Xen Dom0: add dnsmasq to xen-bridge.
This commit is contained in:
Thomas Strobel
parent
e149ba4768
commit
8f911263e9
@ -47,15 +47,34 @@ in
|
|||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
virtualisation.xen.bridge =
|
virtualisation.xen.bridge = {
|
||||||
mkOption {
|
name = mkOption {
|
||||||
default = "xenbr0";
|
default = "xenbr0";
|
||||||
description =
|
description = ''
|
||||||
''
|
Name of bridge the Xen domUs connect to.
|
||||||
Create a bridge for the Xen domUs to connect to.
|
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
address = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = "172.16.0.1";
|
||||||
|
description = ''
|
||||||
|
IPv4 address of the bridge.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
prefixLength = mkOption {
|
||||||
|
type = types.addCheck types.int (n: n >= 0 && n <= 32);
|
||||||
|
default = 16;
|
||||||
|
description = ''
|
||||||
|
Subnet mask of the bridge interface, specified as the number of
|
||||||
|
bits in the prefix (<literal>24</literal>).
|
||||||
|
A DHCP server will provide IP addresses for the whole, remaining
|
||||||
|
subnet.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
virtualisation.xen.stored =
|
virtualisation.xen.stored =
|
||||||
mkOption {
|
mkOption {
|
||||||
type = types.path;
|
type = types.path;
|
||||||
@ -261,11 +280,71 @@ in
|
|||||||
description = "Xen bridge";
|
description = "Xen bridge";
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
before = [ "xen-domains.service" ];
|
before = [ "xen-domains.service" ];
|
||||||
serviceConfig.RemainAfterExit = "yes";
|
preStart = ''
|
||||||
serviceConfig.ExecStart = "${pkgs.bridge-utils}/bin/brctl addbr ${cfg.bridge}";
|
mkdir -p /var/run/xen
|
||||||
postStart = "${pkgs.inetutils}/bin/ifconfig ${cfg.bridge} up";
|
touch /var/run/xen/dnsmasq.pid
|
||||||
serviceConfig.ExecStop = "${pkgs.inetutils}/bin/ifconfig ${cfg.bridge} down";
|
touch /var/run/xen/dnsmasq.etherfile
|
||||||
postStop = "${pkgs.bridge-utils}/bin/brctl delbr ${cfg.bridge}";
|
touch /var/run/xen/dnsmasq.leasefile
|
||||||
|
|
||||||
|
IFS='-' read -a data <<< `${pkgs.sipcalc}/bin/sipcalc ${cfg.bridge.address}/${toString cfg.bridge.prefixLength} | grep Usable\ range`
|
||||||
|
export XEN_BRIDGE_IP_RANGE_START="${"\${data[1]//[[:blank:]]/}"}"
|
||||||
|
export XEN_BRIDGE_IP_RANGE_END="${"\${data[2]//[[:blank:]]/}"}"
|
||||||
|
|
||||||
|
IFS='-' read -a data <<< `${pkgs.sipcalc}/bin/sipcalc ${cfg.bridge.address}/${toString cfg.bridge.prefixLength} | grep Network\ address`
|
||||||
|
export XEN_BRIDGE_NETWORK_ADDRESS="${"\${data[1]//[[:blank:]]/}"}"
|
||||||
|
|
||||||
|
echo "${cfg.bridge.address} host gw dns" > /var/run/xen/dnsmasq.hostsfile
|
||||||
|
|
||||||
|
cat <<EOF > /var/run/xen/dnsmasq.conf
|
||||||
|
no-daemon
|
||||||
|
pid-file=/var/run/xen/dnsmasq.pid
|
||||||
|
interface=${cfg.bridge.name}
|
||||||
|
except-interface=lo
|
||||||
|
bind-interfaces
|
||||||
|
auth-server=dns.xen.local,${cfg.bridge.name}
|
||||||
|
auth-zone=xen.local,$XEN_BRIDGE_NETWORK_ADDRESS/${toString cfg.bridge.prefixLength}
|
||||||
|
domain=xen.local
|
||||||
|
addn-hosts=/var/run/xen/dnsmasq.hostsfile
|
||||||
|
expand-hosts
|
||||||
|
strict-order
|
||||||
|
no-hosts
|
||||||
|
bogus-priv
|
||||||
|
no-resolv
|
||||||
|
no-poll
|
||||||
|
filterwin2k
|
||||||
|
clear-on-reload
|
||||||
|
domain-needed
|
||||||
|
dhcp-hostsfile=/var/run/xen/dnsmasq.etherfile
|
||||||
|
dhcp-authoritative
|
||||||
|
dhcp-range=$XEN_BRIDGE_IP_RANGE_START,$XEN_BRIDGE_IP_RANGE_END,$XEN_BRIDGE_NETWORK_ADDRESS
|
||||||
|
dhcp-no-override
|
||||||
|
no-ping
|
||||||
|
dhcp-leasefile=/var/run/xen/dnsmasq.leasefile
|
||||||
|
EOF
|
||||||
|
|
||||||
|
# DHCP
|
||||||
|
${pkgs.iptables}/bin/iptables -I INPUT -i ${cfg.bridge.name} -p tcp -s $XEN_BRIDGE_NETWORK_ADDRESS/${toString cfg.bridge.prefixLength} --sport 68 --dport 67 -j ACCEPT
|
||||||
|
${pkgs.iptables}/bin/iptables -I INPUT -i ${cfg.bridge.name} -p udp -s $XEN_BRIDGE_NETWORK_ADDRESS/${toString cfg.bridge.prefixLength} --sport 68 --dport 67 -j ACCEPT
|
||||||
|
# DNS
|
||||||
|
${pkgs.iptables}/bin/iptables -I INPUT -i ${cfg.bridge.name} -p tcp -d ${cfg.bridge.address} --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
|
||||||
|
${pkgs.iptables}/bin/iptables -I INPUT -i ${cfg.bridge.name} -p udp -d ${cfg.bridge.address} --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
|
||||||
|
|
||||||
|
${pkgs.bridge-utils}/bin/brctl addbr ${cfg.bridge.name}
|
||||||
|
${pkgs.inetutils}/bin/ifconfig ${cfg.bridge.name} ${cfg.bridge.address}
|
||||||
|
${pkgs.inetutils}/bin/ifconfig ${cfg.bridge.name} up
|
||||||
|
'';
|
||||||
|
serviceConfig.ExecStart = "${pkgs.dnsmasq}/bin/dnsmasq --conf-file=/var/run/xen/dnsmasq.conf";
|
||||||
|
postStop = ''
|
||||||
|
${pkgs.inetutils}/bin/ifconfig ${cfg.bridge.name} down
|
||||||
|
${pkgs.bridge-utils}/bin/brctl delbr ${cfg.bridge.name}
|
||||||
|
|
||||||
|
# DNS
|
||||||
|
${pkgs.iptables}/bin/iptables -D INPUT -i ${cfg.bridge.name} -p udp -d ${cfg.bridge.address} --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
|
||||||
|
${pkgs.iptables}/bin/iptables -D INPUT -i ${cfg.bridge.name} -p tcp -d ${cfg.bridge.address} --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
|
||||||
|
# DHCP
|
||||||
|
${pkgs.iptables}/bin/iptables -D INPUT -i ${cfg.bridge.name} -p udp --sport 68 --dport 67 -j ACCEPT
|
||||||
|
${pkgs.iptables}/bin/iptables -D INPUT -i ${cfg.bridge.name} -p tcp --sport 68 --dport 67 -j ACCEPT
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user