NAT-GW updates. Describe the functionality in the sysconfig file

(This used to be ctdb commit 4c598ab6f8e9b826d437b9ab869c4490f7c4faba)

ctdb/config/ctdb.sysconfig

@@ -128,6 +128,43 @@
 # CTDB_CAPABILITY_RECMASTER=yes
 # CTDB_CAPABILITY_LMASTER=yes
 
+# NAT-GW configuration
+# Some services running on nthe CTDB node may need to originate traffic to
+# remote servers before the node is assigned any IP addresses,
+# This is problematic since before the node has public addresses the node might
+# not be able to route traffic to the public networks.
+# One solution is to have static public addresses assigned with routing
+# in addition to the public address interfaces, thus guaranteeing that
+# a node always can route traffic to the external network.
+# This is the most simple solution but it uses up a large number of 
+# additional ip addresses.
+#
+# A more complex solution is NAT-GW.
+# In this mode we only need one additional ip address for the cluster from
+# the exsternal public network.
+# One of the nodes in the cluster is elected to be hosting this ip address
+# so it can reach the external services. This node is also configured
+# to use NAT MASQUERADING for all traffic from the internal private network
+# to the external network. This node is the NAT-GW node.
+#
+# All other nodes are set up with policy routing so that all traffic with
+# a source address of the private network and a destination outside of
+# the private network are instead routed through the NAT-GW node.
+# 
+# The effect of this is that only when a node does not have a public address
+# or a route to the external network will the node use the private address
+# as the source address and only then will it use the policy routing
+# through the NAT-GW.
+# As long as a node has a public address and can route to the external network
+# the node will always pick the public address as the source address and NAT-GW
+# routing will not be used.
+#NATGW_PUBLIC_IP=10.0.0.227/24
+#NATGW_PUBLIC_IFACE=eth0
+#NATGW_DEFAULT_GATEWAY=10.0.0.1
+#NATGW_PRIVATE_IFACE=eth0
+#NATGW_PRIVATE_NETWORK=10.0.0.0/24
+
+
 # where to log messages
 # the default is /var/log/log.ctdb
 # CTDB_LOGFILE=/var/log/log.ctdb

ctdb/config/events.d/11.natgw

@@ -0,0 +1,79 @@
+#!/bin/sh
+# Script to set up one of the nodes as a NAT gateway for all other nodes.
+# This is used to ensure that all nodes in the cluster can still originate
+# traffic to the external network even if there are no public addresses
+# available.
+#
+
+. $CTDB_BASE/functions
+loadconfig ctdb
+
+[ -z "$NATGW_PUBLIC_INTERFACE" ] && exit 0
+
+cmd="$1"
+shift
+PATH=/usr/bin:/bin:/usr/sbin:/sbin:$PATH
+
+case $cmd in 
+     recovered)
+	MYPNN=`ctdb pnn | cut -d: -f2`
+
+	# Find the first connected node
+	FIRST=`ctdb status -Y | grep ":0:$" | head -1`
+	FIRSTNODE=`echo $FIRST | cut -d: -f2`
+	FIRSTIP=`echo $FIRST | cut -d: -f3`
+
+	# Delete everything that might have been set in a previous iteration
+	# when we were not the NAT-GW
+	ip rule del fwmark 11 table 11 >/dev/null 2>/dev/null
+	iptables -D OUTPUT -t mangle -s $NATGW_PRIVATE_NETWORK -d ! $NATGW_PRIVATE_NETWORK -j MARK --set-mark 11 >/dev/null 2>/dev/null
+	iptables -D OUTPUT -t mangle -s $NATGW_PRIVATE_NETWORK -d ! $NATGW_PRIVATE_NETWORK -p tcp --sport 22 -j ACCEPT >/dev/null 2>/dev/null
+	ip route del $NATGW_PRIVATE_NETWORK dev $NATGW_PRIVATE_IFACE table 11 >/dev/null 2>/dev/null
+	ip route del 0.0.0.0/0 dev $NATGW_PRIVATE_IFACE table 11 >/dev/null 2>/dev/null
+
+	# Delete the masquerading setup from a previous iteration where we
+	# was the NAT-GW
+	iptables -D POSTROUTING -t nat -s $NATGW_PRIVATE_NETWORK -d ! $NATGW_PRIVATE_NETWORK -j MASQUERADE >/dev/null 2>/dev/null
+	ip addr del $NATGW_PUBLIC_IP dev $NATGW_PUBLIC_IFACE >/dev/null 2>/dev/null
+
+	if [ "$FIRSTNODE" == "$MYPNN" ]; then
+		# This is the first node, set it up as the NAT GW
+		echo 1 >/proc/sys/net/ipv4/ip_forward
+		iptables -A POSTROUTING -t nat -s $NATGW_PRIVATE_NETWORK -d ! $NATGW_PRIVATE_NETWORK -j MASQUERADE
+		ip addr add $NATGW_PUBLIC_IP dev $NATGW_PUBLIC_IFACE
+		ip route add 0.0.0.0/0 via $NATGW_DEFAULT_GATEWAY >/dev/null 2>/dev/null
+	else
+		# This is not the NAT-GW
+		# We now need to set up a separate routing table for
+		# all traffic we originate and with a destination that is
+		# outside of the local private network and route these 
+		# packets via the NAT-GW
+
+
+		# Mark all outgoing packets that have the private address
+		# as source address with fwmarker 11
+		# We expect that the only time the the source address will be
+		# selected as the private address would be when there are
+		# no static or public addresses assigned at all to the node.
+		# Othervise the routing would have picked a different address.
+		#
+		# Except for traffic to the ssh daemon, so that it is easier
+		# to test in the lab without disrupting the ssh sessions
+		iptables -A OUTPUT -t mangle -s $NATGW_PRIVATE_NETWORK -d ! $NATGW_PRIVATE_NETWORK -p tcp --sport 22 -j ACCEPT
+		iptables -A OUTPUT -t mangle -s $NATGW_PRIVATE_NETWORK -d ! $NATGW_PRIVATE_NETWORK -j MARK --set-mark 11
+
+
+		# create a routing table for the natgw traffic and set it
+		# up with both an interface toute for the private network
+		# as well as a default route that goes via the NAT-GW
+		ip route add $NATGW_PRIVATE_NETWORK dev $NATGW_PRIVATE_IFACE table 11
+		ip route add 0.0.0.0/0 via $FIRSTIP dev $NATGW_PRIVATE_IFACE table 11 >/dev/null 2>/dev/null
+
+		# Create a rule to use routing table 11 for these packets
+		ip rule add fwmark 11 table 11
+	fi
+	;;
+
+esac
+
+exit 0