2 # Script to set up one of the nodes as a NAT gateway for all other nodes.
3 # This is used to ensure that all nodes in the cluster can still originate
4 # traffic to the external network even if there are no public addresses
# Locate CTDB_BASE when the daemon did not export it: resolve the physical
# directory holding this script (-P follows symlinks) and take its parent.
8 [ -n "$CTDB_BASE" ] || \
9 export CTDB_BASE
=$
(cd -P $
(dirname "$0") ; dirname "$PWD")
# Shared event-script library. The helpers used below (die, set_proc,
# delete_ip_from_iface, ctdb_standard_event_handler) are expected to be
# defined there -- the library itself is not shown in this excerpt.
11 .
$CTDB_BASE/functions
# NAT gateway support is opt-in: with no nodes file configured there is
# nothing for this script to do, so leave quietly and successfully.
14 [ -n "$CTDB_NATGW_NODES" ] ||
exit 0
# Exported so the ctdb commands invoked later (natgwlist) can read it
# from the environment -- presumably; confirm against the ctdb tool.
15 export CTDB_NATGW_NODES
# Fail loudly if the nodes file cannot be read rather than continuing
# with an effectively empty NATGW group.
19 [ -r "$CTDB_NATGW_NODES" ] || \
20 die
"error: CTDB_NATGW_NODES=${CTDB_NATGW_NODES} unreadable"
# A slave-only node never takes over as gateway, so the public address
# and public interface are only mandatory on nodes that may become master.
21 if [ "$CTDB_NATGW_SLAVE_ONLY" != "yes" ] ; then
22 [ -n "$CTDB_NATGW_PUBLIC_IP" ] || \
23 die
"Invalid configuration: CTDB_NATGW_PUBLIC_IP not set"
24 [ -n "$CTDB_NATGW_PUBLIC_IFACE" ] || \
25 die
"Invalid configuration: CTDB_NATGW_PUBLIC_IFACE not set"
# The "fi" closing the if above is not present in this excerpt, so it is
# not visible here whether the private-network check is conditional.
27 [ -n "$CTDB_NATGW_PRIVATE_NETWORK" ] || \
28 die
"Invalid configuration: CTDB_NATGW_PRIVATE_NETWORK not set"
30 # The default is to create a single default route
# Entries are whitespace-separated; the value is deliberately expanded
# unquoted in the route loops below so the shell splits it into entries.
31 [ -n "$CTDB_NATGW_STATIC_ROUTES" ] || CTDB_NATGW_STATIC_ROUTES
="0.0.0.0/0"
#######################################
# Report this node's NATGW capability to ctdbd from its configuration.
# A slave-only node switches the capability off; the other branch of the
# if (and the function's opening brace and end) are not in this excerpt.
# Globals:  CTDB_NATGW_SLAVE_ONLY (read)
# Outputs:  none; delegates to "ctdb setnatgwstate"
#######################################
34 natgw_set_capability
()
36 # Set NATGW capability depending on configuration
37 if [ "$CTDB_NATGW_SLAVE_ONLY" = "yes" ] ; then
38 ctdb setnatgwstate off
# NOTE(review): the lines below are function bodies whose headers (and the
# closing braces / done / fi lines) are not present in this excerpt. They
# fall into three phases: tear down any previous NATGW state, set up the
# master configuration, and set up the slave (non-master) configuration.
#
# --- teardown ---
# Split the configured "IP/maskbits" value into its two halves.
46 _ip
="${CTDB_NATGW_PUBLIC_IP%/*}"
47 _maskbits
="${CTDB_NATGW_PUBLIC_IP#*/}"
