Implement handling of "other" network params, including a minimal state

machine that knows how to renumber and DNAT VMs as well as tear down
those DNATs.

diff --git a/debian/changelog b/debian/changelog
index 3e53c21..9acc35e 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,8 +3,11 @@ invirt-dhcp (0.0.8) precise; urgency=low
   * Populate subnet_mask and router options from individual NIC parameters
   * Make lease lifetime configurable per cluster
   * Eliminate a redundant conditional block
   * Populate subnet_mask and router options from individual NIC parameters
   * Make lease lifetime configurable per cluster
   * Eliminate a redundant conditional block

+  * Implement handling of "other" network parameters, including a minimal
+    state machine that knows how to renumber and DNAT machines, as well
+    as tear down those DNATs.

 
 

- -- Mitchell Berger <mitchb@mit.edu>  Wed, 16 May 2018 05:37:00 -0400
+ -- Mitchell Berger <mitchb@mit.edu>  Sat, 19 May 2018 18:26:00 -0400

 
 invirt-dhcp (0.0.7) precise; urgency=low
 
 
 invirt-dhcp (0.0.7) precise; urgency=low
 

diff --git a/debian/control b/debian/control
index 93dddfd..9d01f3a 100644 (file)
--- a/debian/control
+++ b/debian/control
@@ -7,5 +7,5 @@ Standards-Version: 3.9.3
 
 Package: invirt-dhcp
 Architecture: all
 
 Package: invirt-dhcp
 Architecture: all

-Depends: ${misc:Depends}, daemon, invirt-database, python-pydhcplib (>= 0.3.2-1), invirt-base
+Depends: ${misc:Depends}, daemon, invirt-database, python-pydhcplib (>= 0.3.2-1), invirt-base, python-netifaces

 Description: Install and enable the DHCP server
 Description: Install and enable the DHCP server

diff --git a/invirt-dhcpserver b/invirt-dhcpserver
index 438d80d..970bc5c 100755 (executable)
--- a/invirt-dhcpserver
+++ b/invirt-dhcpserver
@@ -8,6 +8,10 @@ from pydhcplib.type_ipv4 import ipv4
 from pydhcplib.type_strlist import strlist
 import socket
 import IN
 from pydhcplib.type_strlist import strlist
 import socket
 import IN

+from Queue import Queue
+from threading import Thread
+from subprocess import PIPE, Popen
+import netifaces as ni

 
 import syslog as s
 
 
 import syslog as s
 

@@ -19,14 +23,17 @@ dhcp_options = {'domain_name_server': ','.join(config.dhcp.dns),
                 'ip_address_lease_time': config.dhcp.leasetime if config.dhcp.has_key('leasetime') else 60*60*24}
 
 class DhcpBackend:
                 'ip_address_lease_time': config.dhcp.leasetime if config.dhcp.has_key('leasetime') else 60*60*24}
 
 class DhcpBackend:

-    def __init__(self):
+    def __init__(self, queue):

         database.connect()
         database.connect()

+        self.queue = queue

     def findNIC(self, mac):
         database.clear_cache()
         return database.NIC.query.filter_by(mac_addr=mac).first()
     def find_interface(self, packet):
         chaddr = hwmac(packet.GetHardwareAddress())
         nic = self.findNIC(str(chaddr))
     def findNIC(self, mac):
         database.clear_cache()
         return database.NIC.query.filter_by(mac_addr=mac).first()
     def find_interface(self, packet):
         chaddr = hwmac(packet.GetHardwareAddress())
         nic = self.findNIC(str(chaddr))

+        return self.find_interface_by_nic(nic)
+    def find_interface_by_nic(self, nic):

         if nic is None or nic.ip is None:
             return None
         ipstr = ''.join(reversed(['%02X' % i for i in ipv4(nic.ip.encode("utf-8")).list()]))
         if nic is None or nic.ip is None:
             return None
         ipstr = ''.join(reversed(['%02X' % i for i in ipv4(nic.ip.encode("utf-8")).list()]))

