts')
+ host = None
+ if network_ref['multi_host']:
+ host = CONF.host
+ fixedips = objects.FixedIPList.get_by_network(context,
+ network_ref,
+ host=host)
+ write_to_file(hostsfile, get_dns_hosts(context, network_ref))
+ restart_dhcp(context, dev, network_ref, fixedips)
+
+
+def update_dhcp_hostfile_with_text(dev, hosts_text):
+ conffile = _dhcp_file(dev, 'conf')
+ write_to_file(conffile, hosts_text)
+
+
+def kill_dhcp(dev):
+ pid = _dnsmasq_pid_for(dev)
+ if pid:
+ # Check that the process exists and looks like a dnsmasq process
+ conffile = _dhcp_file(dev, 'conf')
+ if is_pid_cmdline_correct(pid, conffile.split('/')[-1]):
+ _execute('kill', '-9', pid, run_as_root=True)
+ else:
+ LOG.debug('Pid %d is stale, skip killing dnsmasq', pid)
+ _remove_dnsmasq_accept_rules(dev)
+ _remove_dhcp_mangle_rule(dev)
+
+
+# NOTE(ja): Sending a HUP only reloads the hostfile, so any
+# configuration options (like dchp-range, vlan, ...)
+# aren't reloaded.
+@utils.synchronized('dnsmasq_start')
+def restart_dhcp(context, dev, network_ref, fixedips):
+ """(Re)starts a dnsmasq server for a given network.
+
+ If a dnsmasq instance is already running then send a HUP
+ signal causing it to reload, otherwise spawn a new instance.
+
+ """
+ conffile = _dhcp_file(dev, 'conf')
+
+ optsfile = _dhcp_file(dev, 'opts')
+ write_to_file(optsfile, get_dhcp_opts(context, network_ref, fixedips))
+ os.chmod(optsfile, 0o644)
+
+ _add_dhcp_mangle_rule(dev)
+
+ # Make sure dnsmasq can actually read it (it setuid()s to "nobody")
+ os.chmod(conffile, 0o644)
+
+ pid = _dnsmasq_pid_for(dev)
+
+ # if dnsmasq is already running, then tell it to reload
+ if pid:
+ if is_pid_cmdline_correct(pid, conffile.split('/')[-1]):
+ try:
+ _execute('kill', '-HUP', pid, run_as_root=True)
+ _add_dnsmasq_accept_rules(dev)
+ return
+ except Exception as exc:
+ LOG.error(_LE('kill -HUP dnsmasq threw %s'), exc)
+ else:
+ LOG.debug('Pid %d is stale, relaunching dnsmasq', pid)
+
+ cmd = ['env',
+ 'CONFIG_FILE=%s' % jsonutils.dumps(CONF.dhcpbridge_flagfile),
+ 'NETWORK_ID=%s' % str(network_ref['id']),
+ 'dnsmasq',
+ '--strict-order',
+ '--bind-interfaces',
+ '--conf-file=%s' % CONF.dnsmasq_config_file,
+ '--pid-file=%s' % _dhcp_file(dev, 'pid'),
+ '--dhcp-optsfile=%s' % _dhcp_file(dev, 'opts'),
+ '--listen-address=%s' % network_ref['dhcp_server'],
+ '--except-interface=lo',
+ '--dhcp-range=set:%s,%s,static,%s,%ss' %
+ (network_ref['label'],
+ network_ref['dhcp_start'],
+ network_ref['netmask'],
+ CONF.dhcp_lease_time),
+ '--dhcp-lease-max=%s' % len(netaddr.IPNetwork(network_ref['cidr'])),
+ '--dhcp-hostsfile=%s' % _dhcp_file(dev, 'conf'),
+ '--dhcp-script=%s' % CONF.dhcpbridge,
+ '--no-hosts',
+ '--leasefile-ro']
+
+ # dnsmasq currently gives an error for an empty domain,
+ # rather than ignoring. So only specify it if defined.
