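#!/bin/sh
# Script to set up one of the nodes as a NAT gateway for all other nodes.
# This is used to ensure that all nodes in the cluster can still originate
# traffic to the external network even if there are no public addresses
# available.

# Work out CTDB_BASE from this script's own location when the caller has
# not supplied it.  The value decides which "functions" file is sourced
# below with this script's privileges, so a failed "cd" must not fall
# through to the parent of whatever directory we were started in.
if [ -z "$CTDB_BASE" ] ; then
    CTDB_BASE=$(cd -P "$(dirname "$0")" && dirname "$PWD") || {
        echo "$0: unable to determine CTDB_BASE" >&2
        exit 1
    }
    export CTDB_BASE
fi

# Quoted so that a base directory containing whitespace is still sourced
# as a single path.
. "$CTDB_BASE/functions"
loadconfig

# NAT gateway handling is optional: without a nodes file there is nothing
# for this script to do.
[ -n "$CTDB_NATGW_NODES" ] || exit 0
export CTDB_NATGW_NODES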
# Validate the NAT gateway configuration and fill in defaults.
# Globals:   CTDB_NATGW_NODES, CTDB_NATGW_SLAVE_ONLY, CTDB_NATGW_PUBLIC_IP,
#            CTDB_NATGW_PUBLIC_IFACE, CTDB_NATGW_PRIVATE_NETWORK (read),
#            CTDB_NATGW_STATIC_ROUTES (read, defaulted when empty)
# Calls die (from the sourced functions file) on the first failed check.
natgw_check_config ()
{
    if [ ! -r "$CTDB_NATGW_NODES" ] ; then
        die "error: CTDB_NATGW_NODES=${CTDB_NATGW_NODES} unreadable"
    fi

    # The public address and interface are only demanded from nodes that
    # are not configured as slave-only.
    if [ "$CTDB_NATGW_SLAVE_ONLY" != "yes" ] ; then
        if [ -z "$CTDB_NATGW_PUBLIC_IP" ] ; then
            die "Invalid configuration: CTDB_NATGW_PUBLIC_IP not set"
        fi
        if [ -z "$CTDB_NATGW_PUBLIC_IFACE" ] ; then
            die "Invalid configuration: CTDB_NATGW_PUBLIC_IFACE not set"
        fi
    fi

    if [ -z "$CTDB_NATGW_PRIVATE_NETWORK" ] ; then
        die "Invalid configuration: CTDB_NATGW_PRIVATE_NETWORK not set"
    fi

    # With no static routes configured, fall back to a single default route.
    if [ -z "$CTDB_NATGW_STATIC_ROUTES" ] ; then
        CTDB_NATGW_STATIC_ROUTES="0.0.0.0/0"
    fi
}
# Tell ctdb whether this node has the NATGW capability.
# Globals: CTDB_NATGW_SLAVE_ONLY (read)
# Returns: the exit status of the ctdb command that was run.
natgw_set_capability ()
{
    # Only the exact value "yes" switches the capability off; any other
    # value (including unset) leaves it on.
    case "$CTDB_NATGW_SLAVE_ONLY" in
        yes)
            ctdb setnatgwstate off
            ;;
        *)
            ctdb setnatgwstate on
            ;;
    esac
}
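# Remove everything a previous run as NATGW master or slave may have left
# behind: the public address, the metric-10 static routes, the MASQUERADE
# rule and the REJECT rule for the public address.
# Globals: CTDB_NATGW_PUBLIC_IP, CTDB_NATGW_PUBLIC_IFACE,
#          CTDB_NATGW_STATIC_ROUTES, CTDB_NATGW_PRIVATE_NETWORK (read);
#          _ip, _maskbits, _net_gw, _net (written)
# Every step is best effort: the state being removed may not exist, so
# output is discarded and failures are not treated as errors.
# NOTE(review): ip_forward, which natgw_set_master enables, is not reset here.
natgw_clear ()
{
    _ip="${CTDB_NATGW_PUBLIC_IP%/*}"
    _maskbits="${CTDB_NATGW_PUBLIC_IP#*/}"

    # Left unquoted on purpose: natgw_check_config does not require the
    # public IP or interface on a slave-only node, so these may be empty
    # and the helper is then called without arguments, as before.
    delete_ip_from_iface \
        $CTDB_NATGW_PUBLIC_IFACE $_ip $_maskbits >/dev/null 2>&1

    # CTDB_NATGW_STATIC_ROUTES is a whitespace-separated list of
    # NET[@GATEWAY] entries, so it is split deliberately.
    for _net_gw in $CTDB_NATGW_STATIC_ROUTES ; do
        _net="${_net_gw%@*}"
        ip route del "$_net" metric 10 >/dev/null 2>&1
    done

    # Delete the masquerading setup from a previous iteration where we
    # were the NAT-GW.  The network is quoted so that a malformed value
    # cannot be split into additional iptables arguments.
    iptables -D POSTROUTING -t nat \
        -s "$CTDB_NATGW_PRIVATE_NETWORK" ! -d "$CTDB_NATGW_PRIVATE_NETWORK" \
        -j MASQUERADE >/dev/null 2>&1

    # Drop the rule that rejected new TCP connections to the public address.
    iptables -D INPUT -p tcp --syn -d "$_ip/32" -j REJECT 2>/dev/null
}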
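# Configure this node as the NATGW master: enable forwarding, masquerade
# traffic leaving the private network, take over the public address and
# install the static routes.
# Globals: CTDB_NATGW_PRIVATE_NETWORK, CTDB_NATGW_PUBLIC_IP,
#          CTDB_NATGW_PUBLIC_IFACE, CTDB_NATGW_STATIC_ROUTES,
#          CTDB_NATGW_DEFAULT_GATEWAY (read);
#          ctdb_natgw_public_ip_host, _net_gw, _net, _gw (written)
natgw_set_master ()
{
    # NOTE(review): nothing in this script switches ip_forward back off
    # once the node stops being master; natgw_clear leaves it untouched.
    set_proc sys/net/ipv4/ip_forward 1
    iptables -A POSTROUTING -t nat \
        -s "$CTDB_NATGW_PRIVATE_NETWORK" ! -d "$CTDB_NATGW_PRIVATE_NETWORK" \
        -j MASQUERADE

    # Reject new inbound TCP connections (SYN packets) to the NATGW
    # address.  This rule covers TCP only; other protocols addressed to
    # the public IP are not filtered here.
    ctdb_natgw_public_ip_host="${CTDB_NATGW_PUBLIC_IP%/*}/32"
    # Best effort: remove a stale copy first so the rule is never duplicated.
    iptables -D INPUT -p tcp --syn \
        -d "$ctdb_natgw_public_ip_host" -j REJECT 2>/dev/null
    # A failure to install the protective rule must be visible, so stderr
    # is no longer discarded and a warning is logged.
    if ! iptables -I INPUT -p tcp --syn \
        -d "$ctdb_natgw_public_ip_host" -j REJECT ; then
        echo "WARNING: could not install REJECT rule for" \
            "$ctdb_natgw_public_ip_host" >&2
    fi

    ip addr add "$CTDB_NATGW_PUBLIC_IP" dev "$CTDB_NATGW_PUBLIC_IFACE"

    # Each entry is NET or NET@GATEWAY; entries without an explicit
    # gateway use CTDB_NATGW_DEFAULT_GATEWAY.  The list is split on
    # whitespace deliberately.
    for _net_gw in $CTDB_NATGW_STATIC_ROUTES ; do
        _net="${_net_gw%@*}"
        if [ "$_net" != "$_net_gw" ] ; then
            _gw="${_net_gw#*@}"
        else
            _gw="$CTDB_NATGW_DEFAULT_GATEWAY"
        fi

        # No gateway known for this network: skip it rather than fail.
        [ -n "$_gw" ] || continue
        ip route add "$_net" metric 10 via "$_gw"
    done
}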
# Configure this node as a NATGW slave by routing the static networks
# through the current master.
# Arguments: $1 - address of the NATGW master
# Globals:   CTDB_NATGW_STATIC_ROUTES, CTDB_NATGW_PUBLIC_IP (read);
#            _natgwip, _net_gw, _net (written)
natgw_set_slave ()
{
    _natgwip="$1"

    # The route list is whitespace-separated, so it is split on purpose.
    # Only the network part of each NET[@GATEWAY] entry is used here; the
    # next hop is always the master.
    for _net_gw in $CTDB_NATGW_STATIC_ROUTES
    do
        _net="${_net_gw%@*}"
        ip route add "$_net" via "$_natgwip" metric 10
    done

    # Make sure winbindd does not stay bound to this address if we are
    # no longer NATGW master.  Output is discarded.
    # NOTE(review): the address is passed unquoted, exactly as configured.
    smbcontrol winbindd ip-dropped $CTDB_NATGW_PUBLIC_IP >/dev/null 2>/dev/null
}
# Look up the current NATGW master and fail when there is none.
# Arguments: $1 - event name (stored in _event)
# Globals:   natgwmaster, natgwip, _event (written)
# The first two words printed by "ctdb natgwlist" are taken as the
# master's node number and its address.
natgw_ensure_master ()
{
    _event="$1"

    # Word splitting of the command output is intended: it replaces the
    # positional parameters with the fields of the output.
    set -- $(ctdb natgwlist)
    natgwip="$2"
    # No output at all (for example when natgwlist fails) is treated the
    # same as an explicit master of -1.
    natgwmaster="${1:--1}"

    [ "$natgwmaster" != "-1" ] || die "There is no NATGW master node"
}
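# Event dispatch: $1 is the event name this script was invoked with.
case "$1" in
    setup)
        natgw_check_config
        natgw_set_capability
        ;;

    startup)
        natgw_check_config

        # Error if CTDB_NATGW_PUBLIC_IP is listed in public addresses.
        # Dots are escaped so the address is matched literally by grep.
        ip_pat=$(echo "$CTDB_NATGW_PUBLIC_IP" | sed -e 's@\.@\\.@g')
        if grep -q "^${ip_pat}[[:space:]]" \
            "${CTDB_PUBLIC_ADDRESSES:-${CTDB_BASE}/public_addresses}" ; then
            die "ERROR: CTDB_NATGW_PUBLIC_IP same as a public address"
        fi

        # do not send out arp requests from loopback addresses
        set_proc sys/net/ipv4/conf/all/arp_announce 2
        ;;

    updatenatgw|ipreallocated)
        natgw_check_config

        mypnn=$(ctdb pnn | cut -d: -f2)

        natgw_set_capability
        # Sets natgwmaster and natgwip, which are used below.
        natgw_ensure_master "$1"

        # Always start from a clean state before applying the new role.
        natgw_clear

        if [ "$mypnn" = "$natgwmaster" ]; then
            natgw_set_master
        else
            natgw_set_slave "$natgwip"
        fi

        # flush our route cache
        set_proc sys/net/ipv4/route/flush 1
        ;;

    shutdown|removenatgw)
        natgw_check_config
        natgw_clear
        ;;

    monitor)
        natgw_check_config
        natgw_set_capability
        natgw_ensure_master "$1"
        ;;

    *)
        # Hand the script's own arguments to the default handler.  The
        # previous code passed the literal string "@", so the handler
        # never saw the event name.
        ctdb_standard_event_handler "$@"
        ;;
esac

exit 0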