Add iptables rules for ns_IPaddr2

Add new parameters for ns_IPaddr2 resource: - iptables_start_rules - rules we want to add on VIP start - iptables_stop_rules - rules we want to remove on VIP stop - iptables_comment - comment to associate with new rules Use this new parameters in order to fix outgoing IP (src ip) in packets routed via default route from "haproxy" namespace. Change-Id: I4c58612ea3bd3401000939b098d90d14a85acad1 Closes-bug: #1321466
2014-05-21 20:16:18 +03:00 · 2014-05-21 20:16:18 +03:00 · 57c8f31eb0
parent e3153d1a4c
commit 57c8f31eb0
3 changed files with 93 additions and 25 deletions
--- a/deployment/puppet/cluster/files/ns_IPaddr2
+++ b/deployment/puppet/cluster/files/ns_IPaddr2
@ -148,6 +148,30 @@ Can be "", "link" or IP address.
 <content type="string" default="$OCF_RESKEY_gateway_metric_default"/>
 </parameter>

+<parameter name="iptables_start_rules">
+<longdesc lang="en">
+Iptables rules that should be started along with IP.\n
+</longdesc>
+<shortdesc lang="en">Iptables rules associated with IP start.</shortdesc>
+<content type="string" default=""/>
+</parameter>
+
+<parameter name="iptables_stop_rules">
+<longdesc lang="en">
+Iptables rules that should be stopped along with IP.\n
+</longdesc>
+<shortdesc lang="en">Iptables rules associated with IP stop.</shortdesc>
+<content type="string" default=""/>
+</parameter>
+
+<parameter name="iptables_comment">
+<longdesc lang="en">
+Iptables comment to associate with rules.\n
+</longdesc>
+<shortdesc lang="en">Iptables comment to associate with rules.</shortdesc>
+<content type="string" default="default-comment"/>
+</parameter>
+
 </parameters>
 <actions>
 <action name="start"   timeout="20s" />
@ -355,6 +379,38 @@ ip_prepare() {
  return $OCF_SUCCESS
 }

+iptables_start() {
+  local rc
+  local iptables_rules
+  local rule
+  rc=$OCF_SUCCESS
+  # setup iptables rules if given
+  if [[ ! -z $OCF_RESKEY_iptables_start_rules ]] ; then
+    IFS=';' read -a iptables_rules <<< "$OCF_RESKEY_iptables_start_rules"
+    for rule in "${iptables_rules[@]}"
+    do
+      ocf_run $rule -m comment --comment "$OCF_RESKEY_iptables_comment"
+    done
+  fi
+  return $rc
+}
+
+iptables_stop() {
+  local rc
+  local iptables_rules
+  local rule
+  rc=$OCF_SUCCESS
+  # remove iptables rules if given
+  if [[ ! -z $OCF_RESKEY_iptables_stop_rules ]] ; then
+    IFS=';' read -a iptables_rules <<< "$OCF_RESKEY_iptables_stop_rules"
+    for rule in "${iptables_rules[@]}"
+    do
+      ocf_run $rule -m comment --comment "$OCF_RESKEY_iptables_comment"
+    done
+  fi
+  return $rc
+}
+
 ip_start() {
  ip_prepare
  rc=$?
@ -362,6 +418,8 @@ ip_start() {
    # cleanun ns
    ip_stop
    rc=$OCF_ERR_GENERIC
+  else
+    iptables_start
  fi
  return $rc
 }
@ -394,6 +452,7 @@ ip_stop() {