+ if CONF.dhcp_domain:
+ cmd.append('--domain=%s' % CONF.dhcp_domain)
+
+ dns_servers = CONF.dns_server
+ if CONF.use_network_dns_servers:
+ if network_ref.get('dns1'):
+ dns_servers.append(network_ref.get('dns1'))
+ if network_ref.get('dns2'):
+ dns_servers.append(network_ref.get('dns2'))
+ if network_ref['multi_host']:
+ cmd.append('--addn-hosts=%s' % _dhcp_file(dev, 'hosts'))
+ if dns_servers:
+ cmd.append('--no-resolv')
+ for dns_server in dns_servers:
+ cmd.append('--server=%s' % dns_server)
+
+ _execute(*cmd, run_as_root=True)
+
+ _add_dnsmasq_accept_rules(dev)
+
+
+@utils.synchronized('radvd_start')
+def update_ra(context, dev, network_ref):
+ conffile = _ra_file(dev, 'conf')
+ conf_str = """
+interface %s
+{
+ AdvSendAdvert on;
+ MinRtrAdvInterval 3;
+ MaxRtrAdvInterval 10;
+ prefix %s
+ {
+ AdvOnLink on;
+ AdvAutonomous on;
+ };
+};
+""" % (dev, network_ref['cidr_v6'])
+ write_to_file(conffile, conf_str)
+
+ # Make sure radvd can actually read it (it setuid()s to "nobody")
+ os.chmod(conffile, 0o644)
+
+ pid = _ra_pid_for(dev)
+
+ # if radvd is already running, then tell it to reload
+ if pid:
+ if is_pid_cmdline_correct(pid, conffile):
+ try:
+ _execute('kill', pid, run_as_root=True)
+ except Exception as exc:
+ LOG.error(_LE('killing radvd threw %s'), exc)
+ else:
+ LOG.debug('Pid %d is stale, relaunching radvd', pid)
+
+ cmd = ['radvd',
+ '-C', '%s' % _ra_file(dev, 'conf'),
+ '-p', '%s' % _ra_file(dev, 'pid')]
+
+ _execute(*cmd, run_as_root=True)
+
+
+def _host_lease(fixedip):
+ """Return a host string for an address in leasefile format."""
+ timestamp = timeutils.utcnow()
+ seconds_since_epoch = calendar.timegm(timestamp.utctimetuple())
+ return '%d %s %s %s *' % (seconds_since_epoch + CONF.dhcp_lease_time,
+ fixedip.virtual_interface.address,
+ fixedip.address,
+ fixedip.instance.hostname or '*')
+
+
+def _host_dhcp_network(vif_id):
+ return 'NW-%s' % vif_id
+
+
+def _host_dhcp(fixedip):
+ """Return a host string for an address in dhcp-host format."""
+ # NOTE(cfb): dnsmasq on linux only supports 64 characters in the hostname
+ # field (LP #1238910). Since the . counts as a character we need
+ # to truncate the hostname to only 63 characters.
+ hostname = fixedip.instance.hostname
+ if len(hostname) > 63:
+ LOG.warning(_LW('hostname %s too long, truncating.') % (hostname))
+ hostname = fixedip.instance.hostname[:2] + '-' +\
+ fixedip.instance.hostname[-60:]
+ if CONF.use_single_default_gateway:
+ net = _host_dhcp_network(fixedip.virtual_interface_id)
+ return '%s,%s.%s,%s,net:%s' % (fixedip.virtual_interface.address,
+ hostname,
+ CONF.dhcp_domain,
+ fixedip.address,
+ net)
+ else:
+ return '%s,%s.%s,%s' % (fixedip.virtual_interface.address,
+ hostname,
+ CONF.dhcp_domain,
+ fixedip.address)
+
+
+def _host_dns(fixedip):
+ return '%s\t%s.%s' % (fixedip.address,
+ fixedip.instance.hostname,
+ CONF.dhcp_domain)
+
+
+def _host_dhcp_opts(vif_id=None, gateway=None):
+ """Return an empty gateway option."""
+ values = []
+ if vif_id is not None:
+ values.append(_host_dhcp_network(vif_id))
+ # NOTE(vish): 3 is the dhcp option for gateway.
+ values.append('3')
+ if gateway:
+ values.append('%s' % gateway)
+ return ','.join(values)
+
+
+def _execute(*cmd, **kwargs):
+ """Wrapper around utils._execute for fake_network."""
+ if CONF.fake_network:
+ LOG.debug('FAKE NET: %s', ' '.join(map(str, cmd)))
+ return 'fake', 0
+ else:
+ return utils.execute(*cmd, **kwargs)
+
+
+def device_exists(device):
+ """Check if ethernet device exists."""
+ return os.path.exists('/sys/class/net/%s' % device)
+
+
+def _dhcp_file(dev, kind):
+ """Return path to a pid, leases, hosts or conf file for a bridge/device."""
+ fileutils.ensure_tree(CONF.networks_path)
+ return os.path.abspath('%s/nova-%s.%s' % (CONF.networks_path,
+ dev,
+ kind))
+
+
+def _ra_file(dev, kind):
+ """Return path to a pid or conf file for a bridge/device."""
