X-Git-Url: http://xvm.mit.edu/gitweb/invirt/packages/invirt-dhcp.git/blobdiff_plain/b3b2ea80e5c3aae0d9ab7814893c4dde05979c89..149df324e6f1aca5ba2f043dba6614c65b499968:/invirt-dhcpserver diff --git a/invirt-dhcpserver b/invirt-dhcpserver index 04376d0..20a0816 100755 --- a/invirt-dhcpserver +++ b/invirt-dhcpserver @@ -1,4 +1,5 @@ #!/usr/bin/python +import os.path import sys import pydhcplib import pydhcplib.dhcp_network @@ -8,6 +9,12 @@ from pydhcplib.type_ipv4 import ipv4 from pydhcplib.type_strlist import strlist import socket import IN +from Queue import Queue +from threading import Thread +from subprocess import PIPE, Popen +import netifaces as ni +sys.path.append('/usr/lib/xen-default/lib/python/') +from xen.lowlevel import xs import syslog as s @@ -15,28 +22,94 @@ import time from invirt import database from invirt.config import structs as config -dhcp_options = {'subnet_mask': config.dhcp.netmask, - 'router': config.dhcp.gateway, - 'domain_name_server': ','.join(config.dhcp.dns), - 'ip_address_lease_time': 60*60*24} +dhcp_options = {'domain_name_server': ','.join(config.dhcp.dns), + 'ip_address_lease_time': config.dhcp.get('leasetime', 60*60*24)} + +class Interfaces(object): + @staticmethod + def primary_ip(name): + """primary_ip returns an interface's primary IP address. + + This is the first IPv4 address returned by "ip addr show $name" + """ + # TODO(quentin): The netifaces module is a pile of crappy C. + # Figure out a way to do this in native Python. + return ni.ifaddresses(name)[ni.AF_INET][0]['addr'] + + @staticmethod + def exists(name): + """exists checks if an interface exists. + + Args: + name: Interface name + """ + return os.path.exists("/sys/class/net/"+name) + class DhcpBackend: - def __init__(self): + def __init__(self, queue): database.connect() + self.queue = queue + self.main_ip = Interfaces.primary_ip(config.xen.iface) + def add_route_and_arp(self, ip, intf, gateway): + try: + p = Popen(['ip', 'route', 'add', ip, 'dev', intf, 'src', self.main_ip, 'metric', '2' if intf.startswith('vif') else '1'], stdout=PIPE, stderr=PIPE) + (out, err) = p.communicate() + if p.returncode == 0: + s.syslog(s.LOG_INFO, "Added route for IP %s to interface %s" % (ip, intf)) + self.queue.put((ip, gateway)) + sys.stderr.write(err) + sys.stdout.write(out) + except Exception as e: + s.syslog(s.LOG_ERR, "Could not add route for IP %s: %s" % (ip, e)) def findNIC(self, mac): database.clear_cache() - return database.NIC.query().filter_by(mac_addr=mac).first() + return database.NIC.query.filter_by(mac_addr=mac).first() def find_interface(self, packet): chaddr = hwmac(packet.GetHardwareAddress()) nic = self.findNIC(str(chaddr)) + return self.find_interface_by_nic(nic) + def find_interface_by_nic(self, nic): if nic is None or nic.ip is None: return None - ipstr = ''.join(reversed(['%02X' % i for i in ipv4(nic.ip).list()])) + ipstr = ''.join(reversed(['%02X' % i for i in ipv4(nic.ip.encode("utf-8")).list()])) for line in open('/proc/net/route'): parts = line.split() if parts[1] == ipstr: s.syslog(s.LOG_DEBUG, "find_interface found "+str(nic.ip)+" on "+parts[0]) return parts[0] + # Either the machine isn't running, or the route is missing. We can + # fix the latter. + try: + xsc = xs.xs() + domid = xsc.read('', '/vm/%s/device/vif/0/frontend-id' % (nic.machine.uuid)) + # If we didn't find the domid, the machine is either off or the + # UUID in xenstore isn't right. Try slightly harder. + if not domid: + for uuid in xsc.ls('', '/vm'): + if xsc.read('', '/vm/%s/name' % (uuid)) == 'd_' + nic.machine.name: + domid = xsc.read('', '/vm/%s/device/vif/0/frontend-id' % (uuid)) + if not domid: + xsc.close() + return None + for vifnum in xsc.ls('', '/local/domain/0/backend/vif/%s' % (domid)): + if xsc.read('', '/local/domain/0/backend/vif/%s/%s/mac' % (domid, vifnum)) == nic.mac_addr: + # Prefer the tap if it exists; paravirtualized HVMs will + # have already unplugged it, so if it's there, it's the one + # in use. + for viftype in ('tap', 'vif'): + vif = '%s%s.