-rwxr-xr-x | ctdb/config/events.d/70.iscsi | 34 |
1 files changed, 29 insertions, 5 deletions
diff --git a/ctdb/config/events.d/70.iscsi b/ctdb/config/events.d/70.iscsi
index 4627822e9c..06a8f07957 100755
--- a/ctdb/config/events.d/70.iscsi
+++ b/ctdb/config/events.d/70.iscsi
@@ -21,9 +21,28 @@ is_ctdb_managed_service || exit 0
 case "$1" in
     ipreallocated)
-	# block the iscsi port
-	iptables -I INPUT 1 -p tcp --dport 3260 -j DROP
-
+	all_ips=$(ctdb -X ip | tail -n +2)
+
+	# Block the iSCSI port. Only block for the address families
+	# we have configured. This copes with, for example, ip6tables
+	# being unavailable on an IPv4-only system.
+	have_ipv4=false
+	have_ipv6=false
+	while IFS='|' read x ip pnn x ; do
+	    case "$ip" in
+		*:*) have_ipv6=true ;;
+		*) have_ipv4=true ;;
+	    esac
+	done <<EOF
+$all_ips
+EOF
+	if $have_ipv4 ; then
+	    iptables -I INPUT 1 -p tcp --dport 3260 -j DROP
+	fi
+	if $have_ipv6 ; then
+	    ip6tables -I INPUT 1 -p tcp --dport 3260 -j DROP
+	fi
+
 	# shut down the iscsi service
 	killall -9 tgtd >/dev/null 2>/dev/null
@@ -36,7 +55,8 @@ case "$1" in
 	# start the iscsi daemon
 	tgtd >/dev/null 2>/dev/null
-	ips=$(ctdb -X ip | awk -F'|' -v pnn=$this_node '$3 == pnn {print $2}')
+	# Run a script for each currently hosted public IP address
+	ips=$(echo "$all_ips" | awk -F'|' -v pnn=$this_node '$3 == pnn {print $2}')
 	for ip in $ips ; do
 	    script="${CTDB_START_ISCSI_SCRIPTS}/${ip}.sh"
 	    if [ -x "$script" ] ; then
@@ -45,10 +65,14 @@ case "$1" in
 	    fi
 	done
-	# remove all iptables rules
+	# Unblock iSCSI port. These can be unconditional (compared to
+	# blocking above), since errors are redirected.
 	while iptables -D INPUT -p tcp --dport 3260 -j DROP >/dev/null 2>&1 ; do
 	    :
 	done
+	while ip6tables -D INPUT -p tcp --dport 3260 -j DROP >/dev/null 2>&1 ; do
+	    :
+	done
 	;;
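Review bot: The new blocking logic fails open when `ctdb -X ip` produces no output: `all_ips` is then empty, both `have_ipv4` and `have_ipv6` stay false, and no DROP rule is inserted before `killall -9 tgtd`, whereas the removed line blocked port 3260 unconditionally. The pipeline's exit status is tail's, so a failure of ctdb itself is not visible either; a one-line fallback placed after the `done <<EOF` loop, `[ -n "$all_ips" ] || have_ipv4=true  # no IP list (ctdb failed?): keep the old unconditional IPv4 block`, preserves the previous safety margin without reintroducing ip6tables on IPv4-only systems. The loop's `read x ip pnn x` should also be `read -r`, although addresses contain no backslashes so that is style only. The `ipreallocated)` arm of the enclosing `case` continues past the hunk.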
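Review bot: `$this_node` is still expanded unquoted in the awk `-v pnn=$this_node` on the new `ips=` line; its assignment is outside this hunk and cannot be checked here, so quoting it, `-v pnn="$this_node"`, is the cheap way to keep an empty or unexpected value from being word-split into extra awk arguments. The `for ip in $ips` context line that follows relies on word-splitting deliberately and needs no change.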