+ fileutils.ensure_tree(CONF.networks_path)
+ return os.path.abspath('%s/nova-ra-%s.%s' % (CONF.networks_path,
+ dev,
+ kind))
+
+
+def _dnsmasq_pid_for(dev):
+ """Returns the pid for prior dnsmasq instance for a bridge/device.
+
+ Returns None if no pid file exists.
+
+ If machine has rebooted pid might be incorrect (caller should check).
+
+ """
+ pid_file = _dhcp_file(dev, 'pid')
+
+ if os.path.exists(pid_file):
+ try:
+ with open(pid_file, 'r') as f:
+ return int(f.read())
+ except (ValueError, IOError):
+ return None
+
+
+def _ra_pid_for(dev):
+ """Returns the pid for prior radvd instance for a bridge/device.
+
+ Returns None if no pid file exists.
+
+ If machine has rebooted pid might be incorrect (caller should check).
+
+ """
+ pid_file = _ra_file(dev, 'pid')
+
+ if os.path.exists(pid_file):
+ with open(pid_file, 'r') as f:
+ return int(f.read())
+
+
+def _ip_bridge_cmd(action, params, device):
+ """Build commands to add/del ips to bridges/devices."""
+ cmd = ['ip', 'addr', action]
+ cmd.extend(params)
+ cmd.extend(['dev', device])
+ return cmd
+
+
+def _set_device_mtu(dev, mtu=None):
+ """Set the device MTU."""
+
+ if not mtu:
+ mtu = CONF.network_device_mtu
+ if mtu:
+ utils.execute('ip', 'link', 'set', dev, 'mtu',
+ mtu, run_as_root=True,
+ check_exit_code=[0, 1, 2, 254])
+
+
+def _create_veth_pair(dev1_name, dev2_name):
+ """Create a pair of veth devices with the specified names,
+ deleting any previous devices with those names.
+ """
+ for dev in [dev1_name, dev2_name]:
+ delete_net_dev(dev)
+
+ utils.execute('ip', 'link', 'add', dev1_name, 'type', 'veth', 'peer',
+ 'name', dev2_name, run_as_root=True)
+ for dev in [dev1_name, dev2_name]:
+ utils.execute('ip', 'link', 'set', dev, 'up', run_as_root=True)
+ utils.execute('ip', 'link', 'set', dev, 'promisc', 'on',
+ run_as_root=True)
+ _set_device_mtu(dev)
+
+
+def _ovs_vsctl(args):
+ full_args = ['ovs-vsctl', '--timeout=%s' % CONF.ovs_vsctl_timeout] + args
+ try:
+ return utils.execute(*full_args, run_as_root=True)
+ except Exception as e:
+ LOG.error(_LE("Unable to execute %(cmd)s. Exception: %(exception)s"),
+ {'cmd': full_args, 'exception': e})
+ raise exception.AgentError(method=full_args)
+
+
+def create_ovs_vif_port(bridge, dev, iface_id, mac, instance_id):
+ _ovs_vsctl(['--', '--if-exists', 'del-port', dev, '--',
+ 'add-port', bridge, dev,
+ '--', 'set', 'Interface', dev,
+ 'external-ids:iface-id=%s' % iface_id,
+ 'external-ids:iface-status=active',
+ 'external-ids:attached-mac=%s' % mac,
+ 'external-ids:vm-uuid=%s' % instance_id])
+ _set_device_mtu(dev)
+
+
+def delete_ovs_vif_port(bridge, dev):
+ _ovs_vsctl(['--', '--if-exists', 'del-port', bridge, dev])
+ delete_net_dev(dev)
+
+
+def ovs_set_vhostuser_port_type(dev):
+ _ovs_vsctl(['--', 'set', 'Interface', dev, 'type=dpdkvhostuser'])
+
+
+def create_ivs_vif_port(dev, iface_id, mac, instance_id):
+ utils.execute('ivs-ctl', 'add-port',
+ dev, run_as_root=True)
+
+
+def delete_ivs_vif_port(dev):
+ utils.execute('ivs-ctl', 'del-port', dev,
+ run_as_root=True)
+ utils.execute('ip', 'link', 'delete', dev,
+ run_as_root=True)
+
+
+def create_tap_dev(dev, mac_address=None):
+ if not device_exists(dev):
+ try:
+ # First, try with 'ip'
+ utils.execute('ip', 'tuntap', 'add', dev, 'mode', 'tap',
+ run_as_root=True, check_exit_code=[0, 2, 254])
+ except processutils.ProcessExecutionError:
+ # Second option: tunctl
+ utils.execute('tunctl', '-b', '-t', dev, run_as_root=True)
+ if mac_address:
+ utils.execute('ip', 'link', 'set', dev, 'address', mac_address,
+ run_as_root=True, check_exit_code=[0, 2, 254])
+ utils.execute('ip', 'link', 'set', dev, 'up', run_as_root=True,
+ check_exit_code=[0, 2, 254])
+
+
+def delete_net_dev(dev):
+ """Delete a network device only if it exists."""