@@ -140,6 +147,94 @@ class DhcpBackend:
         
         if yiaddr!="0.0.0.0" and yiaddr == request :
             s.syslog(s.LOG_INFO,"Ack ip "+str(yiaddr)+" for "+str(chaddr))
         
         if yiaddr!="0.0.0.0" and yiaddr == request :
             s.syslog(s.LOG_INFO,"Ack ip "+str(yiaddr)+" for "+str(chaddr))

+            n = self.findNIC(str(chaddr))
+            intf = self.find_interface_by_nic(n)
+            main_ip = ni.ifaddresses(config.xen.iface)[ni.AF_INET][0]['addr']
+            s.syslog(s.LOG_ERR, "Interface is %s" % (intf))
+            # Don't perform "other" actions if the machine isn't running
+            other_action = n.other_action if n.other_action and intf else ''
+            if other_action == 'renumber' or other_action == 'renumber_dhcp':
+                (n.ip, n.netmask, n.gateway, n.other_ip, n.other_netmask,
+                 n.other_gateway) = (
+                 n.other_ip, n.other_netmask, n.other_gateway, n.ip,
+                 n.netmask, n.gateway)
+                other_action = n.other_action = 'dnat'
+                database.session.add(n)
+                database.session.flush()
+            if other_action == 'dnat':
+                # If the machine was booted in 'dnat' mode, then both
+                # routes were already added by the invirt-database script.
+                # If the machine was already on and has just been set to
+                # 'dnat' mode, we need to add the route for the 'other' IP.
+                # If the machine has just been 'renumbered' by us above,
+                # the IPs will be swapped and only the route for the main
+                # IP needs to be added.  Just try adding both of them, and
+                # arp for whichever of them turns out to be new.
+                for parms in [(n.ip, n.gateway), (n.other_ip, n.other_gateway)]:
+                    try:
+                        p = Popen(['ip', 'route', 'add', parms[0], 'dev', intf, 'src', main_ip, 'metric', '2' if intf.startswith('vif') else '1'], stdout=PIPE, stderr=PIPE)
+                        (out, err) = p.communicate()
+                        if p.returncode == 0:
+                            s.syslog(s.LOG_INFO, "Added route for IP %s to interface %s" % (parms[0], intf))
+                            self.queue.put(parms)
+                        sys.stderr.write(err)
+                        sys.stdout.write(out)
+                    except Exception as e:
+                        s.syslog(s.LOG_ERR, "Could not add route for IP %s: %s" % (parms[0], e))
+                try:
+                    # iptables will let you add the same rule again and again;
+                    # let's not do that.
+                    p = Popen(['iptables', '-t', 'nat', '-C', 'PREROUTING', '-d', n.other_ip, '-j', 'DNAT', '--to-destination', n.ip], stdout=PIPE, stderr=PIPE)
+                    (out, err) = p.communicate()
+                    sys.stderr.write(err)
+                    sys.stdout.write(out)
+                    if p.returncode != 0:
+                        p2 = Popen(['iptables', '-t', 'nat', '-A', 'PREROUTING', '-d', n.other_ip, '-j', 'DNAT', '--to-destination', n.ip], stdout=PIPE, stderr=PIPE)
+                        (out, err) = p2.communicate()
+                        sys.stderr.write(err)
+                        sys.stdout.write(out)
+                        if p2.returncode == 0:
+                            s.syslog(s.LOG_INFO, "Added DNAT for IP %s to %s" % (n.other_ip, n.ip))
+                        else:
+                            s.syslog(s.LOG_ERR, "Could not add DNAT for IP %s to %s" % (n.other_ip, n.ip))
+                except Exception as e:
+                    s.syslog(s.LOG_ERR, "Could not check and/or add DNAT for IP %s to %s: %s" % (n.other_ip, n.ip, e))
+            if other_action == 'remove':
+                try:
+                    p = Popen(['ip', 'route', 'del', n.other_ip, 'dev', intf, 'src', main_ip], stdout=PIPE, stderr=PIPE)
+                    (out, err) = p.communicate()
+                    sys.stderr.write(err)
+                    sys.stderr.write(out)
+                    if p.returncode == 0:
+                        s.syslog(s.LOG_INFO, "Removed route for IP %s" % (n.other_ip))
+                    else:
+                        s.syslog(s.LOG_ERR, "Could not remove route for IP %s" % (n.other_ip))
+                except Exception as e:
+                    s.syslog(s.LOG_ERR, "Could not run ip to remove route for IP %s: %s" % (n.other_ip, e))
+                try:
+                    p = Popen(['iptables', '-t', 'nat', '-D', 'PREROUTING', '-d', n.other_ip, '-j', 'DNAT', '--to-destination', n.ip], stdout=PIPE, stderr=PIPE)
+                    (out, err) = p.communicate()
+                    sys.stderr.write(err)
+                    sys.stdout.write(out)
+                    if p.returncode == 0:
+                        s.syslog(s.LOG_INFO, "Removed DNAT for IP %s" % (n.other_ip))
+                    else:
+                        s.syslog(s.LOG_ERR, "Could not remove DNAT for IP %s" % (n.other_ip))
+                except Exception as e:
+                    s.syslog(s.LOG_ERR, "Could not run iptables to remove DNAT for IP %s: %s" % (n.other_ip, e))
+                n.other_ip = n.other_netmask = n.other_gateway = n.other_action = None
+                database.session.add(n)
+                database.session.flush()
+            # We went through the DISCOVER codepath already to populate some
+            # of the packet's parameters.  If we renumbered the VM just above,
+            # the packet is set to offer them what they asked for - the old
+            # address.  So, we'll send then a DHCPNACK and they'll come right
+            # back and be offered the new address.  The code above won't be
+            # able to add duplicate routes, won't insert a duplicate DNAT,
+            # and won't ARP again because the routes will exist, so this won't
+            # incur much extra work.
+            if request != map(int, n.ip.split('.')):
+                return False