# Remove the shared NATGW address from the public interface. Output is
# discarded, presumably because the address is absent on any node that
# was not previously master (best-effort cleanup).
49 delete_ip_from_iface \
50 $CTDB_NATGW_PUBLIC_IFACE $_ip $_maskbits >/dev
/null
2>&1
# One "ip route del" per configured entry. The unquoted expansion is
# intentional: it word-splits CTDB_NATGW_STATIC_ROUTES into entries.
51 for _net_gw
in $CTDB_NATGW_STATIC_ROUTES ; do
# _net is derived from _net_gw on a line not shown here. Errors are
# discarded because the route may not exist on this node.
53 ip route del
"$_net" metric
10 >/dev
/null
2>/dev
/null
56 # Delete the masquerading setup from a previous iteration where we
# were master. The rule matches traffic sourced from the private network
# whose destination is outside it, i.e. only traffic leaving the cluster.
# "-D" on a rule that is not installed simply fails; output is discarded.
58 iptables
-D POSTROUTING
-t nat \
59 -s $CTDB_NATGW_PRIVATE_NETWORK ! -d $CTDB_NATGW_PRIVATE_NETWORK \
60 -j MASQUERADE
>/dev
/null
2>/dev
/null
# Drop the inbound-SYN REJECT rule for the NATGW address that the master
# setup below installs (again best-effort, stderr discarded).
62 iptables
-D INPUT
-p tcp
--syn -d $_ip/32 -j REJECT
2>/dev
/null
#
# --- master setup ---
# Enable IPv4 forwarding so this node can route the other nodes' traffic.
# This is a host-wide kernel setting; the teardown steps visible above do
# not switch it back off when the node stops being master.
67 set_proc sys
/net
/ipv
4/ip_forward
1
# Masquerade traffic from the private network that leaves it, so it
# egresses with this node's address. The "-j MASQUERADE" line that
# completes this command is not present in this excerpt.
68 iptables
-A POSTROUTING
-t nat \
69 -s $CTDB_NATGW_PRIVATE_NETWORK ! -d $CTDB_NATGW_PRIVATE_NETWORK \
72 # block all incoming connections to the NATGW IP address
# Only the NATGW address itself (/32) is blocked, not the whole prefix.
73 ctdb_natgw_public_ip_host
="${CTDB_NATGW_PUBLIC_IP%/*}/32"
# Delete first so repeated runs do not stack duplicate rules; "-D" on an
# absent rule just fails and its stderr is discarded.
74 iptables
-D INPUT
-p tcp
--syn \
75 -d $ctdb_natgw_public_ip_host -j REJECT
2>/dev
/null
# Insert at the head of INPUT so this rule takes precedence over any
# later ACCEPT rules: TCP connection attempts to the shared address are
# rejected, since the address exists for outbound NAT only.
76 iptables
-I INPUT
-p tcp
--syn \
77 -d $ctdb_natgw_public_ip_host -j REJECT
2>/dev
/null
# Bring up the shared address (IP/maskbits form) on the public interface.
# No error check here; a failure (e.g. address already present) is not
# reported by this line.
79 ip addr add
$CTDB_NATGW_PUBLIC_IP dev
$CTDB_NATGW_PUBLIC_IFACE
# Install the configured routes on the master, each via its own gateway.
80 for _net_gw
in $CTDB_NATGW_STATIC_ROUTES ; do
# A differing _net and _net_gw means the entry carried its own gateway;
# how _net and that gateway are split out of _net_gw is on lines not
# shown here.
82 if [ "$_net" != "$_net_gw" ] ; then
# Fall back to the configured default gateway. The branch structure
# between the if above and this assignment is not fully visible here.
85 _gw
="$CTDB_NATGW_DEFAULT_GATEWAY"
# Skip entries with no usable gateway instead of failing the whole setup.
88 [ -n "$_gw" ] ||
continue
# metric 10 matches the metric used by "ip route del" in the teardown
# above, so the delete/add pair stays consistent.
89 ip route add
"$_net" metric
10 via
"$_gw"