+ if device_exists(dev):
+ try:
+ utils.execute('ip', 'link', 'delete', dev, run_as_root=True,
+ check_exit_code=[0, 2, 254])
+ LOG.debug("Net device removed: '%s'", dev)
+ except processutils.ProcessExecutionError:
+ with excutils.save_and_reraise_exception():
+ LOG.error(_LE("Failed removing net device: '%s'"), dev)
+
+
+def delete_bridge_dev(dev):
+ """Delete a network bridge."""
+ if device_exists(dev):
+ try:
+ utils.execute('ip', 'link', 'set', dev, 'down', run_as_root=True)
+ utils.execute('brctl', 'delbr', dev, run_as_root=True)
+ except processutils.ProcessExecutionError:
+ with excutils.save_and_reraise_exception():
+ LOG.error(_LE("Failed removing bridge device: '%s'"), dev)
+
+
+# Similar to compute virt layers, the Linux network node
+# code uses a flexible driver model to support different ways
+# of creating ethernet interfaces and attaching them to the network.
+# In the case of a network host, these interfaces
+# act as gateway/dhcp/vpn/etc. endpoints not VM interfaces.
+interface_driver = None
+
+
+def _get_interface_driver():
+ global interface_driver
+ if not interface_driver:
+ interface_driver = importutils.import_object(
+ CONF.linuxnet_interface_driver)
+ return interface_driver
+
+
+def plug(network, mac_address, gateway=True):
+ return _get_interface_driver().plug(network, mac_address, gateway)
+
+
+def unplug(network):
+ return _get_interface_driver().unplug(network)
+
+
+def get_dev(network):
+ return _get_interface_driver().get_dev(network)
+
+
+class LinuxNetInterfaceDriver(object):
+ """Abstract class that defines generic network host API
+ for all Linux interface drivers.
+ """
+
+ def plug(self, network, mac_address):
+ """Create Linux device, return device name."""
+ raise NotImplementedError()
+
+ def unplug(self, network):
+ """Destroy Linux device, return device name."""
+ raise NotImplementedError()
+
+ def get_dev(self, network):
+ """Get device name."""
+ raise NotImplementedError()
+
+
+# plugs interfaces using Linux Bridge
+class LinuxBridgeInterfaceDriver(LinuxNetInterfaceDriver):
+
+ def plug(self, network, mac_address, gateway=True):
+ vlan = network.get('vlan')
+ if vlan is not None:
+ iface = CONF.vlan_interface or network['bridge_interface']
+ LinuxBridgeInterfaceDriver.ensure_vlan_bridge(
+ vlan,
+ network['bridge'],
+ iface,
+ network,
+ mac_address,
+ network.get('mtu'))
+ iface = 'vlan%s' % vlan
+ else:
+ iface = CONF.flat_interface or network['bridge_interface']
+ LinuxBridgeInterfaceDriver.ensure_bridge(
+ network['bridge'],
+ iface,
+ network, gateway)
+
+ if network['share_address'] or CONF.share_dhcp_address:
+ isolate_dhcp_address(iface, network['dhcp_server'])
+ # NOTE(vish): applying here so we don't get a lock conflict
+ iptables_manager.apply()
+ return network['bridge']
+
+ def unplug(self, network, gateway=True):
+ vlan = network.get('vlan')
+ if vlan is not None:
+ iface = 'vlan%s' % vlan
+ LinuxBridgeInterfaceDriver.remove_vlan_bridge(vlan,
+ network['bridge'])
+ else:
+ iface = CONF.flat_interface or network['bridge_interface']
+ LinuxBridgeInterfaceDriver.remove_bridge(network['bridge'],
+ gateway)
+
+ if network['share_address'] or CONF.share_dhcp_address:
+ remove_isolate_dhcp_address(iface, network['dhcp_server'])
+
+ iptables_manager.apply()
+ return self.get_dev(network)
+
+ def get_dev(self, network):
+ return network['bridge']
+
+ @staticmethod
+ def ensure_vlan_bridge(vlan_num, bridge, bridge_interface,
+ net_attrs=None, mac_address=None,
+ mtu=None):
+ """Create a vlan and bridge unless they already exist."""
+ interface = LinuxBridgeInterfaceDriver.ensure_vlan(vlan_num,
+ bridge_interface, mac_address,
+ mtu)
+ LinuxBridgeInterfaceDriver.ensure_bridge(bridge, interface, net_attrs)
+ return interface
+
+ @staticmethod
+ def remove_vlan_bridge(vlan_num, bridge):
+ """Delete a bridge and vlan."""