  if [[ $rc == 0 ]] ; then
    rc=$OCF_SUCCESS  # it means stop was success
+    iptables_stop
  else
    rc=$OCF_ERR_GENERIC
  fi
--- a/deployment/puppet/cluster/manifests/virtual_ip.pp
+++ b/deployment/puppet/cluster/manifests/virtual_ip.pp
@ -33,15 +33,18 @@ define cluster::virtual_ip (
    provided_by     => 'mirantis',
    primitive_type  => 'ns_IPaddr2',
    parameters => {
-      'nic'            => $vip[nic],
-      'base_veth'      => $vip[base_veth],
-      'ns_veth'        => $vip[ns_veth],
-      'ip'             => $vip[ip],
-      'iflabel'        => $vip[iflabel] ? { undef => 'ka', default => $vip[iflabel] },
-      'cidr_netmask'   => $vip[cidr_netmask] ? { undef => '24', default => $vip[cidr_netmask] },
-      'ns'             => $vip[namespace] ? { undef => 'haproxy', default => $vip[namespace] },
-      'gateway'        => $vip[gateway] ? { undef => '', default => $vip[gateway] },
-      'gateway_metric' => $vip[gateway_metric] ? { undef => '0', default => $vip[gateway_metric] },
+      'nic'                  => $vip[nic],
+      'base_veth'            => $vip[base_veth],
+      'ns_veth'              => $vip[ns_veth],
+      'ip'                   => $vip[ip],
+      'iflabel'              => $vip[iflabel] ? { undef => 'ka', default => $vip[iflabel] },
+      'cidr_netmask'         => $vip[cidr_netmask] ? { undef => '24', default => $vip[cidr_netmask] },
+      'ns'                   => $vip[namespace] ? { undef => 'haproxy', default => $vip[namespace] },
+      'gateway'              => $vip[gateway] ? { undef => '', default => $vip[gateway] },
+      'gateway_metric'       => $vip[gateway_metric] ? { undef => '0', default => $vip[gateway_metric] },
+      'iptables_start_rules' => $vip[iptables_start_rules] ? { undef => '', default => "'${vip[iptables_start_rules]}'" },
+      'iptables_stop_rules'  => $vip[iptables_stop_rules] ? { undef => '', default => "'${vip[iptables_stop_rules]}'" },
+      'iptables_comment'     => $vip[iptables_comment] ? { undef => 'default-comment', default => "'${vip[iptables_comment]}'" },
    },
    metadata => {
      'resource-stickiness' => '1',
--- a/deployment/puppet/osnailyfacter/manifests/cluster_ha.pp
+++ b/deployment/puppet/osnailyfacter/manifests/cluster_ha.pp
@ -93,24 +93,30 @@ class osnailyfacter::cluster_ha {

  $vips = { # Do not convert to ARRAY, It can't work in 2.7
    public_old => {
-      namespace      => 'haproxy',
-      nic            => $::public_int,
-      base_veth      => "${::public_int}-hapr",
-      ns_veth        => "hapr-p",
-      ip             => $::fuel_settings['public_vip'],
-      cidr_netmask   => netmask_to_cidr($::fuel_settings['nodes'][0]['public_netmask']),
-      gateway        => 'link',
-      gateway_metric => '10',
+      namespace            => 'haproxy',
+      nic                  => $::public_int,
+      base_veth            => "${::public_int}-hapr",
+      ns_veth              => "hapr-p",
+      ip                   => $::fuel_settings['public_vip'],
+      cidr_netmask         => netmask_to_cidr($::fuel_settings['nodes'][0]['public_netmask']),
+      gateway              => 'link',
+      gateway_metric       => '10',
+      iptables_start_rules => "iptables -t mangle -I PREROUTING -i ${::public_int}-hapr -j MARK --set-mark 0x2a ; iptables -t nat -I POSTROUTING -m mark --mark 0x2a ! -o ${::public_int} -j MASQUERADE",
+      iptables_stop_rules  => "iptables -t mangle -D PREROUTING -i ${::public_int}-hapr -j MARK --set-mark 0x2a ; iptables -t nat -D POSTROUTING -m mark --mark 0x2a ! -o ${::public_int} -j MASQUERADE",
+      iptables_comment     => "masquerade-for-public-net",
    },
    management_old   => {
-      namespace      => 'haproxy',
-      nic            => $::internal_int,
-      base_veth      => "${::internal_int}-hapr",
-      ns_veth        => "hapr-m",
-      ip             => $::fuel_settings['management_vip'],
-      cidr_netmask   => netmask_to_cidr($::fuel_settings['nodes'][0]['internal_netmask']),
-      gateway        => 'link',
-      gateway_metric => '20',
+      namespace            => 'haproxy',
+      nic                  => $::internal_int,
+      base_veth            => "${::internal_int}-hapr",
+      ns_veth              => "hapr-m",
+      ip                   => $::fuel_settings['management_vip'],
+      cidr_netmask         => netmask_to_cidr($::fuel_settings['nodes'][0]['internal_netmask']),
+      gateway              => 'link',
+      gateway_metric       => '20',
+      iptables_start_rules => "iptables -t mangle -I PREROUTING -i ${::internal_int}-hapr -j MARK --set-mark 0x2b ; iptables -t nat -I POSTROUTING -m mark --mark 0x2b ! -o ${::internal_int} -j MASQUERADE",
+      iptables_stop_rules  => "iptables -t mangle -D PREROUTING -i ${::internal_int}-hapr -j MARK --set-mark 0x2b ; iptables -t nat -D POSTROUTING -m mark --mark 0x2b ! -o ${::internal_int} -j MASQUERADE",
+      iptables_comment     => "masquerade-for-management-net",
    },
  }