Add iptables rules for ns_IPaddr2
Add new parameters for ns_IPaddr2 resource: - iptables_start_rules - rules we want to add on VIP start - iptables_stop_rules - rules we want to remove on VIP stop - iptables_comment - comment to associate with new rules Use these new parameters in order to fix the outgoing IP (src ip) in packets routed via the default route from the "haproxy" namespace. Change-Id: I4c58612ea3bd3401000939b098d90d14a85acad1 Closes-bug: #1321466
This commit is contained in:
parent
e3153d1a4c
commit
57c8f31eb0
|
@ -148,6 +148,30 @@ Can be "", "link" or IP address.
|
|||
<content type="string" default="$OCF_RESKEY_gateway_metric_default"/>
|
||||
</parameter>
|
||||
|
||||
<parameter name="iptables_start_rules">
|
||||
<longdesc lang="en">
|
||||
Iptables rules that should be started along with IP.\n
|
||||
</longdesc>
|
||||
<shortdesc lang="en">Iptables rules associated with IP start.</shortdesc>
|
||||
<content type="string" default=""/>
|
||||
</parameter>
|
||||
|
||||
<parameter name="iptables_stop_rules">
|
||||
<longdesc lang="en">
|
||||
Iptables rules that should be stopped along with IP.\n
|
||||
</longdesc>
|
||||
<shortdesc lang="en">Iptables rules associated with IP stop.</shortdesc>
|
||||
<content type="string" default=""/>
|
||||
</parameter>
|
||||
|
||||
<parameter name="iptables_comment">
|
||||
<longdesc lang="en">
|
||||
Iptables comment to associate with rules.\n
|
||||
</longdesc>
|
||||
<shortdesc lang="en">Iptables comment to associate with rules.</shortdesc>
|
||||
<content type="string" default="default-comment"/>
|
||||
</parameter>
|
||||
|
||||
</parameters>
|
||||
<actions>
|
||||
<action name="start" timeout="20s" />
|
||||
|
@ -355,6 +379,38 @@ ip_prepare() {
|
|||
return $OCF_SUCCESS
|
||||
}
|
||||
|
||||
iptables_start() {
|
||||
local rc
|
||||
local iptables_rules
|
||||
local rule
|
||||
rc=$OCF_SUCCESS
|
||||
# setup iptables rules if given
|
||||
if [[ ! -z $OCF_RESKEY_iptables_start_rules ]] ; then
|
||||
IFS=';' read -a iptables_rules <<< "$OCF_RESKEY_iptables_start_rules"
|
||||
for rule in "${iptables_rules[@]}"
|
||||
do
|
||||
ocf_run $rule -m comment --comment "$OCF_RESKEY_iptables_comment"
|
||||
done
|
||||
fi
|
||||
return $rc
|
||||
}
|
||||
|
||||
iptables_stop() {
|
||||
local rc
|
||||
local iptables_rules
|
||||
local rule
|
||||
rc=$OCF_SUCCESS
|
||||
# remove iptables rules if given
|
||||
if [[ ! -z $OCF_RESKEY_iptables_stop_rules ]] ; then
|
||||
IFS=';' read -a iptables_rules <<< "$OCF_RESKEY_iptables_stop_rules"
|
||||
for rule in "${iptables_rules[@]}"
|
||||
do
|
||||
ocf_run $rule -m comment --comment "$OCF_RESKEY_iptables_comment"
|
||||
done
|
||||
fi
|
||||
return $rc
|
||||
}
|
||||
|
||||
ip_start() {
|
||||
ip_prepare
|
||||
rc=$?
|
||||
|
@ -362,6 +418,8 @@ ip_start() {
|
|||
# cleanun ns
|
||||
ip_stop
|
||||
rc=$OCF_ERR_GENERIC
|
||||
else
|
||||
iptables_start
|
||||
fi
|
||||
return $rc
|
||||
}
|
||||
|
@ -394,6 +452,7 @@ ip_stop() {
|
|||
|
||||
if [[ $rc == 0 ]] ; then
|
||||
rc=$OCF_SUCCESS # it means stop was success
|
||||
iptables_stop
|
||||
else
|
||||
rc=$OCF_ERR_GENERIC
|
||||
fi
|
||||
|
|
|
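Review bot: In iptables_start the exit status of `ocf_run` is never checked: `rc` is set to `$OCF_SUCCESS` before the loop and returned unchanged, so a rule that fails to insert is reported as success, and ip_start likewise calls `iptables_start` without reading its status, leaving the VIP up without the masquerade the commit exists to add. Suggest `ocf_run $rule -m comment --comment "$OCF_RESKEY_iptables_comment" || rc=$OCF_ERR_GENERIC` in the loop and `iptables_start; rc=$?` in ip_start; iptables_stop has the same shape, where ignoring a failed `-D` is more defensible for stop but should at least be logged. The rules are also not idempotent: each start runs `-I`, so a repeated start (recovery, probe) stacks duplicate rules while stop deletes only one copy, and checking presence first (the `-C` test, if the installed iptables supports it) or looping the delete would keep the tables clean. `$rule` is intentionally word-split, which means any glob characters in a rule expand against the working directory, so the agent relies on the CIB values being trusted. The bodies of ip_start and ip_stop begin outside their hunks.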
@ -33,15 +33,18 @@ define cluster::virtual_ip (
|
|||
provided_by => 'mirantis',
|
||||
primitive_type => 'ns_IPaddr2',
|
||||
parameters => {
|
||||
'nic' => $vip[nic],
|
||||
'base_veth' => $vip[base_veth],
|
||||
'ns_veth' => $vip[ns_veth],
|
||||
'ip' => $vip[ip],
|
||||
'iflabel' => $vip[iflabel] ? { undef => 'ka', default => $vip[iflabel] },
|
||||
'cidr_netmask' => $vip[cidr_netmask] ? { undef => '24', default => $vip[cidr_netmask] },
|
||||
'ns' => $vip[namespace] ? { undef => 'haproxy', default => $vip[namespace] },
|
||||
'gateway' => $vip[gateway] ? { undef => '', default => $vip[gateway] },
|
||||
'gateway_metric' => $vip[gateway_metric] ? { undef => '0', default => $vip[gateway_metric] },
|
||||
'nic' => $vip[nic],
|
||||
'base_veth' => $vip[base_veth],
|
||||
'ns_veth' => $vip[ns_veth],
|
||||
'ip' => $vip[ip],
|
||||
'iflabel' => $vip[iflabel] ? { undef => 'ka', default => $vip[iflabel] },
|
||||
'cidr_netmask' => $vip[cidr_netmask] ? { undef => '24', default => $vip[cidr_netmask] },
|
||||
'ns' => $vip[namespace] ? { undef => 'haproxy', default => $vip[namespace] },
|
||||
'gateway' => $vip[gateway] ? { undef => '', default => $vip[gateway] },
|
||||
'gateway_metric' => $vip[gateway_metric] ? { undef => '0', default => $vip[gateway_metric] },
|
||||
'iptables_start_rules' => $vip[iptables_start_rules] ? { undef => '', default => "'${vip[iptables_start_rules]}'" },
|
||||
'iptables_stop_rules' => $vip[iptables_stop_rules] ? { undef => '', default => "'${vip[iptables_stop_rules]}'" },
|
||||
'iptables_comment' => $vip[iptables_comment] ? { undef => 'default-comment', default => "'${vip[iptables_comment]}'" },
|
||||
},
|
||||
metadata => {
|
||||
'resource-stickiness' => '1',
|
||||
|
|
|
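Review bot: The three new entries at the end of the parameters hash wrap the value in literal single quotes (`"'${vip[iptables_start_rules]}'"`), unlike every other entry in the same hash, which is passed bare. If the cs_resource provider writes the value to the CIB verbatim, the agent receives `'iptables -t mangle ...` and the first word, quote included, is what `ocf_run $rule` tries to execute; if the provider needs shell quoting for values with spaces, that belongs in the provider rather than per parameter. Suggest passing them like their neighbours, `'iptables_start_rules' => $vip[iptables_start_rules] ? { undef => '', default => $vip[iptables_start_rules] },`, and dropping the `'default-comment'` fallback here since the agent metadata already supplies that default. The enclosing `cluster::virtual_ip` define begins before this hunk.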
@ -93,24 +93,30 @@ class osnailyfacter::cluster_ha {
|
|||
|
||||
$vips = { # Do not convert to ARRAY, It can't work in 2.7
|
||||
public_old => {
|
||||
namespace => 'haproxy',
|
||||
nic => $::public_int,
|
||||
base_veth => "${::public_int}-hapr",
|
||||
ns_veth => "hapr-p",
|
||||
ip => $::fuel_settings['public_vip'],
|
||||
cidr_netmask => netmask_to_cidr($::fuel_settings['nodes'][0]['public_netmask']),
|
||||
gateway => 'link',
|
||||
gateway_metric => '10',
|
||||
namespace => 'haproxy',
|
||||
nic => $::public_int,
|
||||
base_veth => "${::public_int}-hapr",
|
||||
ns_veth => "hapr-p",
|
||||
ip => $::fuel_settings['public_vip'],
|
||||
cidr_netmask => netmask_to_cidr($::fuel_settings['nodes'][0]['public_netmask']),
|
||||
gateway => 'link',
|
||||
gateway_metric => '10',
|
||||
iptables_start_rules => "iptables -t mangle -I PREROUTING -i ${::public_int}-hapr -j MARK --set-mark 0x2a ; iptables -t nat -I POSTROUTING -m mark --mark 0x2a ! -o ${::public_int} -j MASQUERADE",
|
||||
iptables_stop_rules => "iptables -t mangle -D PREROUTING -i ${::public_int}-hapr -j MARK --set-mark 0x2a ; iptables -t nat -D POSTROUTING -m mark --mark 0x2a ! -o ${::public_int} -j MASQUERADE",
|
||||
iptables_comment => "masquerade-for-public-net",
|
||||
},
|
||||
management_old => {
|
||||
namespace => 'haproxy',
|
||||
nic => $::internal_int,
|
||||
base_veth => "${::internal_int}-hapr",
|
||||
ns_veth => "hapr-m",
|
||||
ip => $::fuel_settings['management_vip'],
|
||||
cidr_netmask => netmask_to_cidr($::fuel_settings['nodes'][0]['internal_netmask']),
|
||||
gateway => 'link',
|
||||
gateway_metric => '20',
|
||||
namespace => 'haproxy',
|
||||
nic => $::internal_int,
|
||||
base_veth => "${::internal_int}-hapr",
|
||||
ns_veth => "hapr-m",
|
||||
ip => $::fuel_settings['management_vip'],
|
||||
cidr_netmask => netmask_to_cidr($::fuel_settings['nodes'][0]['internal_netmask']),
|
||||
gateway => 'link',
|
||||
gateway_metric => '20',
|
||||
iptables_start_rules => "iptables -t mangle -I PREROUTING -i ${::internal_int}-hapr -j MARK --set-mark 0x2b ; iptables -t nat -I POSTROUTING -m mark --mark 0x2b ! -o ${::internal_int} -j MASQUERADE",
|
||||
iptables_stop_rules => "iptables -t mangle -D PREROUTING -i ${::internal_int}-hapr -j MARK --set-mark 0x2b ; iptables -t nat -D POSTROUTING -m mark --mark 0x2b ! -o ${::internal_int} -j MASQUERADE",
|
||||
iptables_comment => "masquerade-for-management-net",
|
||||
},
|
||||
}
|
||||
|
||||
|
|
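Review bot: The start and stop strings for each VIP differ only in `-I` versus `-D`, and the fwmark values `0x2a` and `0x2b` are unexplained literals repeated four times each, so a later edit to one copy silently desynchronises insert and delete (the same applies to the `management_old` block). A comment above the `public_old` entry would help the next maintainer: `# fwmarks 0x2a/0x2b tag packets arriving from the haproxy namespace veth so only that traffic is masqueraded when it leaves via another interface; start and stop strings must stay identical apart from -I/-D`. Deriving the stop string from the start string in one place, rather than maintaining both by hand, would remove the drift risk. The `osnailyfacter::cluster_ha` class begins outside this hunk.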