+ LinuxBridgeInterfaceDriver.remove_bridge(bridge)
+ LinuxBridgeInterfaceDriver.remove_vlan(vlan_num)
+
+ @staticmethod
+ @utils.synchronized('lock_vlan', external=True)
+ def ensure_vlan(vlan_num, bridge_interface, mac_address=None, mtu=None):
+ """Create a vlan unless it already exists."""
+ interface = 'vlan%s' % vlan_num
+ if not device_exists(interface):
+ LOG.debug('Starting VLAN interface %s', interface)
+ _execute('ip', 'link', 'add', 'link', bridge_interface,
+ 'name', interface, 'type', 'vlan',
+ 'id', vlan_num, run_as_root=True,
+ check_exit_code=[0, 2, 254])
+ # (danwent) the bridge will inherit this address, so we want to
+ # make sure it is the value set from the NetworkManager
+ if mac_address:
+ _execute('ip', 'link', 'set', interface, 'address',
+ mac_address, run_as_root=True,
+ check_exit_code=[0, 2, 254])
+ _execute('ip', 'link', 'set', interface, 'up', run_as_root=True,
+ check_exit_code=[0, 2, 254])
+ # NOTE(vish): set mtu every time to ensure that changes to mtu get
+ # propogated
+ _set_device_mtu(interface, mtu)
+ return interface
+
+ @staticmethod
+ @utils.synchronized('lock_vlan', external=True)
+ def remove_vlan(vlan_num):
+ """Delete a vlan."""
+ vlan_interface = 'vlan%s' % vlan_num
+ delete_net_dev(vlan_interface)
+
+ @staticmethod
+ @utils.synchronized('lock_bridge', external=True)
+ def ensure_bridge(bridge, interface, net_attrs=None, gateway=True,
+ filtering=True):
+ """Create a bridge unless it already exists.
+
+ :param interface: the interface to create the bridge on.
+ :param net_attrs: dictionary with attributes used to create bridge.
+ :param gateway: whether or not the bridge is a gateway.
+ :param filtering: whether or not to create filters on the bridge.
+
+ If net_attrs is set, it will add the net_attrs['gateway'] to the bridge
+ using net_attrs['broadcast'] and net_attrs['cidr']. It will also add
+ the ip_v6 address specified in net_attrs['cidr_v6'] if use_ipv6 is set.
+
+ The code will attempt to move any ips that already exist on the
+ interface onto the bridge and reset the default gateway if necessary.
+
+ """
+ if not device_exists(bridge):
+ LOG.debug('Starting Bridge %s', bridge)
+ _execute('brctl', 'addbr', bridge, run_as_root=True)
+ _execute('brctl', 'setfd', bridge, 0, run_as_root=True)
+ # _execute('brctl setageing %s 10' % bridge, run_as_root=True)
+ _execute('brctl', 'stp', bridge, 'off', run_as_root=True)
+ # (danwent) bridge device MAC address can't be set directly.
+ # instead it inherits the MAC address of the first device on the
+ # bridge, which will either be the vlan interface, or a
+ # physical NIC.