             return True
         else:
             s.syslog(s.LOG_INFO,"Requested ip "+str(request)+" not available for "+str(chaddr))
             return True
         else:
             s.syslog(s.LOG_INFO,"Requested ip "+str(request)+" not available for "+str(chaddr))

@@ -250,6 +345,28 @@ class DhcpServer(pydhcplib.dhcp_network.DhcpServer):
 
         # FIXME : what if false ?
 
 
         # FIXME : what if false ?
 

+class ArpspoofWorker(Thread):
+    def __init__(self, queue):
+        Thread.__init__(self)
+        self.queue = queue
+        self.iface = config.xen.iface
+
+    def run(self):
+        while True:
+            (ip, gw) = self.queue.get()
+            try:
+                p = Popen(['timeout', '5', 'arpspoof', '-i', self.iface, '-t', gw, ip], stdout=PIPE, stderr=PIPE)
+                (out, err) = p.communicate()
+                if p.returncode != 124:
+                    s.syslog(s.LOG_ERR, "arpspoof returned %s for IP %s gateway %s" % (p.returncode, ip, gw))
+                else:
+                    s.syslog(s.LOG_INFO, "aprspoof'd for IP %s gateway %s" % (ip, gw))
+                sys.stderr.write(err)
+                sys.stdout.write(out)
+            except Exception as e:
+                s.syslog(s.LOG_ERR, "Could not run arpspoof for IP %s gateway %s: %s" % (ip, gw, e))
+            self.queue.task_done()
+

 if '__main__' == __name__:
     options = { "server_listen_port":67,
                 "client_listen_port":68,
 if '__main__' == __name__:
     options = { "server_listen_port":67,
                 "client_listen_port":68,

@@ -262,7 +379,14 @@ if '__main__' == __name__:
     
     dhcp_options['server_identifier'] = ipv4(myip).int()
 
     
     dhcp_options['server_identifier'] = ipv4(myip).int()
 

-    backend = DhcpBackend()
+    queue = Queue()
+
+    backend = DhcpBackend(queue)

     server = DhcpServer(backend, options)
 
     server = DhcpServer(backend, options)
 

+    for x in range(2):
+        worker = ArpspoofWorker(queue)
+        worker.daemon = True
+        worker.start()
+

     while True : server.GetNextDhcpPacket()
     while True : server.GetNextDhcpPacket()