#!/bin/sh
# Script to set up one of the nodes as a NAT gateway for all other nodes.
# This is used to ensure that all nodes in the cluster can still originate
# traffic to the external network even if there are no public addresses
# available.
#
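# Locate the CTDB base directory (the parent of the directory holding this
# script) unless the caller already exported CTDB_BASE.  Every expansion is
# quoted so a path containing whitespace is not word-split or globbed.
[ -n "$CTDB_BASE" ] || \
    export CTDB_BASE="$(cd -P "$(dirname "$0")" ; dirname "$PWD")"

# Shared eventscript helpers; the names used below without a local
# definition (loadconfig, die, delete_ip_from_iface, ...) are expected to
# come from here.
. "$CTDB_BASE/functions"

loadconfig

# Nothing to do on a cluster with no NAT gateway group configured.
[ -z "$CTDB_NATGW_NODES" ] && exit 0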
set_natgw_capability ()
{
    # Tell ctdbd whether this node may act as NAT gateway: a node that the
    # configuration marks slave-only withdraws the capability, every other
    # node advertises it.
    case "$CTDB_NATGW_SLAVE_ONLY" in
    yes) ctdb setnatgwstate off ;;
    *)   ctdb setnatgwstate on ;;
    esac
}
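delete_all() {
    # Tear down every NATGW artefact a previous run of this script may have
    # left behind, whether or not this node was the gateway then: the
    # public address on the interface, the metric-10 default route, the
    # MASQUERADE rule and the REJECT rule guarding the NATGW address.
    # Each step is best-effort and silenced because most of them
    # legitimately fail on a node that never held that role.
    # Expansions are quoted so an address or interface name containing
    # unexpected characters is passed as a single argument.
    _ip="${CTDB_NATGW_PUBLIC_IP%/*}"
    _maskbits="${CTDB_NATGW_PUBLIC_IP#*/}"

    [ -z "$CTDB_NATGW_PUBLIC_IFACE" ] || {
        delete_ip_from_iface "$CTDB_NATGW_PUBLIC_IFACE" "$_ip" "$_maskbits" >/dev/null 2>&1
    }

    ip route del 0.0.0.0/0 metric 10 >/dev/null 2>&1

    # Delete the masquerading setup from a previous iteration where we
    # were the NAT-GW
    iptables -D POSTROUTING -t nat \
        -s "$CTDB_NATGW_PRIVATE_NETWORK" ! -d "$CTDB_NATGW_PRIVATE_NETWORK" \
        -j MASQUERADE >/dev/null 2>&1

    # remove any iptables rule we may have on this address
    iptables -D INPUT -p tcp --syn -d "$_ip/32" -j REJECT 2>/dev/null
}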
ensure_natgwmaster ()
{
    # Ask ctdbd which node is the NATGW master and publish the answer in
    # the globals natgwmaster (its pnn) and natgwip (its address).  When
    # no master exists the script stops here: with success for the
    # "recovered" event, which must never fail (the monitor event will
    # report the problem instead), and with failure for any other event.
    _event="$1"

    # Deliberately unquoted: the first two whitespace-separated words of
    # natgwlist's output become "$1" and "$2".  No output at all leaves
    # natgwmaster at the sentinel -1.
    set -- $(ctdb natgwlist)
    natgwmaster="${1:--1}"
    natgwip="$2"

    [ "$natgwmaster" != "-1" ] && return 0

    echo "There is no NATGW master node"
    case "$_event" in
    recovered) exit 0 ;;
    *)         exit 1 ;;
    esac
}
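# Dispatch on the event name that ctdbd passes as the first argument.
case "$1" in
    setup)
        set_natgw_capability
        ;;

    startup)
        # Error if CTDB_NATGW_PUBLIC_IP is listed in public addresses.
        # The address is interpolated into a basic regex, so its dots
        # match any character; the match is therefore slightly looser
        # than an exact string comparison.
        grep -q "^$CTDB_NATGW_PUBLIC_IP[[:space:]]" \
            "${CTDB_PUBLIC_ADDRESSES:-/etc/ctdb/public_addresses}" && \
            die "ERROR: NATGW configured to use a public address. NATGW must not use a public address."

        # do not send out arp requests from loopback addresses
        echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
        ;;

    recovered|updatenatgw|ipreallocated)
        mypnn=$(ctdb pnn | cut -d: -f2)

        set_natgw_capability
        # Sets natgwmaster/natgwip, or exits when there is no master.
        ensure_natgwmaster "$1"

        # Start from a clean slate; the gateway role is re-applied below.
        delete_all

        if [ "$mypnn" = "$natgwmaster" ]; then
            # This is the NAT GW
            echo 1 >/proc/sys/net/ipv4/ip_forward
            iptables -A POSTROUTING -t nat \
                -s "$CTDB_NATGW_PRIVATE_NETWORK" ! -d "$CTDB_NATGW_PRIVATE_NETWORK" \
                -j MASQUERADE

            # block all incoming connections to the natgw address
            # (errors are silenced, so a failed insert leaves the
            # address reachable without any message in the log)
            ctdb_natgw_public_ip_host="${CTDB_NATGW_PUBLIC_IP%/*}/32"
            iptables -D INPUT -p tcp --syn -d "$ctdb_natgw_public_ip_host" -j REJECT 2>/dev/null
            iptables -I INPUT -p tcp --syn -d "$ctdb_natgw_public_ip_host" -j REJECT 2>/dev/null

            ip addr add "$CTDB_NATGW_PUBLIC_IP" dev "$CTDB_NATGW_PUBLIC_IFACE"
            ip route add 0.0.0.0/0 metric 10 via "$CTDB_NATGW_DEFAULT_GATEWAY" >/dev/null 2>&1
        else
            # This is NOT the NAT GW
            ip route add 0.0.0.0/0 via "$natgwip" metric 10

            # Make sure winbindd does not stay bound to this address
            # if we are no longer natgwmaster
            smbcontrol winbindd ip-dropped "$CTDB_NATGW_PUBLIC_IP" >/dev/null 2>&1
        fi

        # flush our route cache
        echo 1 > /proc/sys/net/ipv4/route/flush
        ;;

    shutdown|removenatgw)
        delete_all
        ;;

    monitor)
        set_natgw_capability
        ensure_natgwmaster "$1"
        ;;

    *)
        # Hand every other event to the generic handler with the original
        # argument list ("$@"), not the literal string "@".
        ctdb_standard_event_handler "$@"
        ;;
esac

exit 0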