+ _execute('ip', 'link', 'set', bridge, 'up', run_as_root=True)
+
+ if interface:
+ LOG.debug('Adding interface %(interface)s to bridge %(bridge)s',
+ {'interface': interface, 'bridge': bridge})
+ out, err = _execute('brctl', 'addif', bridge, interface,
+ check_exit_code=False, run_as_root=True)
+ if (err and err != "device %s is already a member of a bridge; "
+ "can't enslave it to bridge %s.\n" % (interface, bridge)):
+ msg = _('Failed to add interface: %s') % err
+ raise exception.NovaException(msg)
+
+ out, err = _execute('ip', 'link', 'set', interface, 'up',
+ check_exit_code=False, run_as_root=True)
+
+ # NOTE(vish): This will break if there is already an ip on the
+ # interface, so we move any ips to the bridge
+ # NOTE(danms): We also need to copy routes to the bridge so as
+ # not to break existing connectivity on the interface
+ old_routes = []
+ out, err = _execute('ip', 'route', 'show', 'dev', interface)
+ for line in out.split('\n'):
+ fields = line.split()
+ if fields and 'via' in fields:
+ old_routes.append(fields)
+ _execute('ip', 'route', 'del', *fields,
+ run_as_root=True)
+ out, err = _execute('ip', 'addr', 'show', 'dev', interface,
+ 'scope', 'global')
+ for line in out.split('\n'):
+ fields = line.split()
+ if fields and fields[0] == 'inet':
+ if fields[-2] in ('secondary', 'dynamic', ):
+ params = fields[1:-2]
+ else:
+ params = fields[1:-1]
+ _execute(*_ip_bridge_cmd('del', params, fields[-1]),
+ run_as_root=True, check_exit_code=[0, 2, 254])
+ _execute(*_ip_bridge_cmd('add', params, bridge),
+ run_as_root=True, check_exit_code=[0, 2, 254])
+ for fields in old_routes:
+ _execute('ip', 'route', 'add', *fields,
+ run_as_root=True)
+
+ if filtering:
+ # Don't forward traffic unless we were told to be a gateway
+ ipv4_filter = iptables_manager.ipv4['filter']
+ if gateway:
+ for rule in get_gateway_rules(bridge):
+ ipv4_filter.add_rule(*rule)
+ else:
+ ipv4_filter.add_rule('FORWARD',
+ ('--in-interface %s -j %s'
+ % (bridge, CONF.iptables_drop_action)))
+ ipv4_filter.add_rule('FORWARD',
+ ('--out-interface %s -j %s'
+ % (bridge, CONF.iptables_drop_action)))
+
+ @staticmethod
+ @utils.synchronized('lock_bridge', external=True)
+ def remove_bridge(bridge, gateway=True, filtering=True):
+ """Delete a bridge."""
+ if not device_exists(bridge):
+ return
+ else:
+ if filtering:
+ ipv4_filter = iptables_manager.ipv4['filter']
+ if gateway:
+ for rule in get_gateway_rules(bridge):
+ ipv4_filter.remove_rule(*rule)
+ else:
+ drop_actions = ['DROP']
+ if CONF.iptables_drop_action != 'DROP':
+ drop_actions.append(CONF.iptables_drop_action)
+
+ for drop_action in drop_actions:
+ ipv4_filter.remove_rule('FORWARD',
+ ('--in-interface %s -j %s'
+ % (bridge, drop_action)))
+ ipv4_filter.remove_rule('FORWARD',
+ ('--out-interface %s -j %s'
+ % (bridge, drop_action)))
+ delete_bridge_dev(bridge)
+
+
+# NOTE(cfb): This is a temporary fix to LP #1316621. We really want to call
+# ebtables with --concurrent. In order to do that though we need
+# libvirt to support this. Additionally since ebtables --concurrent
+# will hang indefinitely waiting on the lock we need to teach
+# oslo_concurrency.processutils how to timeout a long running
+# process first. Once those are complete we can replace all of this
+# with calls to ebtables --concurrent and a reasonable timeout.
+def _exec_ebtables(*cmd, **kwargs):
+ check_exit_code = kwargs.pop('check_exit_code', True)
+
+ # List of error strings to re-try.
+ retry_strings = (
+ 'Multiple ebtables programs',
+ )
+
+ # We always try at least once
+ attempts = CONF.ebtables_exec_attempts
+ if attempts <= 0:
+ attempts = 1
+ count = 1
+ while count <= attempts:
+ # Updated our counters if needed
+ sleep = CONF.ebtables_retry_interval * count
+ count += 1
+ # NOTE(cfb): ebtables reports all errors with a return code of 255.
+ # As such we can't know if we hit a locking error, or some
+ # other error (like a rule doesn't exist) so we have to
+ # to parse stderr.
+ try:
+ _execute(*cmd, check_exit_code=[0], **kwargs)
+ except processutils.ProcessExecutionError as exc:
+ # See if we can retry the error.