#
# --- slave setup ---
# Point the same routes at the NATGW master's address. Where _natgwip is
# assigned is not shown in this excerpt.
97 for _net_gw
in $CTDB_NATGW_STATIC_ROUTES ; do
99 ip route add
"$_net" via
"$_natgwip" metric
10
102 # Make sure winbindd does not stay bound to this address if we are
103 # no longer NATGW master
# Output discarded: winbindd may not be running on this node.
104 smbcontrol winbindd ip-dropped
$CTDB_NATGW_PUBLIC_IP >/dev
/null
2>&1
#######################################
# Ask ctdb which node is the current NATGW master and abort the event if
# there is none. The function's opening brace, the remaining body and the
# closing brace are not present in this excerpt.
# Globals:   natgwmaster (written, not local -- read by the case arm
#            that compares it against mypnn further down)
# Arguments: $1 - event name, as passed by the callers below (not used on
#            the lines visible here)
# Returns:   does not return when no master exists (die)
#######################################
107 natgw_ensure_master
()
# The command substitution is deliberately unquoted so the output of
# "ctdb natgwlist" is word-split into the positional parameters; the
# first word is taken as the master's node number.
111 set -- $
(ctdb natgwlist
)
# Empty output (natgwlist failed) leaves $1 unset, hence the -1 default.
112 natgwmaster
="${1:--1}" # Default is -1 if natgwlist fails
115 if [ "$natgwmaster" = "-1" ]; then
# Refuse to continue rather than configure routes towards no gateway.
117 die
"There is no NATGW master node"
# NOTE(review): these lines belong to one arm of the script's main "case"
# statement; the case header and the arm's label are not in this excerpt.
130 # Error if CTDB_NATGW_PUBLIC_IP is listed in public addresses
# Escape the dots so grep matches the address literally. Only "." needs
# escaping here: the value is in IP/prefix form and "/" is not a regex
# metacharacter.
131 ip_pat
=$
(echo "$CTDB_NATGW_PUBLIC_IP" |
sed -e 's@\.@\\.@g')
# Anchored at line start and followed by whitespace, so a longer address
# sharing a prefix cannot match. The file defaults to public_addresses
# under CTDB_BASE unless CTDB_PUBLIC_ADDRESSES overrides it.
132 if grep -q "^${ip_pat}[[:space:]]" \
133 "${CTDB_PUBLIC_ADDRESSES:-${CTDB_BASE}/public_addresses}" ; then
# Using a failover public address as the NATGW address is a
# misconfiguration; refuse to start rather than fight over the address.
134 die
"ERROR: CTDB_NATGW_PUBLIC_IP same as a public address"
137 # do not send out arp requests from loopback addresses
# set_proc comes from the functions library (not shown here); the closing
# "fi" of the if above is also not in this excerpt.
138 set_proc sys
/net
/ipv
4/conf
/all
/arp_announce
2
# Re-evaluate the NATGW role whenever ctdb signals a change. Lines between
# the visible statements (the master call, else/fi, ";;") are missing
# from this excerpt.
141 updatenatgw|ipreallocated
)
# This node's number, taken from the "key:value" style output of
# "ctdb pnn" -- presumably; confirm against the ctdb tool's output format.
144 mypnn
=$
(ctdb pnn | cut
-d: -f2)
# Sets natgwmaster (and, on lines not shown here, presumably natgwip);
# dies if there is no master.
147 natgw_ensure_master
"$1"
# Master branch (its body is not in this excerpt); otherwise configure
# this node as a slave routing via the master's address.
151 if [ "$mypnn" = "$natgwmaster" ]; then
154 natgw_set_slave
"$natgwip"
157 # flush our route cache
# Ensures cached routes from the previous role are dropped immediately.
158 set_proc sys
/net
/ipv
4/route
/flush
1
# Teardown-only events; the arm's body is not in this excerpt.
161 shutdown|removenatgw
)
# The label of the arm containing this call is not in this excerpt; it
# only checks that a master exists and dies otherwise.
169 natgw_ensure_master
"$1"
# Default arm: hand any other event to the generic handler.
# NOTE(review): the argument is the literal string "@", not "$@"; confirm
# that is intended (the handler is defined in the functions library).
173 ctdb_standard_event_handler
"@"