#
. $CTDB_BASE/functions
-loadconfig ctdb
+loadconfig
-[ -z "$CTDB_NATGW_PUBLIC_IFACE" ] && exit 0
-
-cmd="$1"
-shift
-PATH=/usr/bin:/bin:/usr/sbin:/sbin:$PATH
+[ -z "$CTDB_NATGW_NODES" ] && exit 0
+# Update capabilities to show whether we support teh NATGW capability or not
+if [ "$CTDB_NATGW_SLAVE_ONLY" = "yes" ] ; then
+ ctdb setnatgwstate off
+else
+ ctdb setnatgwstate on
+fi
delete_all() {
- remove_ip $CTDB_NATGW_PUBLIC_IP $CTDB_NATGW_PUBLIC_IFACE
- remove_ip $CTDB_NATGW_PUBLIC_IP_HOST lo
+ local _ip=`echo $CTDB_NATGW_PUBLIC_IP | cut -d '/' -f1`
+ local _maskbits=`echo $CTDB_NATGW_PUBLIC_IP | cut -d '/' -f2`
+
+ [ -z "$CTDB_NATGW_PUBLIC_IFACE" ] || {
+ delete_ip_from_iface $CTDB_NATGW_PUBLIC_IFACE $_ip $_maskbits 2>/dev/null
+ }
+ delete_ip_from_iface lo $_ip 32
ip route del 0.0.0.0/0 metric 10 >/dev/null 2>/dev/null
# were the NAT-GW
iptables -D POSTROUTING -t nat -s $CTDB_NATGW_PRIVATE_NETWORK -d ! $CTDB_NATGW_PRIVATE_NETWORK -j MASQUERADE >/dev/null 2>/dev/null
+ # remove any iptables rule we may have on this address
+ iptables -D INPUT -p tcp --syn -d $_ip/32 -j REJECT 2>/dev/null
}
-case $cmd in
- startup)
+case "$1" in
+ startup)
+ [ -z "$CTDB_PUBLIC_ADDRESSES" ] && {
+ CTDB_PUBLIC_ADDRESSES=/etc/ctdb/public_addresses
+ }
+ egrep "^$CTDB_NATGW_PUBLIC_IP[ \t]" $CTDB_PUBLIC_ADDRESSES >/dev/null
+ [ "$?" = "0" ] && {
+ echo ERROR: NATGW configured to use a public address. NATGW must not use a public address.
+ exit 1
+ }
+
# do not respond to ARPs that are for ip addresses with scope 'host'
echo 3 > /proc/sys/net/ipv4/conf/all/arp_ignore
# do not send out arp requests from loopback addresses
echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
- # update capabilities to show we are using natgw
- ctdb setnatgwstate on
;;
- recovered)
+ recovered|updatenatgw|ipreallocated)
MYPNN=`ctdb pnn | cut -d: -f2`
NATGWMASTER=`ctdb natgwlist | head -1 | sed -e "s/ .*//"`
NATGWIP=`ctdb natgwlist | head -1 | sed -e "s/^[^ ]* *//"`
CTDB_NATGW_PUBLIC_IP_HOST=`echo $CTDB_NATGW_PUBLIC_IP | sed -e "s/\/.*/\/32/"`
- if [ "$NATGWMASTER" == "-1" ]; then
- echo "There is not NATGW master node"
+
+ # block all incoming connections to the natgw address
+ iptables -D INPUT -p tcp --syn -d $CTDB_NATGW_PUBLIC_IP_HOST -j REJECT 2>/dev/null
+ iptables -I INPUT -p tcp --syn -d $CTDB_NATGW_PUBLIC_IP_HOST -j REJECT 2>/dev/null
+
+
+ if [ "$NATGWMASTER" = "-1" ]; then
+ echo "There is no NATGW master node"
exit 1
fi
# This is the first node, set it up as the NAT GW
echo 1 >/proc/sys/net/ipv4/ip_forward
iptables -A POSTROUTING -t nat -s $CTDB_NATGW_PRIVATE_NETWORK -d ! $CTDB_NATGW_PRIVATE_NETWORK -j MASQUERADE
+
+ # block all incoming connections to the natgw address
+ CTDB_NATGW_PUBLIC_IP_HOST=`echo $CTDB_NATGW_PUBLIC_IP | sed -e "s/\/.*/\/32/"`
+ iptables -D INPUT -p tcp --syn -d $CTDB_NATGW_PUBLIC_IP_HOST -j REJECT 2>/dev/null
+ iptables -I INPUT -p tcp --syn -d $CTDB_NATGW_PUBLIC_IP_HOST -j REJECT 2>/dev/null
+
ip addr add $CTDB_NATGW_PUBLIC_IP dev $CTDB_NATGW_PUBLIC_IFACE
ip route add 0.0.0.0/0 via $CTDB_NATGW_DEFAULT_GATEWAY >/dev/null 2>/dev/null
else
# We do this so that the ip address will exist on a
# non-loopback interface so that samba may send it along in the
# KDC requests.
- ip addr add $CTDB_NATGW_PUBLIC_IP_HOST dev lo scope host
ip route add 0.0.0.0/0 via $NATGWIP metric 10
+ # Make sure winbindd does not stay bound to this address
+ # if we are no longer natgwmaster
+ smbcontrol winbindd ip-dropped $CTDB_NATGW_PUBLIC_IP >/dev/null 2>/dev/null
fi
# flush our route cache
echo 1 > /proc/sys/net/ipv4/route/flush
;;
- shutdown)
+ shutdown|stopped|removenatgw)
delete_all
;;
+ *)
+ ctdb_standard_event_handler "@"
+ ;;
esac
exit 0
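Review bot: The default case at the end of the `case` passes the literal string `"@"` to the standard handler instead of the event arguments; it should read `ctdb_standard_event_handler "$@"`, otherwise the handler never sees the real event name. In the same hunk, the master branch re-derives `CTDB_NATGW_PUBLIC_IP_HOST` and deletes/re-inserts the REJECT rule that was already applied unconditionally a few lines earlier, so that second block is redundant and can be dropped. The startup check greps the unescaped address (`.` matches any character) against a hard-coded `/etc/ctdb/public_addresses` while the rest of the script sources `$CTDB_BASE/functions`; `${CTDB_BASE}/public_addresses` as the default, and matching the first field exactly rather than with a regex, would be more consistent and less fragile. Note also that the comment says "block all incoming connections to the natgw address" but the rule only rejects TCP SYN packets, so UDP and other protocols to that address are still accepted; if that is intended the comment should say `# reject new TCP connections to the natgw address (other protocols are not filtered)`. The hunk header for this section is not visible, so the exact extent of the change is inferred.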