+ if any(error in exc.stderr for error in retry_strings):
+ if count > attempts and check_exit_code:
+ LOG.warning(_LW('%s failed. Not Retrying.'), ' '.join(cmd))
+ raise
+ else:
+ # We need to sleep a bit before retrying
+ LOG.warning(_LW("%(cmd)s failed. Sleeping %(time)s "
+ "seconds before retry."),
+ {'cmd': ' '.join(cmd), 'time': sleep})
+ time.sleep(sleep)
+ else:
+ # Not eligible for retry
+ if check_exit_code:
+ LOG.warning(_LW('%s failed. Not Retrying.'), ' '.join(cmd))
+ raise
+ else:
+ return
+ else:
+ # Success
+ return
+
+
+@utils.synchronized('ebtables', external=True)
+def ensure_ebtables_rules(rules, table='filter'):
+ for rule in rules:
+ cmd = ['ebtables', '-t', table, '-D'] + rule.split()
+ _exec_ebtables(*cmd, check_exit_code=False, run_as_root=True)
+ cmd[3] = '-I'
+ _exec_ebtables(*cmd, run_as_root=True)
+
+
+@utils.synchronized('ebtables', external=True)
+def remove_ebtables_rules(rules, table='filter'):
+ for rule in rules:
+ cmd = ['ebtables', '-t', table, '-D'] + rule.split()
+ _exec_ebtables(*cmd, check_exit_code=False, run_as_root=True)
+
+
+def isolate_dhcp_address(interface, address):
+ # block arp traffic to address across the interface
+ rules = []
+ rules.append('INPUT -p ARP -i %s --arp-ip-dst %s -j DROP'
+ % (interface, address))
+ rules.append('OUTPUT -p ARP -o %s --arp-ip-src %s -j DROP'
+ % (interface, address))
+ rules.append('FORWARD -p IPv4 -i %s --ip-protocol udp '
+ '--ip-destination-port 67:68 -j DROP'
+ % interface)
+ rules.append('FORWARD -p IPv4 -o %s --ip-protocol udp '
+ '--ip-destination-port 67:68 -j DROP'
+ % interface)
+ # NOTE(vish): the above is not possible with iptables/arptables
+ ensure_ebtables_rules(rules)
+
+
+def remove_isolate_dhcp_address(interface, address):
+ # block arp traffic to address across the interface
+ rules = []
+ rules.append('INPUT -p ARP -i %s --arp-ip-dst %s -j DROP'
+ % (interface, address))
+ rules.append('OUTPUT -p ARP -o %s --arp-ip-src %s -j DROP'
+ % (interface, address))
+ rules.append('FORWARD -p IPv4 -i %s --ip-protocol udp '
+ '--ip-destination-port 67:68 -j DROP'
+ % interface)
+ rules.append('FORWARD -p IPv4 -o %s --ip-protocol udp '
+ '--ip-destination-port 67:68 -j DROP'
+ % interface)
+ remove_ebtables_rules(rules)
+ # NOTE(vish): the above is not possible with iptables/arptables
+
+
+def get_gateway_rules(bridge):
+ interfaces = CONF.forward_bridge_interface
+ if 'all' in interfaces:
+ return [('FORWARD', '-i %s -j ACCEPT' % bridge),
+ ('FORWARD', '-o %s -j ACCEPT' % bridge)]
+ rules = []
+ for iface in CONF.forward_bridge_interface:
+ if iface:
+ rules.append(('FORWARD', '-i %s -o %s -j ACCEPT' % (bridge,
+ iface)))
+ rules.append(('FORWARD', '-i %s -o %s -j ACCEPT' % (iface,
+ bridge)))
+ rules.append(('FORWARD', '-i %s -o %s -j ACCEPT' % (bridge, bridge)))
+ rules.append(('FORWARD', '-i %s -j %s' % (bridge,
+ CONF.iptables_drop_action)))
+ rules.append(('FORWARD', '-o %s -j %s' % (bridge,
+ CONF.iptables_drop_action)))
+ return rules
+
+
+# plugs interfaces using Open vSwitch
+class LinuxOVSInterfaceDriver(LinuxNetInterfaceDriver):
+
+ def plug(self, network, mac_address, gateway=True):
+ dev = self.get_dev(network)
+ if not device_exists(dev):
+ bridge = CONF.linuxnet_ovs_integration_bridge
+ _ovs_vsctl(['--', '--may-exist', 'add-port', bridge, dev,
+ '--', 'set', 'Interface', dev, 'type=internal',
+ '--', 'set', 'Interface', dev,
+ 'external-ids:iface-id=%s' % dev,
+ '--', 'set', 'Interface', dev,
+ 'external-ids:iface-status=active',
+ '--', 'set', 'Interface', dev,
+ 'external-ids:attached-mac=%s' % mac_address])
+ _execute('ip', 'link', 'set', dev, 'address', mac_address,
+ run_as_root=True)
+ _set_device_mtu(dev, network.get('mtu'))
+ _execute('ip', 'link', 'set', dev, 'up', run_as_root=True)
+ if not gateway:
+ # If we weren't instructed to act as a gateway then add the
+ # appropriate flows to block all non-dhcp traffic.
+ _execute('ovs-ofctl',
+ 'add-flow', bridge, 'priority=1,actions=drop',
+ run_as_root=True)
+ _execute('ovs-ofctl', 'add-flow', bridge,
+ 'udp,tp_dst=67,dl_dst=%s,priority=2,actions=normal' %
+ mac_address, run_as_root=True)
+ # .. and make sure iptbles won't forward it as well.
