ctdb-scripts: Make 70.iscsi IPv6-aware

Block iSCSI port for families of all address the node is configured to
host.

Could just unconditional add blocking using ip6tables instead.
However, this would produce errors when no IPv6 public addresses are
configured and ip6tables is not installed.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb/config/events.d/70.iscsi

@@ -21,9 +21,28 @@ is_ctdb_managed_service || exit 0
 
 case "$1" in 
     ipreallocated)
-	# block the iscsi port
-	iptables -I INPUT 1 -p tcp --dport 3260 -j DROP
-	
+	all_ips=$(ctdb -X ip | tail -n +2)
+
+	# Block the iSCSI port.  Only block for the address families
+	# we have configured.  This copes with, for example, ip6tables
+	# being unavailable on an IPv4-only system.
+	have_ipv4=false
+	have_ipv6=false
+	while IFS='|' read x ip pnn x ; do
+	    case "$ip" in
+		*:*) have_ipv6=true ;;
+		*)   have_ipv4=true ;;
+		esac
+	done <<EOF
+$all_ips
+EOF
+	if $have_ipv4 ; then
+	    iptables -I INPUT 1 -p tcp --dport 3260 -j DROP
+	fi
+	if $have_ipv6 ; then
+	    ip6tables -I INPUT 1 -p tcp --dport 3260 -j DROP
+	fi
+
 	# shut down the iscsi service
 	killall -9 tgtd >/dev/null 2>/dev/null
 
@@ -36,7 +55,8 @@ case "$1" in
 	# start the iscsi daemon
 	tgtd >/dev/null 2>/dev/null
 
-	ips=$(ctdb -X ip | awk -F'|' -v pnn=$this_node '$3 == pnn {print $2}')
+	# Run a script for each currently hosted public IP address
+	ips=$(echo "$all_ips" | awk -F'|' -v pnn=$this_node '$3 == pnn {print $2}')
 	for ip in $ips ; do
 	    script="${CTDB_START_ISCSI_SCRIPTS}/${ip}.sh"
 	    if [ -x "$script" ] ; then
@@ -45,10 +65,14 @@ case "$1" in
 	    fi
 	done
 
-	# remove all iptables rules
+	# Unblock iSCSI port.  These can be unconditional (compared to
+	# blocking above), since errors are redirected.
 	while iptables -D INPUT -p tcp --dport 3260 -j DROP >/dev/null 2>&1 ; do
 	    :
 	done
+	while ip6tables -D INPUT -p tcp --dport 3260 -j DROP >/dev/null 2>&1 ; do
+	    :
+	done
 
 	;;