ctdb/config/events.d/11.natgw

   1 #!/bin/sh
   2 # Script to set up one of the nodes as a NAT gateway for all other nodes.
   3 # This is used to ensure that all nodes in the cluster can still originate
   4 # traffic to the external network even if there are no public addresses
   5 # available.
   6 #
   7
   8 [ -n "$CTDB_BASE" ] || \
   9     export CTDB_BASE=$(cd -P $(dirname "$0") ; dirname "$PWD")
  10
  11 . $CTDB_BASE/functions
  12 loadconfig
  13
  14 [ -n "$CTDB_NATGW_NODES" ] || exit 0
  15 export CTDB_NATGW_NODES
  16
  17 natgw_check_config ()
  18 {
  19     [ -r "$CTDB_NATGW_NODES" ] || \
  20         die "error: CTDB_NATGW_NODES=${CTDB_NATGW_NODES} unreadable"
  21     [ -n "$CTDB_NATGW_PUBLIC_IP" ] || \
  22         die "Invalid configuration: CTDB_NATGW_PUBLIC_IP not set"
  23     [ -n "$CTDB_NATGW_PUBLIC_IFACE" ] || \
  24         die "Invalid configuration: CTDB_NATGW_PUBLIC_IFACE not set"
  25     [ -n "$CTDB_NATGW_PRIVATE_NETWORK" ] || \
  26         die "Invalid configuration: CTDB_NATGW_PRIVATE_NETWORK not set"
  27 }
  28
  29 natgw_set_capability ()
  30 {
  31     # Set NATGW capability depending on configuration
  32     if [ "$CTDB_NATGW_SLAVE_ONLY" = "yes" ] ; then
  33         ctdb setnatgwstate off
  34     else
  35         ctdb setnatgwstate on
  36     fi
  37 }
  38
  39 natgw_clear ()
  40 {
  41     _ip="${CTDB_NATGW_PUBLIC_IP%/*}"
  42     _maskbits="${CTDB_NATGW_PUBLIC_IP#*/}"
  43
  44     delete_ip_from_iface \
  45         $CTDB_NATGW_PUBLIC_IFACE $_ip $_maskbits >/dev/null 2>&1
  46     ip route del 0.0.0.0/0 metric 10 >/dev/null 2>/dev/null
  47
  48     # Delete the masquerading setup from a previous iteration where we
  49     # were the NAT-GW
  50     iptables -D POSTROUTING -t nat \
  51         -s $CTDB_NATGW_PRIVATE_NETWORK ! -d $CTDB_NATGW_PRIVATE_NETWORK \
  52         -j MASQUERADE >/dev/null 2>/dev/null
  53
  54     iptables -D INPUT -p tcp --syn -d $_ip/32 -j REJECT 2>/dev/null
  55 }
  56
  57 natgw_set_master ()
  58 {
  59     set_proc sys/net/ipv4/ip_forward 1
  60     iptables -A POSTROUTING -t nat \
  61         -s $CTDB_NATGW_PRIVATE_NETWORK ! -d $CTDB_NATGW_PRIVATE_NETWORK \
  62         -j MASQUERADE
  63
  64     # block all incoming connections to the NATGW IP address
  65     ctdb_natgw_public_ip_host="${CTDB_NATGW_PUBLIC_IP%/*}/32"
  66     iptables -D INPUT -p tcp --syn \
  67         -d $ctdb_natgw_public_ip_host -j REJECT 2>/dev/null
  68     iptables -I INPUT -p tcp --syn \
  69         -d $ctdb_natgw_public_ip_host -j REJECT 2>/dev/null
  70
  71     ip addr add $CTDB_NATGW_PUBLIC_IP dev $CTDB_NATGW_PUBLIC_IFACE
  72     ip route add 0.0.0.0/0 metric 10 via $CTDB_NATGW_DEFAULT_GATEWAY >/dev/null 2>/dev/null
  73 }
  74
  75 natgw_set_slave ()
  76 {
  77     _natgwip="$1"
  78
  79     ip route add 0.0.0.0/0 via "$_natgwip" metric 10
  80
  81     # Make sure winbindd does not stay bound to this address if we are
  82     # no longer NATGW master
  83     smbcontrol winbindd ip-dropped $CTDB_NATGW_PUBLIC_IP >/dev/null 2>&1
  84 }
  85
  86 natgw_ensure_master ()
  87 {
  88     _event="$1"
  89
  90     set -- $(ctdb natgwlist)
  91     natgwmaster="${1:--1}" # Default is -1 if natgwlist fails
  92     natgwip="$2"
  93
  94     if [ "$natgwmaster" = "-1" ]; then
  95         # Fail...
  96         die "There is no NATGW master node"
  97     fi
  98 }
  99
 100 case "$1" in
 101     setup)
 102         natgw_check_config
 103         natgw_set_capability
 104         ;;
 105
 106     startup)
 107         natgw_check_config
 108
 109         # Error if CTDB_NATGW_PUBLIC_IP is listed in public addresses
 110         ip_pat=$(echo "$CTDB_NATGW_PUBLIC_IP" | sed -e 's@\.@\\.@g')
 111         if grep -q "^${ip_pat}[[:space:]]" \
 112             "${CTDB_PUBLIC_ADDRESSES:-${CTDB_BASE}/public_addresses}" ; then
 113             die "ERROR: CTDB_NATGW_PUBLIC_IP same as a public address"
 114         fi
 115
 116         # do not send out arp requests from loopback addresses
 117         set_proc sys/net/ipv4/conf/all/arp_announce 2
 118         ;;
 119
 120     updatenatgw|ipreallocated)
 121         natgw_check_config
 122
 123         mypnn=$(ctdb pnn | cut -d: -f2)
 124
 125         natgw_set_capability
 126         natgw_ensure_master "$1"
 127
 128         natgw_clear
 129
 130         if [ "$mypnn" = "$natgwmaster" ]; then
 131             natgw_set_master
 132         else
 133             natgw_set_slave "$natgwip"
 134         fi
 135
 136         # flush our route cache
 137         set_proc sys/net/ipv4/route/flush 1
 138         ;;
 139
 140     shutdown|removenatgw)
 141         natgw_check_config
 142         natgw_clear
 143         ;;
 144
 145     monitor)
 146         natgw_check_config
 147         natgw_set_capability
 148         natgw_ensure_master "$1"
 149         ;;
 150
 151     *)
 152         ctdb_standard_event_handler "@"
 153         ;;
 154 esac
 155
 156 exit 0