%s' % (viftype, domid, vifnum) + if Interfaces.exists(vif): + self.add_route_and_arp(nic.ip, vif, nic.gateway) + xsc.close() + return vif + xsc.close() + except Exception as e: + try: + xsc.close() + except Exception as e2: + s.syslog(s.LOG_ERR, "Could not close connection to xenstore: %s" % (e2)) + s.syslog(s.LOG_ERR, "Could not find interface and add missing route: %s" % (e)) return None def getParameters(self, **extra): @@ -97,15 +170,17 @@ class DhcpBackend: nic = self.findNIC(str(chaddr)) if nic is None or nic.machine is None: return False - ip = nic.ip + ip = nic.ip.encode("utf-8") if ip is None: #Deactivated? return False options = {} + options['subnet_mask'] = nic.netmask.encode("utf-8") + options['router'] = nic.gateway.encode("utf-8") if nic.hostname and '.' in nic.hostname: - options['host_name'], options['domain_name'] = nic.hostname.split('.', 1) + options['host_name'], options['domain_name'] = nic.hostname.encode('utf-8').split('.', 1) elif nic.machine.name: - options['host_name'] = nic.machine.name + options['host_name'] = nic.machine.name.encode('utf-8') options['domain_name'] = config.dns.domains[0] else: hostname = None @@ -113,17 +188,15 @@ class DhcpBackend: options['host_name'] += '.' + options['domain_name'] del options['domain_name'] options['domain_search'] = [config.dhcp.search_domain] - if ip is not None: - ip = ipv4(ip) - s.syslog(s.LOG_DEBUG,"dhcp_backend : Discover result = "+str(ip)) - packet_parameters = self.getParameters(**options) + ip = ipv4(ip) + s.syslog(s.LOG_DEBUG,"dhcp_backend : Discover result = "+str(ip)) + packet_parameters = self.getParameters(**options) - # FIXME: Other offer parameters go here - packet_parameters["yiaddr"] = ip.list() - - packet.SetMultipleOptions(packet_parameters) - return True - return False + # FIXME: Other offer parameters go here + packet_parameters["yiaddr"] = ip.list() + + packet.SetMultipleOptions(packet_parameters) + return True def Request(self, packet): s.syslog(s.LOG_DEBUG, "dhcp_backend : Request") @@ -142,6 +215,84 @@ class DhcpBackend: if yiaddr!="0.0.0.0" and yiaddr == request : s.syslog(s.LOG_INFO,"Ack ip "+str(yiaddr)+" for "+str(chaddr)) + n = self.findNIC(str(chaddr)) + intf = self.find_interface_by_nic(n) + s.syslog(s.LOG_ERR, "Interface is %s" % (intf)) + # Don't perform "other" actions if the machine isn't running + other_action = n.other_action if n.other_action and intf else '' + if other_action in ('renumber', 'renumber_dhcp'): + (n.ip, n.netmask, n.gateway, n.other_ip, n.other_netmask, + n.other_gateway) = ( + n.other_ip, n.other_netmask, n.other_gateway, n.ip, + n.netmask, n.gateway) + other_action = n.other_action = 'dnat' + database.session.add(n) + database.session.flush() + if other_action == 'dnat': + # If the machine was booted in 'dnat' mode, then both + # routes were already added by the invirt-database script. + # If the machine was already on and has just been set to + # 'dnat' mode, we need to add the route for the 'other' IP. + # If the machine has just been 'renumbered' by us above, + # the IPs will be swapped and only the route for the main + # IP needs to be added. Just try adding both of them, and + # arp for whichever of them turns out to be new. + for parms in [(n.ip, n.gateway), (n.other_ip, n.other_gateway)]: + self.add_route_and_arp(parms[0], intf, parms[1]) + try: + # iptables will let you add the same rule again and again; + # let's not do that. + p = Popen(['iptables', '-t', 'nat', '-C', 'PREROUTING', '-d', n.other_ip, '-j', 'DNAT', '--to-destination', n.ip], stdout=PIPE, stderr=PIPE) + (out, err) = p.communicate() + sys.stderr.write(err) + sys.stdout.write(out) + if p.returncode != 0: + p2 = Popen(['iptables', '-t', 'nat', '-A', 'PREROUTING', '-d', n.other_ip, '-j', 'DNAT', '--to-destination', n.ip], stdout=PIPE, stderr=PIPE) + (out, err) = p2.communicate() + sys.stderr.write(err) + sys.stdout.write(out) + if p2.returncode == 0: + s.syslog(s.LOG_INFO, "Added DNAT for IP %s to %s" % (n.other_ip, n.ip)) + else: + s.syslog(s.LOG_ERR, "Could not add DNAT for IP %s to %s" % (n.other_ip, n.ip)) + except Exception as e: + s.syslog(s.LOG_ERR, "Could not check and/or add DNAT for IP %s to %s: %s" % (n.other_ip, n.ip, e)) + if other_action == 'remove': + try: + p = Popen(['ip', 'route', 'del', n.other_ip, 'dev', intf], stdout=PIPE, stderr=PIPE) + (out, err) = p.communicate() + sys.stderr.write(err) + sys.stderr.write(out) + if p.returncode == 0: + s.syslog(s.LOG_INFO, "Removed route for IP %s" % (n.other_ip)) + else: + s.syslog(s.LOG_ERR, "Could not remove route for IP %s" % (n.other_ip)) + except Exception as e: + s.syslog(s.LOG_ERR, "Could not run ip to remove route for IP %s: %s" % (n.other_ip, e)) + try: + p = Popen(['iptables', '-t', 'nat', '-D', 'PREROUTING', '-d', n.other_ip, '-j', 'DNAT', '--to-destination', n.ip], stdout=PIPE, stderr=PIPE) + (out, err) = p.communicate() + sys.stderr.write(err) + sys.stdout.write(out) + if p.returncode == 0: + s.syslog(s.LOG_INFO, "Removed DNAT for IP %s" % (n.other_ip)) + else: + s.syslog(s.LOG_ERR, "Could not remove DNAT for IP %s" % (n.other_ip)) + except Exception as e: + s.syslog(s.LOG_ERR, "Could not run iptables to remove DNAT for IP %s: %s" % (n.other_ip, e)) + n.other_ip = n.other_netmask = n.other_gateway = n.other_action = None + database.session.add(n) + database.session.flush() + # We went through the DISCOVER codepath already to populate some + # of the packet's parameters. If we renumbered the VM just above, + # the packet is set to offer them what they asked for - the old + # address. So, we'll send them a DHCPNACK and they'll come right + # back and be offered the new address. The code above won't be + # able to add duplicate routes, won't insert a duplicate DNAT, + # and won't ARP again because the routes will exist, so this won't + # incur much extra work. + if request != map(int, n.ip.split('.')): + return False return True else: s.syslog(s.LOG_INFO,"Requested ip "+str(request)+" not available for "+str(chaddr)) @@ -162,12 +313,9 @@ class DhcpServer(pydhcplib.dhcp_network.DhcpServer): def SendDhcpPacketTo(self, To, packet): intf = self.backend.find_interface(packet) if intf: - out_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) - out_socket.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST,1) - out_socket.setsockopt(socket.SOL_SOCKET, IN.SO_BINDTODEVICE, intf) - #out_socket.bind((ip, self.listen_port)) - ret = out_socket.sendto(packet.EncodePacket(), (To,self.emit_port)) - out_socket.close() + self.dhcp_socket.setsockopt(socket.SOL_SOCKET, IN.SO_BINDTODEVICE, intf) + ret = self.dhcp_socket.sendto(packet.EncodePacket(), (To,self.emit_port)) + self.dhcp_socket.setsockopt(socket.SOL_SOCKET, IN.SO_BINDTODEVICE, '') return ret else: return self.dhcp_socket.sendto(packet.EncodePacket(),(To,self.emit_port)) @@ -227,12 +375,14 @@ class DhcpServer(pydhcplib.dhcp_network.DhcpServer): else : s.syslog(s.LOG_INFO,"Get DHCPREQUEST_UNKNOWN_STATE packet : not implemented") - if self.backend.Request(packet) : packet.TransformToDhcpAckPacket() - else : packet.TransformToDhcpNackPacket() - - self.SendPacket(packet) - - + if self.backend.Request(packet): + packet.TransformToDhcpAckPacket() + self.SendPacket(packet) + elif self.backend.Discover(packet): + packet.TransformToDhcpNackPacket() + self.SendPacket(packet) + else: + pass # We aren't authoritative, so don't reply if we don't know them. # FIXME: These are not yet implemented. def HandleDhcpDecline(self, packet): @@ -253,11 +403,48 @@ class DhcpServer(pydhcplib.dhcp_network.DhcpServer): # FIXME : what if false ? +class ArpspoofWorker(Thread): + def __init__(self, queue): + Thread.__init__(self) + self.queue = queue + self.iface = config.xen.iface + + def run(self): + while True: + (ip, gw) = self.queue.get() + try: + p = Popen(['timeout', '-s', 'KILL', '5', 'arpspoof', '-i', self.iface, '-t', gw, ip], stdout=PIPE, stderr=PIPE) + (out, err) = p.communicate() + if p.returncode != 124: + s.syslog(s.LOG_ERR, "arpspoof returned %s for IP %s gateway %s" % (p.returncode, ip, gw)) + else: + s.syslog(s.LOG_INFO, "aprspoof'd for IP %s gateway %s" % (ip, gw)) + sys.stderr.write(err) + sys.stdout.write(out) + except Exception as e: + s.syslog(s.LOG_ERR, "Could not run arpspoof for IP %s gateway %s: %s" % (ip, gw, e)) + self.queue.task_done() + if '__main__' == __name__: options = { "server_listen_port":67, "client_listen_port":68, "listen_address":"0.0.0.0"} - backend = DhcpBackend() + + myip = socket.gethostbyname(socket.gethostname()) + if not myip: + print "invirt-dhcpserver: cannot determine local IP address by looking up %s" % socket.gethostname() + sys.exit(1) + + dhcp_options['server_identifier'] = ipv4(myip).int() + + queue = Queue() + + backend = DhcpBackend(queue) server = DhcpServer(backend, options) + for x in range(2): + worker = ArpspoofWorker(queue) + worker.daemon = True + worker.start() + while True : server.GetNextDhcpPacket()