From: root Date: Wed, 18 Mar 2009 08:19:49 +0000 (+1100) Subject: redo how the natgw is done. just use a default route with a high metric instead of... X-Git-Tag: ctdb-1.0.76~17 X-Git-Url: http://git.samba.org/?a=commitdiff_plain;h=f03bd2b3d906dac9fb876dca54535d22e9cf1b9e;p=sahlberg%2Fctdb.git redo how the natgw is done. just use a default route with a high metric instead of fancy policyrouting --- diff --git a/config/ctdb.sysconfig b/config/ctdb.sysconfig index 03b91b60..abb9ea77 100644 --- a/config/ctdb.sysconfig +++ b/config/ctdb.sysconfig @@ -147,23 +147,18 @@ # to use NAT MASQUERADING for all traffic from the internal private network # to the external network. This node is the NAT-GW node. # -# All other nodes are set up with policy routing so that all traffic with -# a source address of the private network and a destination outside of -# the private network are instead routed through the NAT-GW node. +# All other nodes are set up with a default rote with a metric of 10 to point +# to the nat-gw node. # # The effect of this is that only when a node does not have a public address -# or a route to the external network will the node use the private address -# as the source address and only then will it use the policy routing -# through the NAT-GW. -# As long as a node has a public address and can route to the external network -# the node will always pick the public address as the source address and NAT-GW -# routing will not be used. -#NATGW_PUBLIC_IP=10.0.0.227/24 -#NATGW_PUBLIC_IFACE=eth0 -#NATGW_DEFAULT_GATEWAY=10.0.0.1 -#NATGW_PRIVATE_IFACE=eth1 -#NATGW_PRIVATE_NETWORK=10.1.1.0/24 - +# and thus no proper routes to the external world it will instead +# route all packets through the nat-gw node. +# +# NATGW_PUBLIC_IP=10.0.0.227/24 +# NATGW_PUBLIC_IFACE=eth0 +# NATGW_DEFAULT_GATEWAY=10.0.0.1 +# NATGW_PRIVATE_IFACE=eth1 +# NATGW_PRIVATE_NETWORK=10.1.1.0/24 # where to log messages # the default is /var/log/log.ctdb 
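Review bot: The new comment text has a typo, `default rote` should be `default route`, and it omits the other thing the event script now does on non-gateway nodes: NATGW_PUBLIC_IP is also added as a /32 on NATGW_PRIVATE_IFACE. Operators would also want the caveat that a metric-10 default route is only consulted when the node has no lower-metric default route, so a stale or unrelated default route on a node silently disables the NAT-GW fallback. A line such as `# The route via the NAT-GW node has metric 10 and is only used while the node has no other default route.` would cover that.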
diff --git a/config/events.d/11.natgw b/config/events.d/11.natgw
index 23fe4ae3..3f2c2c29 100644
--- a/config/events.d/11.natgw
+++ b/config/events.d/11.natgw
@@ -8,12 +8,24 @@
 . $CTDB_BASE/functions
 loadconfig ctdb
 
-[ -z "$NATGW_PUBLIC_INTERFACE" ] && exit 0
+[ -z "$NATGW_PUBLIC_IFACE" ] && exit 0
 
 cmd="$1"
 shift
 PATH=/usr/bin:/bin:/usr/sbin:/sbin:$PATH
 
+delete_all() {
+	ip addr add $NATGW_PUBLIC_IP dev $NATGW_PUBLIC_IFACE >/dev/null 2>/dev/null
+	ip addr del $NATGW_PUBLIC_IP_HOST dev $NATGW_PRIVATE_IFACE >/dev/null 2>/dev/null
+	ip route del 0.0.0.0/0 metric 10 >/dev/null 2>/dev/null
+
+	# Delete the masquerading setup from a previous iteration where we
+	# were the NAT-GW
+	iptables -D POSTROUTING -t nat -s $NATGW_PRIVATE_NETWORK -d ! $NATGW_PRIVATE_NETWORK -j MASQUERADE >/dev/null 2>/dev/null
+
+	ip addr del $NATGW_PUBLIC_IP dev $NATGW_PUBLIC_IFACE >/dev/null 2>/dev/null
+}
+
 case $cmd in 
     recovered)
 	MYPNN=`ctdb pnn | cut -d: -f2`
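Review bot: delete_all removes `$NATGW_PUBLIC_IP_HOST` from the private interface, but that variable is only assigned inside the `recovered)` arm (next hunk), so the `shutdown)` arm added in the last hunk calls delete_all with it unset; the resulting `ip addr del dev $NATGW_PRIVATE_IFACE` fails silently and the /32 public address stays configured on the private interface after shutdown. Hoisting the `NATGW_PUBLIC_IP_HOST=` assignment out of the recovered arm to just after `loadconfig ctdb` fixes both callers. The leading `ip addr add $NATGW_PUBLIC_IP dev $NATGW_PUBLIC_IFACE`, issued right before the address is deleted again, is not explained and deserves a comment stating why it is needed. The `-d ! $NATGW_PRIVATE_NETWORK` form is intrapositioned negation, which newer iptables releases deprecate in favour of `! -d $NATGW_PRIVATE_NETWORK`. Every command here also discards stderr, which is fine for idempotent cleanup but means a genuinely failing `iptables -D` (leaving MASQUERADE active on a node that is no longer the gateway) is never reported.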
@@ -22,19 +34,9 @@ case $cmd in
 	FIRST=`ctdb status -Y | grep ":0:$" | head -1`
 	FIRSTNODE=`echo $FIRST | cut -d: -f2`
 	FIRSTIP=`echo $FIRST | cut -d: -f3`
+	NATGW_PUBLIC_IP_HOST=`echo $NATGW_PUBLIC_IP | sed -e "s/\/.*/\/32/"`
 
-	# Delete everything that might have been set in a previous iteration
-	# when we were not the NAT-GW
-	ip rule del fwmark 11 table 11 >/dev/null 2>/dev/null
-	iptables -D OUTPUT -t mangle -s $NATGW_PRIVATE_NETWORK -d ! $NATGW_PRIVATE_NETWORK -j MARK --set-mark 11 >/dev/null 2>/dev/null
-	iptables -D OUTPUT -t mangle -s $NATGW_PRIVATE_NETWORK -d ! $NATGW_PRIVATE_NETWORK -p tcp --sport 22 -j ACCEPT >/dev/null 2>/dev/null
-	ip route del $NATGW_PRIVATE_NETWORK dev $NATGW_PRIVATE_IFACE table 11 >/dev/null 2>/dev/null
-	ip route del 0.0.0.0/0 dev $NATGW_PRIVATE_IFACE table 11 >/dev/null 2>/dev/null
-
-	# Delete the masquerading setup from a previous iteration where we
-	# was the NAT-GW
-	iptables -D POSTROUTING -t nat -s $NATGW_PRIVATE_NETWORK -d ! $NATGW_PRIVATE_NETWORK -j MASQUERADE >/dev/null 2>/dev/null
-	ip addr del $NATGW_PUBLIC_IP dev $NATGW_PUBLIC_IFACE >/dev/null 2>/dev/null
+	delete_all
 
 	if [ "$FIRSTNODE" == "$MYPNN" ]; then
 	    # This is the first node, set it up as the NAT GW
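Review bot: The new `NATGW_PUBLIC_IP_HOST` line forks echo and sed to replace the prefix length, and passes `$NATGW_PUBLIC_IP` through echo unquoted; plain POSIX parameter expansion gives the same result without either, `NATGW_PUBLIC_IP_HOST="${NATGW_PUBLIC_IP%%/*}/32"`. The expansion form also appends /32 when NATGW_PUBLIC_IP was configured without a prefix, where the sed version leaves the bare address. The enclosing `recovered)` arm starts before this hunk and continues past it.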
@@ -44,36 +46,20 @@ case $cmd in ip route add 0.0.0.0/0 via $NATGW_DEFAULT_GATEWAY >/dev/null 2>/dev/null else # This is not the NAT-GW - # We now need to set up a separate routing table for - # all traffic we originate and with a destination that is - # outside of the local private network and route these - # packets via the NAT-GW - - - # Mark all outgoing packets that have the private address - # as source address with fwmarker 11 - # We expect that the only time the the source address will be - # selected as the private address would be when there are - # no static or public addresses assigned at all to the node. - # Othervise the routing would have picked a different address. - # - # Except for traffic to the ssh daemon, so that it is easier - # to test in the lab without disrupting the ssh sessions - iptables -A OUTPUT -t mangle -s $NATGW_PRIVATE_NETWORK -d ! $NATGW_PRIVATE_NETWORK -p tcp --sport 22 -j ACCEPT - iptables -A OUTPUT -t mangle -s $NATGW_PRIVATE_NETWORK -d ! $NATGW_PRIVATE_NETWORK -j MARK --set-mark 11 - - - # create a routing table for the natgw traffic and set it - # up with both an interface toute for the private network - # as well as a default route that goes via the NAT-GW - ip route add $NATGW_PRIVATE_NETWORK dev $NATGW_PRIVATE_IFACE table 11 - ip route add 0.0.0.0/0 via $FIRSTIP dev $NATGW_PRIVATE_IFACE table 11 >/dev/null 2>/dev/null - - # Create a rule to use routing table 11 for these packets - ip rule add fwmark 11 table 11 + # Assign the public ip to the private interface and make + # sure we dont respond to ARPs. + # We do this so that the ip address will exist on a + # non-loopback interface so that samba may send it along in the + # KDC requests. + ip addr add $NATGW_PUBLIC_IP_HOST dev $NATGW_PRIVATE_IFACE + ip route add 0.0.0.0/0 via $FIRSTIP metric 10 fi ;; + shutdown) + delete_all + ;; + esac exit 0
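Review bot: The comment added in the non-gateway branch says the node is made to not respond to ARPs for the address, but the two commands that follow only add the /32 and the metric-10 default route; nothing sets `arp_ignore` or otherwise suppresses ARP replies for NATGW_PUBLIC_IP on NATGW_PRIVATE_IFACE, and with default Linux settings a host answers ARP for any local address on any interface. Either trim the comment to what the code does or add the per-interface `arp_ignore` sysctl it promises. `$FIRSTIP` comes from parsing `ctdb status -Y` in the previous hunk; if that yields nothing, FIRSTNODE is empty too, this branch is taken, and `ip route add 0.0.0.0/0 via metric 10` fails with a confusing parse error instead of a clear one — a guard such as `[ -n "$FIRSTIP" ] || exit 1` before the route add would make that visible. The `case` these arms belong to starts before this hunk.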