+ iptables_manager.ipv4['filter'].add_rule('FORWARD',
+ '--in-interface %s -j %s' % (bridge,
+ CONF.iptables_drop_action))
+ iptables_manager.ipv4['filter'].add_rule('FORWARD',
+ '--out-interface %s -j %s' % (bridge,
+ CONF.iptables_drop_action))
+ else:
+ for rule in get_gateway_rules(bridge):
+ iptables_manager.ipv4['filter'].add_rule(*rule)
+
+ return dev
+
+ def unplug(self, network):
+ dev = self.get_dev(network)
+ bridge = CONF.linuxnet_ovs_integration_bridge
+ _ovs_vsctl(['--', '--if-exists', 'del-port', bridge, dev])
+ return dev
+
+ def get_dev(self, network):
+ dev = 'gw-' + str(network['uuid'][0:11])
+ return dev
+
+
+# plugs interfaces using Linux Bridge when using NeutronManager
+class NeutronLinuxBridgeInterfaceDriver(LinuxNetInterfaceDriver):
+
+ BRIDGE_NAME_PREFIX = 'brq'
+ GATEWAY_INTERFACE_PREFIX = 'gw-'
+
+ def plug(self, network, mac_address, gateway=True):
+ dev = self.get_dev(network)
+ bridge = self.get_bridge(network)
+ if not gateway:
+ # If we weren't instructed to act as a gateway then add the
+ # appropriate flows to block all non-dhcp traffic.
+ # .. and make sure iptbles won't forward it as well.
+ iptables_manager.ipv4['filter'].add_rule('FORWARD',
+ ('--in-interface %s -j %s'
+ % (bridge, CONF.iptables_drop_action)))
+ iptables_manager.ipv4['filter'].add_rule('FORWARD',
+ ('--out-interface %s -j %s'
+ % (bridge, CONF.iptables_drop_action)))
+ return bridge
+ else:
+ for rule in get_gateway_rules(bridge):
+ iptables_manager.ipv4['filter'].add_rule(*rule)
+
+ create_tap_dev(dev, mac_address)
+
+ if not device_exists(bridge):
+ LOG.debug("Starting bridge %s ", bridge)
+ utils.execute('brctl', 'addbr', bridge, run_as_root=True)
+ utils.execute('brctl', 'setfd', bridge, str(0), run_as_root=True)
+ utils.execute('brctl', 'stp', bridge, 'off', run_as_root=True)
+ utils.execute('ip', 'link', 'set', bridge, 'address', mac_address,
+ run_as_root=True, check_exit_code=[0, 2, 254])
+ utils.execute('ip', 'link', 'set', bridge, 'up', run_as_root=True,
+ check_exit_code=[0, 2, 254])
+ LOG.debug("Done starting bridge %s", bridge)
+
+ full_ip = '%s/%s' % (network['dhcp_server'],
+ network['cidr'].rpartition('/')[2])
+ utils.execute('ip', 'address', 'add', full_ip, 'dev', bridge,
+ run_as_root=True, check_exit_code=[0, 2, 254])
+
+ return dev
+
+ def unplug(self, network):
+ dev = self.get_dev(network)
+ if not device_exists(dev):
+ return None
+ else:
+ delete_net_dev(dev)
+ return dev
+
+ def get_dev(self, network):
+ dev = self.GATEWAY_INTERFACE_PREFIX + str(network['uuid'][0:11])
+ return dev
+
+ def get_bridge(self, network):
+ bridge = self.BRIDGE_NAME_PREFIX + str(network['uuid'][0:11])
+ return bridge
+
+# provide compatibility with existing configs
+QuantumLinuxBridgeInterfaceDriver = NeutronLinuxBridgeInterfaceDriver
+
+iptables_manager = IptablesManager()
+
+
+def set_vf_interface_vlan(pci_addr, mac_addr, vlan=0):
+ pf_ifname = pci_utils.get_ifname_by_pci_address(pci_addr,
+ pf_interface=True)
+ vf_ifname = pci_utils.get_ifname_by_pci_address(pci_addr)
+ vf_num = pci_utils.get_vf_num_by_pci_address(pci_addr)
+
+ # Set the VF's mac address and vlan
+ exit_code = [0, 2, 254]
+ port_state = 'up' if vlan > 0 else 'down'
+ utils.execute('ip', 'link', 'set', pf_ifname,
+ 'vf', vf_num,
+ 'mac', mac_addr,
+ 'vlan', vlan,
+ run_as_root=True,
+ check_exit_code=exit_code)
+ # Bring up/down the VF's interface
+ utils.execute('ip', 'link', 'set', vf_ifname,
+ port_state,
+ run_as_root=True,
+ check_exit_code=exit_code)
Code Review / ovsnfv.git / blobdiff