This change makes it possible to use a macvtap interface as a standard interface (green0). This is required by libvirt, because libvirt adds macvtap interfaces to the physical interface, but this causes a problem: a VM with this configuration can communicate with the whole network, but not with the host (IPFire). To solve this problem, the host interface must also be a macvtap interface. This is achieved by:

1. In /var/ipfire/ethernet/settings the mode of an interface can be set with GREEN_MODE=... When the mode is macvtap, the physical interface is renamed to green0phys instead of green0. If the mode is not set, the normal configuration is applied.

2. The network-hotplug-macvtap script checks if a physical NIC ends with "phys". When the interface ends with "phys", the script adds a macvtap interface to the physical NIC which is named green0. The MAC address of this interface is set to the MAC address of the physical NIC. The MAC address of the physical NIC is set to a random value. We do this because the MAC address of green0 should not change. All services and IP addresses then bind to the macvtap interface; the physical NIC is not used.

PS.: The script also works with the orange or blue interface, just replace green with orange or blue.
Signed-off-by: Jonatan Schlag jonatan.schlag@ipfire.org
---
 config/rootfiles/common/udev        |  1 +
 config/udev/60-net.rules            |  3 +++
 config/udev/network-hotplug-macvtap | 46 +++++++++++++++++++++++++++++++++++++
 config/udev/network-hotplug-rename  | 11 +++++++--
 lfs/udev                            |  2 ++
 5 files changed, 61 insertions(+), 2 deletions(-)
 create mode 100644 config/udev/network-hotplug-macvtap
diff --git a/config/rootfiles/common/udev b/config/rootfiles/common/udev index 4d51954..e1f4bd5 100644 --- a/config/rootfiles/common/udev +++ b/config/rootfiles/common/udev @@ -28,6 +28,7 @@ lib/udev #lib/udev/hwdb.d/60-keyboard.hwdb #lib/udev/init-net-rules.sh #lib/udev/mtd_probe +#lib/udev/network-hotplug-macvtap #lib/udev/network-hotplug-rename #lib/udev/network-hotplug-vlan #lib/udev/rule_generator.functions diff --git a/config/udev/60-net.rules b/config/udev/60-net.rules index e82320c..e031e7a 100644 --- a/config/udev/60-net.rules +++ b/config/udev/60-net.rules @@ -5,3 +5,6 @@ ACTION=="add", SUBSYSTEM=="net", PROGRAM="/lib/udev/network-hotplug-rename", RES # Call a script that will create all virtual devices for a parent device # that has just come up. ACTION=="add", SUBSYSTEM=="net", RUN+="/lib/udev/network-hotplug-vlan" + +# Call a script that will set up macvtap interfaces +ACTION=="add", SUBSYSTEM=="net", RUN+="/lib/udev/network-hotplug-macvtap" diff --git a/config/udev/network-hotplug-macvtap b/config/udev/network-hotplug-macvtap new file mode 100644 index 0000000..7f5da12 --- /dev/null +++ b/config/udev/network-hotplug-macvtap 
@@ -0,0 +1,46 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 2 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2016 IPFire Team info@ipfire.org # +# # +############################################################################ + +[ -n "${INTERFACE}" ] || exit 2 + +PHYSICAL_INTERFACE="${INTERFACE}" +VIRTUAL_INTERFACE="${INTERFACE%phys}" +#VIRTUAL_INTERFACE="${VIRTUAL_INTERFACE}0" + +# Do nothing if the physical interface does not end with "phys" +case "${PHYSICAL_INTERFACE}" in + *phys) + ;; + *) + exit 0 + ;; +esac + +ADDRESS="$(</sys/class/net/${PHYSICAL_INTERFACE}/address)" +rand="$(</proc/sys/kernel/random/uuid)" +rand="${rand//-/}" +GENERATED_ADDRESS=$(echo "02:${rand:0:2}:${rand:2:2}:${rand:4:2}:${rand:6:2}:${rand:8:2}") + +ip link add link "${PHYSICAL_INTERFACE}" "${VIRTUAL_INTERFACE}" address "${ADDRESS}" type macvlan mode bridge +ip link set "${PHYSICAL_INTERFACE}" address "${GENERATED_ADDRESS}" +ip link set "${PHYSICAL_INTERFACE}" up diff --git a/config/udev/network-hotplug-rename b/config/udev/network-hotplug-rename index 331b788..aaae641 100644 --- a/config/udev/network-hotplug-rename +++ b/config/udev/network-hotplug-rename 
@@ -57,16 +57,23 @@ ADDRESS="$(</sys/class/net/${INTERFACE}/address)" for zone in ${ZONES}; do address="${zone}_MACADDR" device="${zone}_DEV" + mode="${zone}_MODE"
# Skip if address or device is unset [ -n "${!address}" -a -n "${!device}" ] || continue
+ # Compare MAC addresses + [ "${ADDRESS}" = "${!address}" ] || continue + # If a matching interface has been found we will # print the name to which udev will rename it. - if [ "${ADDRESS}" = "${!address}" ]; then + if [ "${!mode}" = "macvtap" ]; then + echo "${!device}phys" + else echo "${!device}" - exit 0 fi + + exit 0 done
# If we get here we have not found a matching device, diff --git a/lfs/udev b/lfs/udev index 7d5bdbc..61bd337 100644 --- a/lfs/udev +++ b/lfs/udev @@ -109,6 +109,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) /lib/udev/network-hotplug-rename install -v -m 755 $(DIR_SRC)/config/udev/network-hotplug-vlan \ /lib/udev/network-hotplug-vlan + install -v -m 755 $(DIR_SRC)/config/udev/network-hotplug-macvtap \ + /lib/udev/network-hotplug-macvtap install -v -m 644 $(DIR_SRC)/config/udev/60-net.rules \ /lib/udev/rules.d
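Review bot: In the config/udev/network-hotplug-macvtap hunk, the return value of `ip link add link "${PHYSICAL_INTERFACE}" "${VIRTUAL_INTERFACE}" ...` is never checked, so if creating the virtual device fails (for example because a device of that name already exists when the add event is replayed), the script still goes on to overwrite the physical NIC's MAC address with the generated one and the zone ends up with neither a usable green0 nor its original MAC. Append `|| exit 1` to the `ip link add` line before the two `ip link set` calls. Two smaller points in the same hunk: the link is created with `type macvlan mode bridge`, while the file name, the settings value `macvtap` and the commit message all say macvtap; either name the setting after the link type that is actually created or add a comment explaining that a macvlan in bridge mode on the host side is what allows traffic to the guests' macvtap devices on the same parent. Also, `GENERATED_ADDRESS=$(echo "02:...")` can be a plain assignment `GENERATED_ADDRESS="02:${rand:0:2}:..."`, and the commented-out `#VIRTUAL_INTERFACE="${VIRTUAL_INTERFACE}0"` line is dead code and should be dropped.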
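Review bot: In the config/udev/network-hotplug-rename hunk, the new `if [ "${!mode}" = "macvtap" ]` branch silently treats any value other than the literal `macvtap` (including a typo such as `macvlan` or `macvtap ` with trailing whitespace) as "no mode", so the interface is renamed to the plain zone name and the macvtap script never fires, with no diagnostic. Consider a `case "${!mode}" in macvtap) ...;; "") ...;; *) log an unknown-mode message;; esac` so a misconfigured `${zone}_MODE` is visible in the logs. The restructuring of the MAC comparison into an early `continue` is behaviour-preserving and reads better than the previous nested `if`.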
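Review bot: In the config/udev/60-net.rules hunk, the new `RUN+="/lib/udev/network-hotplug-macvtap"` rule fires for every net "add" event, including the green0 device that the script itself creates and the macvtap devices libvirt adds for guests; that is safe only because the script exits early for names not ending in "phys", and the rule comment should say so (for example "only acts on interfaces renamed to <zone>phys by network-hotplug-rename") so that nobody later renames the script's trigger without noticing the dependency between the two scripts.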