From: Mitchell E Berger Date: Sat, 19 May 2018 22:27:41 +0000 (-0400) Subject: Implement handling of "other" network params, including a minimal state X-Git-Tag: 0.0.8~3 X-Git-Url: http://xvm.mit.edu/gitweb/invirt/packages/invirt-dhcp.git/commitdiff_plain/ba2cb07eb4c0243081e02f502b1dd2863fb33094?ds=inline Implement handling of "other" network params, including a minimal state machine that knows how to renumber and DNAT VMs as well as tear down those DNATs. --- diff --git a/debian/changelog b/debian/changelog index 3e53c21..9acc35e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -3,8 +3,11 @@ invirt-dhcp (0.0.8) precise; urgency=low * Populate subnet_mask and router options from individual NIC parameters * Make lease lifetime configurable per cluster * Eliminate a redundant conditional block + * Implement handling of "other" network parameters, including a minimal + state machine that knows how to renumber and DNAT machines, as well + as tear down those DNATs. - -- Mitchell Berger Wed, 16 May 2018 05:37:00 -0400 + -- Mitchell Berger Sat, 19 May 2018 18:26:00 -0400 invirt-dhcp (0.0.7) precise; urgency=low diff --git a/debian/control b/debian/control index 93dddfd..9d01f3a 100644 --- a/debian/control +++ b/debian/control @@ -7,5 +7,5 @@ Standards-Version: 3.9.3 Package: invirt-dhcp Architecture: all -Depends: ${misc:Depends}, daemon, invirt-database, python-pydhcplib (>= 0.3.2-1), invirt-base +Depends: ${misc:Depends}, daemon, invirt-database, python-pydhcplib (>= 0.3.2-1), invirt-base, python-netifaces Description: Install and enable the DHCP server diff --git a/invirt-dhcpserver b/invirt-dhcpserver index 438d80d..970bc5c 100755 --- a/invirt-dhcpserver +++ b/invirt-dhcpserver @@ -8,6 +8,10 @@ from pydhcplib.type_ipv4 import ipv4 from pydhcplib.type_strlist import strlist import socket import IN +from Queue import Queue +from threading import Thread +from subprocess import PIPE, Popen +import netifaces as ni import syslog as s @@ -19,14 +23,17 @@ dhcp_options = {'domain_name_server': ','.join(config.dhcp.dns), 'ip_address_lease_time': config.dhcp.leasetime if config.dhcp.has_key('leasetime') else 60*60*24} class DhcpBackend: - def __init__(self): + def __init__(self, queue): database.connect() + self.queue = queue def findNIC(self, mac): database.clear_cache() return database.NIC.query.filter_by(mac_addr=mac).first() def find_interface(self, packet): chaddr = hwmac(packet.GetHardwareAddress()) nic = self.findNIC(str(chaddr)) + return self.find_interface_by_nic(nic) + def find_interface_by_nic(self, nic): if nic is None or nic.ip is None: return None ipstr = ''.join(reversed(['%02X' % i for i in ipv4(nic.ip.encode("utf-8")).list()])) @@ -140,6 +147,94 @@ class DhcpBackend: if yiaddr!="0.0.0.0" and yiaddr == request : s.syslog(s.LOG_INFO,"Ack ip "+str(yiaddr)+" for "+str(chaddr)) + n = self.findNIC(str(chaddr)) + intf = self.find_interface_by_nic(n) + main_ip = ni.ifaddresses(config.xen.iface)[ni.AF_INET][0]['addr'] + s.syslog(s.LOG_ERR, "Interface is %s" % (intf)) + # Don't perform "other" actions if the machine isn't running + other_action = n.other_action if n.other_action and intf else '' + if other_action == 'renumber' or other_action == 'renumber_dhcp': + (n.ip, n.netmask, n.gateway, n.other_ip, n.other_netmask, + n.other_gateway) = ( + n.other_ip, n.other_netmask, n.other_gateway, n.ip, + n.netmask, n.gateway) + other_action = n.other_action = 'dnat' + database.session.add(n) + database.session.flush() + if other_action == 'dnat': + # If the machine was booted in 'dnat' mode, then both + # routes were already added by the invirt-database script. + # If the machine was already on and has just been set to + # 'dnat' mode, we need to add the route for the 'other' IP. + # If the machine has just been 'renumbered' by us above, + # the IPs will be swapped and only the route for the main + # IP needs to be added. Just try adding both of them, and + # arp for whichever of them turns out to be new. + for parms in [(n.ip, n.gateway), (n.other_ip, n.other_gateway)]: + try: + p = Popen(['ip', 'route', 'add', parms[0], 'dev', intf, 'src', main_ip, 'metric', '2' if intf.startswith('vif') else '1'], stdout=PIPE, stderr=PIPE) + (out, err) = p.communicate() + if