32 lines
1.2 KiB
Bash
Executable File
32 lines
1.2 KiB
Bash
Executable File
#!/bin/bash
|
|
#
|
|
# Idempotently build an IPTables chain which will filter to only permitted MAC
|
|
# addresses, on incoming BOOTP requests on the control plane interface.
|
|
|
|
set -eux
|
|
|
|
INTERFACE=br-ctlplane
|
|
. /root/stackrc
|
|
MACS=$(for node in $(nova baremetal-node-list | grep -v '+\|ID' | awk ' { print $2 } '); do nova baremetal-interface-list $node | awk '/:/ { print $8}' ; done)
|
|
|
|
# In case this script crashed earlier, flush, unlink and delete the temp chain.
|
|
iptables -F FILTERBOOTPSNEW || true
|
|
iptables -D INPUT -i $INTERFACE -p udp --dport 67 -j FILTERBOOTPSNEW || true
|
|
iptables -X FILTERBOOTPSNEW || true
|
|
iptables -N FILTERBOOTPSNEW
|
|
# Build the chain we want.
|
|
for MAC in $MACS; do
|
|
iptables -A FILTERBOOTPSNEW -m mac --mac-source $MAC -j ACCEPT
|
|
done
|
|
# Drop rather than reject as this is a broadcast protocol: we'd just be
|
|
# creating noise on the network.
|
|
iptables -A FILTERBOOTPSNEW -j DROP
|
|
# Link it in.
|
|
iptables -I INPUT -i $INTERFACE -p udp --dport 67 -j FILTERBOOTPSNEW
|
|
# Delete the old chain if present.
|
|
iptables -F FILTERBOOTPS || true
|
|
iptables -D INPUT -i $INTERFACE -p udp --dport 67 -j FILTERBOOTPS || true
|
|
iptables -X FILTERBOOTPS || true
|
|
# Rename the new chain into permanence.
|
|
iptables -E FILTERBOOTPSNEW FILTERBOOTPS
|