[SCM] CTDB repository - branch master updated - ctdb-1.0.74-5-g95d8ddb

Ronnie Sahlberg sahlberg at samba.org
Wed Mar 18 23:18:41 GMT 2009


The branch, master has been updated
       via  95d8ddbc2dd0b159e8df003502c3c336668d2c41 (commit)
       via  f03bd2b3d906dac9fb876dca54535d22e9cf1b9e (commit)
      from  b6f7cddc68508e52bc65b357b0b77258ae96362a (commit)

http://gitweb.samba.org/?p=sahlberg/ctdb.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 95d8ddbc2dd0b159e8df003502c3c336668d2c41
Author: Ronnie Sahlberg <ronniesahlberg at gmail.com>
Date:   Thu Mar 19 10:17:44 2009 +1100

    update the natgw eventscript and documentation

commit f03bd2b3d906dac9fb876dca54535d22e9cf1b9e
Author: root <root at rcn1.VSOFS1.COM>
Date:   Wed Mar 18 19:19:49 2009 +1100

    Redo how the NAT-GW is done: just use a default route with a high metric instead of fancy policy routing.

-----------------------------------------------------------------------

Summary of changes:
 config/ctdb.sysconfig    |   25 ++++++----------
 config/events.d/11.natgw |   69 ++++++++++++++++++++--------------------------
 doc/ctdbd.1              |   32 +++++++++------------
 doc/ctdbd.1.html         |   55 ++++++++++++++++--------------------
 doc/ctdbd.1.xml          |   37 ++++++++++--------------
 5 files changed, 95 insertions(+), 123 deletions(-)


Changeset truncated at 500 lines:

diff --git a/config/ctdb.sysconfig b/config/ctdb.sysconfig
index 03b91b6..abb9ea7 100644
--- a/config/ctdb.sysconfig
+++ b/config/ctdb.sysconfig
@@ -147,23 +147,18 @@
 # to use NAT MASQUERADING for all traffic from the internal private network
 # to the external network. This node is the NAT-GW node.
 #
-# All other nodes are set up with policy routing so that all traffic with
-# a source address of the private network and a destination outside of
-# the private network are instead routed through the NAT-GW node.
+# All other nodes are set up with a default rote with a metric of 10 to point
+# to the nat-gw node.
 # 
 # The effect of this is that only when a node does not have a public address
-# or a route to the external network will the node use the private address
-# as the source address and only then will it use the policy routing
-# through the NAT-GW.
-# As long as a node has a public address and can route to the external network
-# the node will always pick the public address as the source address and NAT-GW
-# routing will not be used.
-#NATGW_PUBLIC_IP=10.0.0.227/24
-#NATGW_PUBLIC_IFACE=eth0
-#NATGW_DEFAULT_GATEWAY=10.0.0.1
-#NATGW_PRIVATE_IFACE=eth1
-#NATGW_PRIVATE_NETWORK=10.1.1.0/24
-
+# and thus no proper routes to the external world it will instead
+# route all packets through the nat-gw node.
+#
+# NATGW_PUBLIC_IP=10.0.0.227/24
+# NATGW_PUBLIC_IFACE=eth0
+# NATGW_DEFAULT_GATEWAY=10.0.0.1
+# NATGW_PRIVATE_IFACE=eth1
+# NATGW_PRIVATE_NETWORK=10.1.1.0/24
 
 # where to log messages
 # the default is /var/log/log.ctdb
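Review bot: The new comment has a typo, `rote` for `route`, and describes the metric-10 route without the condition under which the kernel uses it; since any default route with a lower metric always wins, the sentence could read `# All other nodes are set up with a default route with a metric of 10 that points to the NAT-GW node; it is only used when the node has no default route with a lower metric.` The paragraph that follows then reads as a consequence of that rule rather than a separate claim. The example assignments keep their leading `#`, so nothing in this block is active by default, which is consistent with the `[ -z "$NATGW_PUBLIC_IFACE" ] && exit 0` guard in 11.natgw.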
diff --git a/config/events.d/11.natgw b/config/events.d/11.natgw
index 23fe4ae..254a8c1 100644
--- a/config/events.d/11.natgw
+++ b/config/events.d/11.natgw
@@ -8,12 +8,24 @@
 . $CTDB_BASE/functions
 loadconfig ctdb
 
-[ -z "$NATGW_PUBLIC_INTERFACE" ] && exit 0
+[ -z "$NATGW_PUBLIC_IFACE" ] && exit 0
 
 cmd="$1"
 shift
 PATH=/usr/bin:/bin:/usr/sbin:/sbin:$PATH
 
+delete_all() {
+	ip addr add $NATGW_PUBLIC_IP dev $NATGW_PUBLIC_IFACE >/dev/null 2>/dev/null
+	ip addr del $NATGW_PUBLIC_IP_HOST dev $NATGW_PRIVATE_IFACE >/dev/null 2>/dev/null
+	ip route del 0.0.0.0/0 metric 10 >/dev/null 2>/dev/null
+
+	# Delete the masquerading setup from a previous iteration where we
+	# were the NAT-GW
+	iptables -D POSTROUTING -t nat -s $NATGW_PRIVATE_NETWORK -d ! $NATGW_PRIVATE_NETWORK -j MASQUERADE >/dev/null 2>/dev/null
+
+	ip addr del $NATGW_PUBLIC_IP dev $NATGW_PUBLIC_IFACE >/dev/null 2>/dev/null
+}
+
 case $cmd in 
      recovered)
 	MYPNN=`ctdb pnn | cut -d: -f2`
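Review bot: `delete_all` reads `$NATGW_PUBLIC_IP_HOST` in its second `ip addr del`, but that variable is only assigned inside the `recovered)` arm, so on the `shutdown)` path it expands to nothing, the deletion fails into `/dev/null`, and the public /32 stays on the private interface of every non-gateway node after ctdb stops. Assign it once before the `case`, e.g. right after the `[ -z "$NATGW_PUBLIC_IFACE" ] && exit 0` guard: `NATGW_PUBLIC_IP_HOST=${NATGW_PUBLIC_IP%/*}/32`, which also copes with a value given without a prefix length. The opening `ip addr add $NATGW_PUBLIC_IP dev $NATGW_PUBLIC_IFACE` in a teardown function is surprising and deserves a why-comment, since the reason is not visible from this hunk. With every stderr discarded none of these failures would reach the event log, which is presumably intended for best-effort cleanup but worth stating in a comment. The `case` statement opened at the end of this hunk continues past it.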
@@ -22,19 +34,9 @@ case $cmd in
 	FIRST=`ctdb status -Y | grep ":0:$" | head -1`
 	FIRSTNODE=`echo $FIRST | cut -d: -f2`
 	FIRSTIP=`echo $FIRST | cut -d: -f3`
+	NATGW_PUBLIC_IP_HOST=`echo $NATGW_PUBLIC_IP | sed -e "s/\/.*/\/32/"`
 
-	# Delete everything that might have been set in a previous iteration
-	# when we were not the NAT-GW
-	ip rule del fwmark 11 table 11 >/dev/null 2>/dev/null
-	iptables -D OUTPUT -t mangle -s $NATGW_PRIVATE_NETWORK -d ! $NATGW_PRIVATE_NETWORK -j MARK --set-mark 11 >/dev/null 2>/dev/null
-	iptables -D OUTPUT -t mangle -s $NATGW_PRIVATE_NETWORK -d ! $NATGW_PRIVATE_NETWORK -p tcp --sport 22 -j ACCEPT >/dev/null 2>/dev/null
-	ip route del $NATGW_PRIVATE_NETWORK dev $NATGW_PRIVATE_IFACE table 11 >/dev/null 2>/dev/null
-	ip route del 0.0.0.0/0 dev $NATGW_PRIVATE_IFACE table 11 >/dev/null 2>/dev/null
-
-	# Delete the masquerading setup from a previous iteration where we
-	# was the NAT-GW
-	iptables -D POSTROUTING -t nat -s $NATGW_PRIVATE_NETWORK -d ! $NATGW_PRIVATE_NETWORK -j MASQUERADE >/dev/null 2>/dev/null
-	ip addr del $NATGW_PUBLIC_IP dev $NATGW_PUBLIC_IFACE >/dev/null 2>/dev/null
+	delete_all
 
 	if [ "$FIRSTNODE" == "$MYPNN" ]; then
 		# This is the first node, set it up as the NAT GW
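Review bot: When no line of `ctdb status -Y` carries flags `0`, `FIRST` is empty and so are `FIRSTNODE` and `FIRSTIP`; the comparison on the last line then selects the non-gateway branch, which (past this hunk) runs `ip route add 0.0.0.0/0 via  metric 10` with an empty gateway, fails with a usage error, and leaves the node with no NAT-GW route after `delete_all` removed the old one. A guard after `delete_all` would make that state explicit instead of accidental: `[ -z "$FIRSTIP" ] && exit 0`. Whether a recovered event can fire with no healthy node cannot be determined from here, so treat this as a defensive check rather than a known failure. The `sed` that builds `NATGW_PUBLIC_IP_HOST` leaves a value without a `/prefix` untouched; `NATGW_PUBLIC_IP_HOST=${NATGW_PUBLIC_IP%/*}/32` handles both forms without a subprocess. The `recovered)` arm starts before this hunk and its `if` closes after it.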
@@ -44,36 +46,25 @@ case $cmd in
 		ip route add 0.0.0.0/0 via $NATGW_DEFAULT_GATEWAY >/dev/null 2>/dev/null
 	else
 		# This is not the NAT-GW
-		# We now need to set up a separate routing table for
-		# all traffic we originate and with a destination that is
-		# outside of the local private network and route these 
-		# packets via the NAT-GW
-
-
-		# Mark all outgoing packets that have the private address
-		# as source address with fwmarker 11
-		# We expect that the only time the the source address will be
-		# selected as the private address would be when there are
-		# no static or public addresses assigned at all to the node.
-		# Othervise the routing would have picked a different address.
-		#
-		# Except for traffic to the ssh daemon, so that it is easier
-		# to test in the lab without disrupting the ssh sessions
-		iptables -A OUTPUT -t mangle -s $NATGW_PRIVATE_NETWORK -d ! $NATGW_PRIVATE_NETWORK -p tcp --sport 22 -j ACCEPT
-		iptables -A OUTPUT -t mangle -s $NATGW_PRIVATE_NETWORK -d ! $NATGW_PRIVATE_NETWORK -j MARK --set-mark 11
+		# Assign the public ip to the private interface and make
+		# sure we dont respond to ARPs.
+		# We do this so that the ip address will exist on a
+		# non-loopback interface so that samba may send it along in the
+		# KDC requests.
 
-
-		# create a routing table for the natgw traffic and set it
-		# up with both an interface toute for the private network
-		# as well as a default route that goes via the NAT-GW
-		ip route add $NATGW_PRIVATE_NETWORK dev $NATGW_PRIVATE_IFACE table 11
-		ip route add 0.0.0.0/0 via $FIRSTIP dev $NATGW_PRIVATE_IFACE table 11 >/dev/null 2>/dev/null
-
-		# Create a rule to use routing table 11 for these packets
-		ip rule add fwmark 11 table 11
+		# Set the scope up as host and make sure we dont respond to ARP
+		# for this ip
+		echo 3 > /proc/sys/net/ipv4/conf/all/arp_ignore
+		ip addr add $NATGW_PUBLIC_IP_HOST dev $NATGW_PRIVATE_IFACE scope host
+		
+		ip route add 0.0.0.0/0 via $FIRSTIP metric 10
 	fi
 	;;
 
+     shutdown)
+	delete_all
+	;;
+
 esac
 
 exit 0
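Review bot: `echo 3 > /proc/sys/net/ipv4/conf/all/arp_ignore` changes a host-wide setting that affects every interface, and nothing in `delete_all` or the `shutdown)` arm restores it, so it outlives both the NAT-GW role and ctdb itself. Since the kernel applies the larger of the `all` and per-interface values, writing it for the private interface only is enough to suppress ARP replies for the host-scoped /32 added on the next line: `echo 3 > /proc/sys/net/ipv4/conf/$NATGW_PRIVATE_IFACE/arp_ignore`; if leaving it set is intended, a comment saying so would help the next reader. The same public /32 now exists on every non-gateway node's private interface, so avoiding duplicate-address answers on the private network rests entirely on that sysctl, which the comment above it should state. Note also that `delete_all` only removes the `metric 10` default route, while the gateway branch's `ip route add 0.0.0.0/0 via $NATGW_DEFAULT_GATEWAY` at the top of this hunk has no metric; unless the kernel drops it together with the deleted address, a demoted gateway node would keep a metric-0 default route that shadows the NAT-GW one. The `if` and the enclosing `case` both open before this hunk.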
diff --git a/doc/ctdbd.1 b/doc/ctdbd.1
index c332beb..e379128 100644
--- a/doc/ctdbd.1
+++ b/doc/ctdbd.1
@@ -1,11 +1,11 @@
 .\"     Title: ctdbd
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.73.2 <http://docbook.sf.net/>
-.\"      Date: 03/18/2009
+.\"      Date: 03/19/2009
 .\"    Manual: 
 .\"    Source: 
 .\"
-.TH "CTDBD" "1" "03/18/2009" "" ""
+.TH "CTDBD" "1" "03/19/2009" "" ""
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
@@ -427,7 +427,7 @@ If then the service status of CTDB depends on such services being able to always
 There are two ways to solve this problem\. The first is by assigning a static ip address for one public interface on every node which will allow every node to be able to route traffic to the public network even if there are no public addresses assigned to the node\. This is the simplest way but it uses up a lot of ip addresses since you have to assign both static and also public addresses to each node\.
 .SS "NAT\-GW"
 .PP
-A second way is to use the built in NAT\-GW feature in CTDB\. With NAT\-GW only one extra address is required for the entire cluster instead of one address per node\.
+A second way is to use the built in NAT\-GW feature in CTDB\. With NAT\-GW only one extra address is required for the entire cluster instead of one address per node\. This extra address is dedicated to traffic that originates from the cluster and is destined for the external network\.
 .PP
 In NAT\-GW one of the nodes in the cluster is designated the NAT Gateway through which all traffic that is originated in the cluster will be routed through if the public addresses are not available\.
 .SS "Configuration"
@@ -455,22 +455,18 @@ NAT\-GW is configured in /etc/sysconfig/ctdb by setting the following variables:
 # to use NAT MASQUERADING for all traffic from the internal private network
 # to the external network\. This node is the NAT\-GW node\.
 #
-# All other nodes are set up with policy routing so that all traffic with
-# a source address of the private network and a destination outside of
-# the private network are instead routed through the NAT\-GW node\.
+# All other nodes are set up with a default rote with a metric of 10 to point
+# to the nat\-gw node\.
 # 
 # The effect of this is that only when a node does not have a public address
-# or a route to the external network will the node use the private address
-# as the source address and only then will it use the policy routing
-# through the NAT\-GW\.
-# As long as a node has a public address and can route to the external network
-# the node will always pick the public address as the source address and NAT\-GW
-# routing will not be used\.
-#NATGW_PUBLIC_IP=10\.0\.0\.227/24
-#NATGW_PUBLIC_IFACE=eth0
-#NATGW_DEFAULT_GATEWAY=10\.0\.0\.1
-#NATGW_PRIVATE_IFACE=eth1
-#NATGW_PRIVATE_NETWORK=10\.1\.1\.0/24
+# and thus no proper routes to the external world it will instead
+# route all packets through the nat\-gw node\.
+#
+# NATGW_PUBLIC_IP=10\.0\.0\.227/24
+# NATGW_PUBLIC_IFACE=eth0
+# NATGW_DEFAULT_GATEWAY=10\.0\.0\.1
+# NATGW_PRIVATE_IFACE=eth1
+# NATGW_PRIVATE_NETWORK=10\.1\.1\.0/24
     
 .fi
 .RE
@@ -505,7 +501,7 @@ When the NAT\-GW fiunctionality is used, one of the nodes is elected to act as a
 .PP
 The NAT\-GW node is assigned the NATGW_PUBLIC_IP to the designated interface and the provided default route\. The NAT\-GW is configured to act as a router and to masquerade all traffic it receives from the internal private network and which is destined to the external network(s)\.
 .PP
-All other nodes are configured with policy routing so that all outgoing packets that have a source ip address belonging to the private network (which means they are not routable from the public network) are instead sent on to the designated NAT\-GW host instead of using the normal routing table\.
+All other nodes are configured with a default route of metric 10 pointing to the designated NAT GW node\.
 .PP
 This is implemented in the 11\.natgw eventscript\. Please see the eventscript for further information\.
 .SH "SEE ALSO"
diff --git a/doc/ctdbd.1.html b/doc/ctdbd.1.html
index c1eb248..61d3d93 100644
--- a/doc/ctdbd.1.html
+++ b/doc/ctdbd.1.html
@@ -441,12 +441,14 @@ CTDB_CAPABILITY_RECMASTER=no
     </p><div class="refsect2" lang="en"><a name="id2529493"></a><h3>NAT-GW</h3><p>
       A second way is to use the built in NAT-GW feature in CTDB.
       With NAT-GW only one extra address is required for the entire cluster
-      instead of one address per node.
+      instead of one address per node. This extra address is dedicated 
+      to traffic that originates from the cluster and is destined for the
+      external network.
     </p><p>
       In NAT-GW one of the nodes in the cluster is designated the NAT Gateway
       through which all traffic that is originated in the cluster will be
-      routed through if the public addresses are not available.
-    </p></div><div class="refsect2" lang="en"><a name="id2529512"></a><h3>Configuration</h3><p>
+      routed through if the public addresses are not available. 
+    </p></div><div class="refsect2" lang="en"><a name="id2529514"></a><h3>Configuration</h3><p>
       NAT-GW is configured in /etc/sysconfig/ctdb by setting the following
       variables:
     </p><pre class="screen">
@@ -469,48 +471,44 @@ CTDB_CAPABILITY_RECMASTER=no
 # to use NAT MASQUERADING for all traffic from the internal private network
 # to the external network. This node is the NAT-GW node.
 #
-# All other nodes are set up with policy routing so that all traffic with
-# a source address of the private network and a destination outside of
-# the private network are instead routed through the NAT-GW node.
+# All other nodes are set up with a default rote with a metric of 10 to point
+# to the nat-gw node.
 # 
 # The effect of this is that only when a node does not have a public address
-# or a route to the external network will the node use the private address
-# as the source address and only then will it use the policy routing
-# through the NAT-GW.
-# As long as a node has a public address and can route to the external network
-# the node will always pick the public address as the source address and NAT-GW
-# routing will not be used.
-#NATGW_PUBLIC_IP=10.0.0.227/24
-#NATGW_PUBLIC_IFACE=eth0
-#NATGW_DEFAULT_GATEWAY=10.0.0.1
-#NATGW_PRIVATE_IFACE=eth1
-#NATGW_PRIVATE_NETWORK=10.1.1.0/24
-    </pre></div><div class="refsect2" lang="en"><a name="id2529559"></a><h3>NATGW_PUBLIC_IP</h3><p>
+# and thus no proper routes to the external world it will instead
+# route all packets through the nat-gw node.
+#
+# NATGW_PUBLIC_IP=10.0.0.227/24
+# NATGW_PUBLIC_IFACE=eth0
+# NATGW_DEFAULT_GATEWAY=10.0.0.1
+# NATGW_PRIVATE_IFACE=eth1
+# NATGW_PRIVATE_NETWORK=10.1.1.0/24
+    </pre></div><div class="refsect2" lang="en"><a name="id2529555"></a><h3>NATGW_PUBLIC_IP</h3><p>
       This is an ip address in the public network that is used for all outgoing
       traffic when the public addresses are not assigned.
       This address will be assigned to one of the nodes in the cluster which
       will masquerade all traffic for the other nodes.
     </p><p>
       Format of this parameter is IPADDRESS/NETMASK
-    </p></div><div class="refsect2" lang="en"><a name="id2476134"></a><h3>NATGW_PUBLIC_IFACE</h3><p>
+    </p></div><div class="refsect2" lang="en"><a name="id2476128"></a><h3>NATGW_PUBLIC_IFACE</h3><p>
       This is the physical interface where the NATGW_PUBLIC_IP will be
       assigned to. This should be an interface connected to the public network.
     </p><p>
       Format of this parameter is INTERFACE
-    </p></div><div class="refsect2" lang="en"><a name="id2476150"></a><h3>NATGW_DEFAULT_GATEWAY</h3><p>
+    </p></div><div class="refsect2" lang="en"><a name="id2476144"></a><h3>NATGW_DEFAULT_GATEWAY</h3><p>
       This is the default gateway to use on the node that is elected to host
       the NATGW_PUBLIC_IP. This is the default gateway on the public network.
     </p><p>
       Format of this parameter is IPADDRESS
-    </p></div><div class="refsect2" lang="en"><a name="id2476166"></a><h3>NATGW_PRIVATE_IFACE</h3><p>
+    </p></div><div class="refsect2" lang="en"><a name="id2476160"></a><h3>NATGW_PRIVATE_IFACE</h3><p>
       This is the interface used for the interal private network.
     </p><p>
       Format of this parameter is INTERFACE
-    </p></div><div class="refsect2" lang="en"><a name="id2476180"></a><h3>NATGW_PRIVATE_NETWORK</h3><p>
+    </p></div><div class="refsect2" lang="en"><a name="id2476174"></a><h3>NATGW_PRIVATE_NETWORK</h3><p>
       This is the network/netmask used for the interal private network.
     </p><p>
       Format of this parameter is IPADDRESS/NETMASK
-    </p></div><div class="refsect2" lang="en"><a name="id2476194"></a><h3>Operation</h3><p>
+    </p></div><div class="refsect2" lang="en"><a name="id2476188"></a><h3>Operation</h3><p>
       When the NAT-GW fiunctionality is used, one of the nodes is elected
       to act as a NAT router for all the other nodes in the cluster when
       they need to originate traffic to the external public network.
@@ -520,18 +518,15 @@ CTDB_CAPABILITY_RECMASTER=no
       to act as a router and to masquerade all traffic it receives from the
       internal private network and which is destined to the external network(s).
     </p><p>
-      All other nodes are configured with policy routing so that all outgoing
-      packets that have a source ip address belonging to the private network
-      (which means they are not routable from the public network) are instead
-      sent on to the designated NAT-GW host instead of using the normal
-      routing table.
+      All other nodes are configured with a default route of metric 10 pointing
+      to the designated NAT GW node.
     </p><p>
       This is implemented in the 11.natgw eventscript. Please see the
       eventscript for further information.
-    </p></div></div><div class="refsect1" lang="en"><a name="id2476230"></a><h2>SEE ALSO</h2><p>
+    </p></div></div><div class="refsect1" lang="en"><a name="id2476221"></a><h2>SEE ALSO</h2><p>
       ctdb(1), onnode(1)
       <a class="ulink" href="http://ctdb.samba.org/" target="_top">http://ctdb.samba.org/</a>
-    </p></div><div class="refsect1" lang="en"><a name="id2476243"></a><h2>COPYRIGHT/LICENSE</h2><div class="literallayout"><p><br>
+    </p></div><div class="refsect1" lang="en"><a name="id2476234"></a><h2>COPYRIGHT/LICENSE</h2><div class="literallayout"><p><br>
 Copyright (C) Andrew Tridgell 2007<br>
 Copyright (C) Ronnie sahlberg 2007<br>
 <br>
diff --git a/doc/ctdbd.1.xml b/doc/ctdbd.1.xml
index 48dc0e2..d5e3824 100644
--- a/doc/ctdbd.1.xml
+++ b/doc/ctdbd.1.xml
@@ -812,12 +812,14 @@ CTDB_CAPABILITY_RECMASTER=no
     <para>
       A second way is to use the built in NAT-GW feature in CTDB.
       With NAT-GW only one extra address is required for the entire cluster
-      instead of one address per node.
+      instead of one address per node. This extra address is dedicated 
+      to traffic that originates from the cluster and is destined for the
+      external network.
     </para>
     <para>
       In NAT-GW one of the nodes in the cluster is designated the NAT Gateway
       through which all traffic that is originated in the cluster will be
-      routed through if the public addresses are not available.
+      routed through if the public addresses are not available. 
     </para>
     </refsect2>
 
@@ -846,22 +848,18 @@ CTDB_CAPABILITY_RECMASTER=no
 # to use NAT MASQUERADING for all traffic from the internal private network
 # to the external network. This node is the NAT-GW node.
 #
-# All other nodes are set up with policy routing so that all traffic with
-# a source address of the private network and a destination outside of
-# the private network are instead routed through the NAT-GW node.
+# All other nodes are set up with a default rote with a metric of 10 to point
+# to the nat-gw node.
 # 
 # The effect of this is that only when a node does not have a public address
-# or a route to the external network will the node use the private address
-# as the source address and only then will it use the policy routing
-# through the NAT-GW.
-# As long as a node has a public address and can route to the external network
-# the node will always pick the public address as the source address and NAT-GW
-# routing will not be used.
-#NATGW_PUBLIC_IP=10.0.0.227/24
-#NATGW_PUBLIC_IFACE=eth0
-#NATGW_DEFAULT_GATEWAY=10.0.0.1
-#NATGW_PRIVATE_IFACE=eth1
-#NATGW_PRIVATE_NETWORK=10.1.1.0/24
+# and thus no proper routes to the external world it will instead
+# route all packets through the nat-gw node.
+#
+# NATGW_PUBLIC_IP=10.0.0.227/24
+# NATGW_PUBLIC_IFACE=eth0
+# NATGW_DEFAULT_GATEWAY=10.0.0.1
+# NATGW_PRIVATE_IFACE=eth1
+# NATGW_PRIVATE_NETWORK=10.1.1.0/24
     </screen>
     </refsect2>
 
@@ -928,11 +926,8 @@ CTDB_CAPABILITY_RECMASTER=no
       internal private network and which is destined to the external network(s).
     </para>
     <para>
-      All other nodes are configured with policy routing so that all outgoing
-      packets that have a source ip address belonging to the private network
-      (which means they are not routable from the public network) are instead
-      sent on to the designated NAT-GW host instead of using the normal
-      routing table.
+      All other nodes are configured with a default route of metric 10 pointing
+      to the designated NAT GW node.
     </para>
     <para>
       This is implemented in the 11.natgw eventscript. Please see the

