# CTDB_CAPABILITY_RECMASTER=yes
# CTDB_CAPABILITY_LMASTER=yes
+# NAT-GW configuration
+# Some services running on nthe CTDB node may need to originate traffic to
+# remote servers before the node is assigned any IP addresses,
+# This is problematic since before the node has public addresses the node might
+# not be able to route traffic to the public networks.
+# One solution is to have static public addresses assigned with routing
+# in addition to the public address interfaces, thus guaranteeing that
+# a node always can route traffic to the external network.
+# This is the most simple solution but it uses up a large number of
+# additional ip addresses.
+#
+# A more complex solution is NAT-GW.
+# In this mode we only need one additional ip address for the cluster from
+# the exsternal public network.
+# One of the nodes in the cluster is elected to be hosting this ip address
+# so it can reach the external services. This node is also configured
+# to use NAT MASQUERADING for all traffic from the internal private network
+# to the external network. This node is the NAT-GW node.
+#
+# All other nodes are set up with policy routing so that all traffic with
+# a source address of the private network and a destination outside of
+# the private network are instead routed through the NAT-GW node.
+#
+# The effect of this is that only when a node does not have a public address
+# or a route to the external network will the node use the private address
+# as the source address and only then will it use the policy routing
+# through the NAT-GW.
+# As long as a node has a public address and can route to the external network
+# the node will always pick the public address as the source address and NAT-GW
+# routing will not be used.
+#NATGW_PUBLIC_IP=10.0.0.227/24
+#NATGW_PUBLIC_IFACE=eth0
+#NATGW_DEFAULT_GATEWAY=10.0.0.1
+#NATGW_PRIVATE_IFACE=eth0
+#NATGW_PRIVATE_NETWORK=10.0.0.0/24
+
+
# where to log messages
# the default is /var/log/log.ctdb
# CTDB_LOGFILE=/var/log/log.ctdb
--- /dev/null
+#!/bin/sh
+# Script to set up one of the nodes as a NAT gateway for all other nodes.
+# This is used to ensure that all nodes in the cluster can still originate
+# traffic to the external network even if there are no public addresses
+# available.
+#
+
+. $CTDB_BASE/functions
+loadconfig ctdb
+
+[ -z "$NATGW_PUBLIC_INTERFACE" ] && exit 0
+
+cmd="$1"
+shift
+PATH=/usr/bin:/bin:/usr/sbin:/sbin:$PATH
+
+case $cmd in
+ recovered)
+ MYPNN=`ctdb pnn | cut -d: -f2`
+
+ # Find the first connected node
+ FIRST=`ctdb status -Y | grep ":0:$" | head -1`
+ FIRSTNODE=`echo $FIRST | cut -d: -f2`
+ FIRSTIP=`echo $FIRST | cut -d: -f3`
+
+ # Delete everything that might have been set in a previous iteration
+ # when we were not the NAT-GW
+ ip rule del fwmark 11 table 11 >/dev/null 2>/dev/null
+ iptables -D OUTPUT -t mangle -s $NATGW_PRIVATE_NETWORK -d ! $NATGW_PRIVATE_NETWORK -j MARK --set-mark 11 >/dev/null 2>/dev/null
+ iptables -D OUTPUT -t mangle -s $NATGW_PRIVATE_NETWORK -d ! $NATGW_PRIVATE_NETWORK -p tcp --sport 22 -j ACCEPT >/dev/null 2>/dev/null
+ ip route del $NATGW_PRIVATE_NETWORK dev $NATGW_PRIVATE_IFACE table 11 >/dev/null 2>/dev/null
+ ip route del 0.0.0.0/0 dev $NATGW_PRIVATE_IFACE table 11 >/dev/null 2>/dev/null
+
+ # Delete the masquerading setup from a previous iteration where we
+ # was the NAT-GW
+ iptables -D POSTROUTING -t nat -s $NATGW_PRIVATE_NETWORK -d ! $NATGW_PRIVATE_NETWORK -j MASQUERADE >/dev/null 2>/dev/null
+ ip addr del $NATGW_PUBLIC_IP dev $NATGW_PUBLIC_IFACE >/dev/null 2>/dev/null
+
+ if [ "$FIRSTNODE" == "$MYPNN" ]; then
+ # This is the first node, set it up as the NAT GW
+ echo 1 >/proc/sys/net/ipv4/ip_forward
+ iptables -A POSTROUTING -t nat -s $NATGW_PRIVATE_NETWORK -d ! $NATGW_PRIVATE_NETWORK -j MASQUERADE
+ ip addr add $NATGW_PUBLIC_IP dev $NATGW_PUBLIC_IFACE
+ ip route add 0.0.0.0/0 via $NATGW_DEFAULT_GATEWAY >/dev/null 2>/dev/null
+ else
+ # This is not the NAT-GW
+ # We now need to set up a separate routing table for
+ # all traffic we originate and with a destination that is
+ # outside of the local private network and route these
+ # packets via the NAT-GW
+
+
+ # Mark all outgoing packets that have the private address
+ # as source address with fwmarker 11
+ # We expect that the only time the the source address will be
+ # selected as the private address would be when there are
+ # no static or public addresses assigned at all to the node.
+ # Othervise the routing would have picked a different address.
+ #
+ # Except for traffic to the ssh daemon, so that it is easier
+ # to test in the lab without disrupting the ssh sessions
+ iptables -A OUTPUT -t mangle -s $NATGW_PRIVATE_NETWORK -d ! $NATGW_PRIVATE_NETWORK -p tcp --sport 22 -j ACCEPT
+ iptables -A OUTPUT -t mangle -s $NATGW_PRIVATE_NETWORK -d ! $NATGW_PRIVATE_NETWORK -j MARK --set-mark 11
+
+
+ # create a routing table for the natgw traffic and set it
+ # up with both an interface toute for the private network
+ # as well as a default route that goes via the NAT-GW
+ ip route add $NATGW_PRIVATE_NETWORK dev $NATGW_PRIVATE_IFACE table 11
+ ip route add 0.0.0.0/0 via $FIRSTIP dev $NATGW_PRIVATE_IFACE table 11 >/dev/null 2>/dev/null
+
+ # Create a rule to use routing table 11 for these packets
+ ip rule add fwmark 11 table 11
+ fi
+ ;;
+
+esac
+
+exit 0
git.samba.org / sahlberg / ctdb.git / commitdiff