CVE-2016-0771: tests/dns: Remove dependencies on env variables

[Samba.git] / ctdb / config / events.d / 10.interface

#!/bin/sh

#################################
# interface event script for ctdb
# this adds/removes IPs from your 
# public interface

[ -n "$CTDB_BASE" ] || \
    export CTDB_BASE=$(cd -P $(dirname "$0") ; dirname "$PWD")

. $CTDB_BASE/functions
loadconfig

[ -z "$CTDB_PUBLIC_ADDRESSES" ] && {
        CTDB_PUBLIC_ADDRESSES=$CTDB_BASE/public_addresses
}

[ ! -f "$CTDB_PUBLIC_ADDRESSES" ] && {
        if [ "$1" = "init" ]; then
                echo "No public addresses file found. Nothing to do for 10.interfaces"
        fi
        exit 0
}

# This sets $all_interfaces as a side-effect.
get_all_interfaces ()
{
    # Get all the interfaces listed in the public_addresses file
    all_interfaces=$(sed -e "s/^[^\t ]*[\t ]*//" -e "s/,/ /g" -e "s/[\t ]*$//" $CTDB_PUBLIC_ADDRESSES)

    # Add some special interfaces if they're defined
    [ "$CTDB_PUBLIC_INTERFACE" ] && all_interfaces="$CTDB_PUBLIC_INTERFACE $all_interfaces"

    # Get the interfaces for which CTDB has public IPs configured.
    # That is, for all but the 1st line, get the 1st field.
    ctdb_ifaces=$(ctdb -X ifaces | sed -e '1d' -e 's@^|@@' -e 's@|.*@@')

    # Add $ctdb_interfaces and uniquify
    all_interfaces=$(echo $all_interfaces $ctdb_ifaces | tr ' ' '\n' | sort -u)
}

monitor_interfaces()
{
        get_all_interfaces

        down_interfaces_found=false
        up_interfaces_found=false

        # Note that this loop must not exit early.  It must process
        # all interfaces so that the correct state for each interface
        # is set in CTDB using setifacelink.
        for _iface in $all_interfaces ; do
                if interface_monitor "$_iface" ; then
                        up_interfaces_found=true
                        ctdb setifacelink "$_iface" up >/dev/null 2>&1
                else
                        down_interfaces_found=true
                        ctdb setifacelink "$_iface" down >/dev/null 2>&1
                fi
        done

        if ! $down_interfaces_found ; then
                return 0
        fi

        if ! $up_interfaces_found ; then
                return 1
        fi

        if [ "$CTDB_PARTIALLY_ONLINE_INTERFACES" != "yes" ]; then
                return 1
        fi

        return 0
}

# Sets: iface, ip, maskbits, family
get_iface_ip_maskbits_family ()
{
    _iface_in="$1"
    ip="$2"
    _maskbits_in="$3"

    set -- $(ip_maskbits_iface "$ip")
    if [ -n "$1" ] ; then
        maskbits="$1"
        iface="$2"
        family="$3"

        if [ "$iface" != "$_iface_in" ] ; then
            printf \
                'WARNING: Public IP %s hosted on interface %s but VNN says %s\n' \
                "$ip" "$iface" "$_iface_in"
        fi
        if [ "$maskbits" != "$_maskbits_in" ] ; then
            printf \
                'WARNING: Public IP %s has %s bit netmask but VNN says %s\n' \
                    "$ip" "$maskbits" "$_maskbits_in"
        fi
    else
        die "ERROR: Unable to determine interface for IP ${ip}"
    fi
}

ctdb_check_args "$@"

case "$1" in
    init)
        # make sure that we only respond to ARP messages from the NIC where
        # a particular ip address is associated.
        get_proc sys/net/ipv4/conf/all/arp_filter >/dev/null 2>&1 && {
            set_proc sys/net/ipv4/conf/all/arp_filter 1
        }

