author | Martin Schwenke <martin@meltin.net> | 2014-12-30 17:01:21 +1100 |
---|---|---|
committer | Amitay Isaacs <amitay@samba.org> | 2015-01-28 06:01:08 +0100 |
commit | d1bd26e5eb25aee2ce82ef178692a64073a99aa0 (patch) | |
tree | da322e2cec31d43d28dae638c9c8c74695a0b367 /ctdb | |
parent | 4ea40ed0c1e054b26488158ded8cc0b7eda1c302 (diff) | |
ctdb-scripts: Make 70.iscsi IPv6-aware
Block the iSCSI port for the address families of all addresses the node is configured to
host.
Could just unconditionally add blocking using ip6tables instead.
However, this would produce errors when no IPv6 public addresses are
configured and ip6tables is not installed.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Diffstat (limited to 'ctdb')
-rwxr-xr-x | ctdb/config/events.d/70.iscsi | 34 |
1 files changed, 29 insertions, 5 deletions
diff --git a/ctdb/config/events.d/70.iscsi b/ctdb/config/events.d/70.iscsi
index 4627822e9c..06a8f07957 100755
--- a/ctdb/config/events.d/70.iscsi
+++ b/ctdb/config/events.d/70.iscsi
@@ -21,9 +21,28 @@ is_ctdb_managed_service || exit 0
 case "$1" in
 ipreallocated)
- # block the iscsi port
- iptables -I INPUT 1 -p tcp --dport 3260 -j DROP
-
+ all_ips=$(ctdb -X ip | tail -n +2)
+
+ # Block the iSCSI port. Only block for the address families
+ # we have configured. This copes with, for example, ip6tables
+ # being unavailable on an IPv4-only system.
+ have_ipv4=false
+ have_ipv6=false
+ while IFS='|' read x ip pnn x ; do
+ case "$ip" in
+ *:*) have_ipv6=true ;;
+ *) have_ipv4=true ;;
+ esac
+ done <<EOF
+$all_ips
+EOF
+ if $have_ipv4 ; then
+ iptables -I INPUT 1 -p tcp --dport 3260 -j DROP
+ fi
+ if $have_ipv6 ; then
+ ip6tables -I INPUT 1 -p tcp --dport 3260 -j DROP
+ fi
+
 # shut down the iscsi service
 killall -9 tgtd >/dev/null 2>/dev/null
@@ -36,7 +55,8 @@ case "$1" in
 # start the iscsi daemon
 tgtd >/dev/null 2>/dev/null
- ips=$(ctdb -X ip | awk -F'|' -v pnn=$this_node '$3 == pnn {print $2}')
+ # Run a script for each currently hosted public IP address
+ ips=$(echo "$all_ips" | awk -F'|' -v pnn=$this_node '$3 == pnn {print $2}')
 for ip in $ips ; do
 script="${CTDB_START_ISCSI_SCRIPTS}/${ip}.sh"
 if [ -x "$script" ] ; then
@@ -45,10 +65,14 @@ case "$1" in
 fi
 done
- # remove all iptables rules
+ # Unblock iSCSI port. These can be unconditional (compared to
+ # blocking above), since errors are redirected.
 while iptables -D INPUT -p tcp --dport 3260 -j DROP >/dev/null 2>&1 ; do
 :
 done
+ while ip6tables -D INPUT -p tcp --dport 3260 -j DROP >/dev/null 2>&1 ; do
+ :
+ done
 ;;
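Review bot: The empty-output case in the first hunk is handled only by accident: when `ctdb -X ip` fails or lists no addresses, `all_ips` is empty, the here-document still feeds one blank line to `read`, the `*)` arm matches and `have_ipv4=true`, so the IPv4 block that used to be unconditional survives by side effect rather than by design. That fallback is worth making explicit so a later cleanup (for example skipping blank lines in the loop) cannot silently leave the port open; after the loop add `# Nothing listed (or "ctdb ip" failed): keep the previous unconditional IPv4 block` and `[ -n "$all_ips" ] || have_ipv4=true`. The exit status of `ctdb -X ip` is also discarded by the pipeline, and the second hunk derives `ips` from the same variable, so a failed query silently runs no start scripts there. The loop should also use `read -r`, i.e. `while IFS='|' read -r x ip pnn x ; do`, so a backslash in the input is not interpreted. The `ipreallocated)` arm continues past the end of the hunk.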