From: Ian Jackson Date: Wed, 27 Sep 2006 14:28:41 +0000 (+0100) Subject: Scripts from /etc X-Git-Tag: converted-from-bzr~64^2~14 X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=commitdiff_plain;h=2202ee6fc0c035abb1ea2337b7957e4a683252fd;p=autopkgtest.git Scripts from /etc
---
diff --git a/etc--default--adt-xen b/etc--default--adt-xen
new file mode 100644
index 0000000..393185d
--- /dev/null
+++ b/etc--default--adt-xen
@@ -0,0 +1,4 @@
+LOCAL_MIRROR_IPS='172.18.45.6'
+LOCAL_CLIENT_IPS='172.18.45.97 172.18.45.6'
+LOCAL_NETWORKS='192.168.0.0/24 172.16.0.0/12 10.0.0.0/8'
+ALLOW_GLOBAL_HTTP=y
\ No newline at end of file
diff --git a/etc--init.d--adt-xen b/etc--init.d--adt-xen
new file mode 100755
index 0000000..eb040a5
--- /dev/null
+++ b/etc--init.d--adt-xen
@@ -0,0 +1,122 @@
+#!/bin/sh
+
+set -e
+
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+
+default=/etc/default/adt-xen
+if test -f $default; then
+ . $default
+fi
+
+chains='AdtXenIn AdtXenFwd AdtXenIcmp'
+
+if ! type iptables >/dev/null 2>&1 || ! type xm >/dev/null 2>&1; then
+ exit 0
+fi
+
+safety () {
+ iptables -I INPUT -j DROP
+ iptables -I FORWARD -j DROP
+ trap '
+ for chain in $chains; do iptables -I $chain -j DROP; done
+ unsafety
+ exit 127
+ ' 0
+}
+
+unsafety () {
+ iptables -D INPUT -j DROP
+ iptables -D FORWARD -j DROP
+ trap '' 0
+}
+
+case "$1" in
+stop)
+ safety
+ for chain in $chains; do
+ if iptables -L $chain >/dev/null 2>&1; then
+ iptables -F $chain
+ iptables -X $chain
+ fi
+ done
+ unsafety
+ exit 0
+ ;;
+start|restart|force-reload)
+ ;;
+'')
+ echo >&2 "usage: /etc/init.d/adt-xen stop|start|restart|force-reload"
+ exit 1
+ ;;
+*)
+ echo >&2 "init.d/adt-xen unsupported action $1"
+ exit 1
+ ;;
+esac
+
+safety
+for chain in $chains; do
+ iptables -N $chain >/dev/null 2>&1 || iptables -F $chain
+ iptables -I $chain -j DROP
+done
+unsafety
+
+iptables -A AdtXenIcmp -j ACCEPT -p icmp --icmp-type echo-request
+# per RFC1122, allow ICMP echo exchanges with anyone we can talk to at all
+
+for oktype in \
+ echo-reply \
+ destination-unreachable source-quench \
+ time-exceeded parameter-problem \
+;do
+ iptables -A AdtXenIcmp -j ACCEPT -m conntrack --ctstate ESTABLISHED \
+ -p icmp --icmp-type $oktype
+done
+
+main=AdtXenFwd
+
+for i in $LOCAL_MIRROR_IPS; do
+ iptables -A $main -d $i -j ACCEPT -p tcp --dport 80
+ iptables -A $main -d $i -j AdtXenIcmp -p icmp
+done
+
+exec /proc/sys/net/ipv4/conf/eth0/proxy_arp
diff --git a/vif-route-adt b/vif-route-adt
new file mode 100755
index 0000000..41ec6a0
--- /dev/null
+++ b/vif-route-adt
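Review bot: The EXIT trap installed by `safety` runs `iptables -I $chain -j DROP` for every chain while `set -e` is still in force, so if one of those chains does not exist at that moment (a first `start` that fails before all three are created, or a `stop` that fails after one was already deleted with `-X`) the handler itself aborts before it reaches `unsafety`. The blanket `DROP` rules at the top of INPUT and FORWARD then stay in place and the script does not return 127, which fails closed but cuts dom0 off from the network, including remote administration. Making the per-chain step best-effort, `for chain in $chains; do iptables -I $chain -j DROP || :; done`, lets the handler always reach `unsafety`; a chain that does not exist cannot be the target of a jump, so nothing is opened by skipping it. The visible text of this hunk stops at the `exec /proc/sys/net/ipv4/conf/eth0/proxy_arp` line with fewer lines than the 122 the header declares, so the remainder of the script is not covered by this note.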
@@ -0,0 +1,66 @@
+#!/bin/bash -e
+#============================================================================
+# /etc/xen/vif-route
+#
+# Script for configuring a vif in routed mode.
+# The hotplugging system will call this script if it is specified either in
+# the device configuration given to Xend, or the default Xend configuration
+# in /etc/xen/xend-config.sxp. If the script is specified in neither of those
+# places, then vif-bridge is the default.
+#
+# Usage:
+# vif-route (add|remove|online|offline)
+#
+# Environment vars:
+# vif vif interface name (required).
+# XENBUS_PATH path to this device's details in the XenStore (required).
+#
+# Read from the store:
+# ip list of IP networks for the vif, space-separated (default given in
+# this script).
+#============================================================================
+
+exec 2>>/var/log/xen-hotplug.log
+set -x
+case $0 in */*) dir=${0%/*};; *) dir=.;; esac
+. "$dir/vif-common.sh"
+
+main_ip=$(dom0_ip)
+
+case "$command" in
+ online)
+ ifconfig ${vif} ${main_ip} netmask 255.255.255.255 \
+ broadcast ${main_ip} up
+ ip -f inet6 addr delete dev ${vif} local fe80::fcff:ffff:feff:ffff/64
+ ip -f inet neigh add \
+ to 172.18.45.66 \
+ dev ${vif} \
+ lladdr 00:16:3e:7c:aa:7f \
+ nud permanent
+ arp -i ${vif} -s 172.18.45.66 00:16:3e:7c:aa:7f pub
+ ipcmd='a'
+ iptcmd='-A'
+ ;;
+ offline)
+ ifdown ${vif}
+ ipcmd='d'
+ iptcmd='-D'
+ ;;
+esac
+
+iptables "$iptcmd" INPUT -i "$vif" -j AdtXenIn
+iptables "$iptcmd" FORWARD -i "$vif" -j AdtXenFwd
+
+if [ "${ip}" ] ; then
+ # If we've been given a list of IP addresses, then add routes from dom0 to
+ # the guest using those addresses.
+ for addr in ${ip} ; do
+ ip r ${ipcmd} ${addr} dev ${vif} src ${main_ip}
+ done
+fi
+
+#S log debug "Successful vif-route $command for $vif."
+if [ "$command" == "online" ]
+then
+ success
+fi
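Review bot: In the `online)` arm the vif is brought up with `ifconfig ... up` and given its neighbour entries before the `iptables "$iptcmd"` jumps to `AdtXenIn` and `AdtXenFwd` are appended further down, and the script runs with `-e`, so a failure of `ip -f inet6 addr delete` or `ip -f inet neigh add` exits with the interface up and no jump rule for it. Whether guest traffic then passes depends on the INPUT/FORWARD policy and the other rules on the host, which this page does not show, but the isolation should not rest on that. I would attach the jumps first inside `online)`, `iptables -A INPUT -i "$vif" -j AdtXenIn` and `iptables -A FORWARD -i "$vif" -j AdtXenFwd` ahead of `ifconfig`, and keep the bottom pair for `offline` only. The `-e` in the shebang is also lost if the hotplug layer ever starts the script as `bash vif-route-adt`; a `set -e` line in the body makes the abort-on-error behaviour independent of how it is invoked.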