        _promote="sys/net/ipv4/conf/all/promote_secondaries"
        get_proc "$_promote" >/dev/null 2>&1 || \
            die "Public IPs only supported if promote_secondaries is available"

        # make sure we drop any ips that might still be held if
        # previous instance of ctdb got killed with -9 or similar
        drop_all_public_ips
        ;;

    startup)
        monitor_interfaces
        ;;

    takeip)
        iface=$2
        ip=$3
        maskbits=$4

        add_ip_to_iface $iface $ip $maskbits || {
                exit 1;
        }

        # cope with the script being killed while we have the interface blocked
        case "$ip" in
            *:*) family="inet6" ;;
            *)   family="inet"  ;;
        esac
        iptables_wrapper $family -D INPUT -i $iface -d $ip -j DROP 2> /dev/null

        flush_route_cache
        ;;

    releaseip)
        # releasing an IP is a bit more complex than it seems. Once the IP
        # is released, any open tcp connections to that IP on this host will end
        # up being stuck. Some of them (such as NFS connections) will be unkillable
        # so we need to use the killtcp ctdb function to kill them off. We also
        # need to make sure that no new connections get established while we are 
        # doing this! So what we do is this:
        # 1) firewall this IP, so no new external packets arrive for it
        # 2) use netstat -tn to find existing connections, and kill them 
        # 3) remove the IP from the interface
        # 4) remove the firewall rule
        shift
        get_iface_ip_maskbits_family "$@"

        # we do an extra delete to cope with the script being killed
        iptables_wrapper $family -D INPUT -i $iface -d $ip -j DROP 2> /dev/null
        iptables_wrapper $family -I INPUT -i $iface -d $ip -j DROP
        kill_tcp_connections $ip

        delete_ip_from_iface $iface $ip $maskbits || {
            iptables_wrapper $family \
                             -D INPUT -i $iface -d $ip -j DROP 2> /dev/null
                exit 1
        }

        iptables_wrapper $family -D INPUT -i $iface -d $ip -j DROP 2> /dev/null

        flush_route_cache
        ;;

    updateip)
        # moving an IP is a bit more complex than it seems.
        # First we drop all traffic on the old interface.
        # Then we try to add the ip to the new interface and before
        # we finally remove it from the old interface.
        #
        # 1) firewall this IP, so no new external packets arrive for it
        # 2) remove the IP from the old interface (and new interface, to be sure)
        # 3) add the IP to the new interface
        # 4) remove the firewall rule
        # 5) use ctdb gratiousarp to propagate the new mac address
        # 6) use netstat -tn to find existing connections, and tickle them
        _oiface=$2
        niface=$3
        _ip=$4
        _maskbits=$5

        get_iface_ip_maskbits_family "$_oiface" "$_ip" "$_maskbits"
        oiface="$iface"

        # we do an extra delete to cope with the script being killed
        iptables_wrapper $family -D INPUT -i $oiface -d $ip -j DROP 2> /dev/null
        iptables_wrapper $family -I INPUT -i $oiface -d $ip -j DROP

        delete_ip_from_iface $oiface $ip $maskbits 2>/dev/null
        delete_ip_from_iface $niface $ip $maskbits 2>/dev/null

        add_ip_to_iface $niface $ip $maskbits || {
            iptables_wrapper $family \
                             -D INPUT -i $oiface -d $ip -j DROP 2> /dev/null
            exit 1
        }

        # cope with the script being killed while we have the interface blocked
        iptables_wrapper $family -D INPUT -i $oiface -d $ip -j DROP 2> /dev/null

        flush_route_cache

        # propagate the new mac address
        ctdb gratiousarp $ip $niface

        # tickle all existing connections, so that dropped packets
        # are retransmited and the tcp streams work
        tickle_tcp_connections $ip
        ;;

    monitor)
        monitor_interfaces || exit 1
        ;;
    *)
        ctdb_standard_event_handler "$@"
        ;;
esac

exit 0