p.returncode == 0: + s.syslog(s.LOG_INFO, "Added route for IP %s to interface %s" % (parms[0], intf)) + self.queue.put(parms) + sys.stderr.write(err) + sys.stdout.write(out) + except Exception as e: + s.syslog(s.LOG_ERR, "Could not add route for IP %s: %s" % (parms[0], e)) + try: + # iptables will let you add the same rule again and again; + # let's not do that. + p = Popen(['iptables', '-t', 'nat', '-C', 'PREROUTING', '-d', n.other_ip, '-j', 'DNAT', '--to-destination', n.ip], stdout=PIPE, stderr=PIPE) + (out, err) = p.communicate() + sys.stderr.write(err) + sys.stdout.write(out) + if p.returncode != 0: + p2 = Popen(['iptables', '-t', 'nat', '-A', 'PREROUTING', '-d', n.other_ip, '-j', 'DNAT', '--to-destination', n.ip], stdout=PIPE, stderr=PIPE) + (out, err) = p2.communicate() + sys.stderr.write(err) + sys.stdout.write(out) + if p2.returncode == 0: + s.syslog(s.LOG_INFO, "Added DNAT for IP %s to %s" % (n.other_ip, n.ip)) + else: + s.syslog(s.LOG_ERR, "Could not add DNAT for IP %s to %s" % (n.other_ip, n.ip)) + except Exception as e: + s.syslog(s.LOG_ERR, "Could not check and/or add DNAT for IP %s to %s: %s" % (n.other_ip, n.ip, e)) + if other_action == 'remove': + try: + p = Popen(['ip', 'route', 'del', n.other_ip, 'dev', intf, 'src', main_ip], stdout=PIPE, stderr=PIPE) + (out, err) = p.communicate() + sys.stderr.write(err) + sys.stderr.write(out) + if p.returncode == 0: + s.syslog(s.LOG_INFO, "Removed route for IP %s" % (n.other_ip)) + else: + s.syslog(s.LOG_ERR, "Could not remove route for IP %s" % (n.other_ip)) + except Exception as e: + s.syslog(s.LOG_ERR, "Could not run ip to remove route for IP %s: %s" % (n.other_ip, e)) + try: + p = Popen(['iptables', '-t', 'nat', '-D', 'PREROUTING', '-d', n.other_ip, '-j', 'DNAT', '--to-destination', n.ip], stdout=PIPE, stderr=PIPE) + (out, err) = p.communicate() + sys.stderr.write(err) + sys.stdout.write(out) + if p.returncode == 0: + s.syslog(s.LOG_INFO, "Removed DNAT for IP %s" % (n.other_ip)) + else: + s.syslog(s.LOG_ERR, "Could not remove DNAT for IP %s" % (n.other_ip)) + except Exception as e: + s.syslog(s.LOG_ERR, "Could not run iptables to remove DNAT for IP %s: %s" % (n.other_ip, e)) + n.other_ip = n.other_netmask = n.other_gateway = n.other_action = None + database.session.add(n) + database.session.flush() + # We went through the DISCOVER codepath already to populate some + # of the packet's parameters. If we renumbered the VM just above, + # the packet is set to offer them what they asked for - the old + # address. So, we'll send then a DHCPNACK and they'll come right + # back and be offered the new address. The code above won't be + # able to add duplicate routes, won't insert a duplicate DNAT, + # and won't ARP again because the routes will exist, so this won't + # incur much extra work. + if request != map(int, n.ip.split('.')): + return False return True else: s.syslog(s.LOG_INFO,"Requested ip "+str(request)+" not available for "+str(chaddr)) @@ -250,6 +345,28 @@ class DhcpServer(pydhcplib.dhcp_network.DhcpServer): # FIXME : what if false ? +class ArpspoofWorker(Thread): + def __init__(self, queue): + Thread.__init__(self) + self.queue = queue + self.iface = config.xen.iface + + def run(self): + while True: + (ip, gw) = self.queue.get() + try: + p = Popen(['timeout', '5', 'arpspoof', '-i', self.iface, '-t', gw, ip], stdout=PIPE, stderr=PIPE) + (out, err) = p.communicate() + if p.returncode != 124: + s.syslog(s.LOG_ERR, "arpspoof returned %s for IP %s gateway %s" % (p.returncode, ip, gw)) + else: + s.syslog(s.LOG_INFO, "aprspoof'd for IP %s gateway %s" % (ip, gw)) + sys.stderr.write(err) + sys.stdout.write(out) + except Exception as e: + s.syslog(s.LOG_ERR, "Could not run arpspoof for IP %s gateway %s: %s" % (ip, gw, e)) + self.queue.task_done() + if '__main__' == __name__: options = { "server_listen_port":67, "client_listen_port":68, @@ -262,7 +379,14 @@ if '__main__' == __name__: dhcp_options['server_identifier'] = ipv4(myip).int() - backend = DhcpBackend() + queue = Queue() + + backend = DhcpBackend(queue) server = DhcpServer(backend, options) + for x in range(2): + worker = ArpspoofWorker(queue) + worker.daemon = True + worker.start() + while True : server.GetNextDhcpPacket()