ebtables for EC2-like metadata server on 169.254.169.254 AND bridge

May. 20th, 2017 09:32 pm
robbat2: (Default)
<>Playing with the concepts around Cloud metadata services, specifically those that are network-based, rather than the ConfigDrive or serial port variants.

EC2 ensures that 169.254.169.254 is magically provide your instance with your data, and it won't be accessible to another instance. This is trivial to achieve if your instances are using routed or tap network; but is more complex if you are on a bridged network: the client will try to send the packets for 169.254.169.254 to the MAC of the default gateway.

So far I can force bridged packets that would otherwise be headed for the gateway to be routed locally (and put 169.254.169.254/32 locally on the host). I don't have a good way to associate the packets with a specific instance yet. Using kernel packet marks work, but isn't really scalable. Main requirement is that a simple web service should be able to uniquely identify the client, even if they try to spoof themselves (learn mac+IP of another instance on the same hypervisor & bridge, and ask for it's metadata from the wrong interface)

Variant 1

  ebtables -t nat -N metadata || ebtables -t nat -F metadata
for i in $(seq 0 20) ; do
   ebtables -t nat -A metadata -i vnet$i -j mark --mark-set $((256+$i)) --mark-target CONTINUE
done
ebtables -t broute -A metadata --limit 10/minute --limit-burst 2 --log --log-level debug --log-prefix "ebtables metadata" --log-ip
ebtables -t nat -A metadata -j redirect
ebtables -t nat -F PREROUTING
ebtables -t nat -A PREROUTING -p IPv4 --logical-in br0 --ip-src 169.254.169.254 -j metadata
ebtables -t nat -A PREROUTING -p IPv4 --logical-in br0 --ip-dst 169.254.169.254 -j metadata

Variant 2

ebtables -t broute -N metadata || ebtables -t broute -F metadata
ebtables -t broute -F BROUTING
ebtables -t broute -A BROUTING -p IPv4 --ip-src 169.254.169.254 -j metadata
ebtables -t broute -A BROUTING -p IPv4 --ip-dst 169.254.169.254 -j metadata
ebtables -t broute -A metadata --limit 10/minute --limit-burst 2 --log --log-level debug --log-prefix "ebtables metadata" --log-ip
# Repeat the marks if you want them.
ebtables -t broute -A metadata -j redirect
Tags:

Useful and complex /etc/conf.d/net setups (In support of USE=oldnet)

Oct. 17th, 2009 02:53 am
robbat2: (Default)

I've been prodding at the concept of the new network script in OpenRC-0.5, and I'm at a loss to try and see why Roy has decided to toss the old network config system away. The new system doesn't have a lot of capabilities, and most significantly totally loses the ability to restart a single interface without affecting the rest of the system. If it's just for a rewrite, then I'm not too worried, but unless all the functionality is still there, I'm worried we are going to move backwards with it.

At the same time, I don't think many people are aware of how powerful the "old" network configuration mechanism is. The net.examples file is only the start, once you start mixing in the pre/post calls, there's a lot of power. It's capable of some feats that I don't see used even in certain parts of the Gentoo documentation[1]. I've put together some of my gems of conf.d/net, and if you have some, I'd love to hear them. Leave a comment or email me the scripts, along with a description.

Configurations available
  • Easy to maintain HE.net (Hurricane Electric) IPv6 tunnels - Download
  • Running two ISPs at home (basic multi-homing) - Download
  • "Enterprise" multi-homing setup, with 4 paths to the Internet - Download
Hosting

I've also started a bit of storage in my Gentoo webspace for these collected works of network configuration, with a bit more documentation.

Notes
  1. The Gentoo docs have this for IPv6: Gentoo IPv6 Router Guide, Tunnel Configuration. You could bring it up manually, or you could just take the IPv6 config above and use it straight with your variables filled in. Volunteers welcome to help merge that config into the Gentoo IPv6 documentation.
Tags:

Dear Lazyweb: Linksys SRW2016/2024 VLAN functionality

Aug. 12th, 2008 11:24 pm
robbat2: (Default)

Dear Lazyweb,
To avoid a repeat of my previous snafu with a Dell PowerConnect 2716 - in which I found that the VLAN functionality didn't work properly with broadcast packets (esp DHCP requests) to my cable modem.

Specifically, I'd love to replace my need for having a separate switch for my external segment vs. my internal segment, with a single switch and two/three VLANs. I tried to do it with the Dell switch, but found disastrously that it just didn't pass the broadcast packets at all :-(. On the plus side, the Dell switch did get me the jumbo frames that I wanted.

So, does anybody have a Linksys SRW2016 or SRW2024 and can report on how well they work with DHCP packets over VLAN-segregated networks?

  • Current Music: Magic System - Ki Dit MiĆ©
Tags:

Profile

robbat2: (Default)
robbat2
Orbis-Terrarum Networks: Robbat2 resume

May 2017

S M T W T F S
 123456
78910111213
141516171819 20
21222324252627
28293031   

Syndicate

RSS Atom

Most Popular Tags

Page Summary

Style Credit

Expand Cut Tags

No cut tags