author | John Southworth <john.southworth@vyatta.com> | 2011-12-12 16:32:14 -0800 |
---|---|---|
committer | John Southworth <john.southworth@vyatta.com> | 2011-12-12 16:32:14 -0800 |
commit | 8b224e177ef4b2889d3e44940196230a24bde392 (patch) | |
tree | e4e4ef18378ba0f7264c0f0a00428a8fbad7e3d8 /scripts | |
parent | b4bae46e47eddfeb2a20c6995257710873a79cf9 (diff) | |
Add filtering to transition scripts for vmac interfaces; Make transition script able to detect if the interface is a vmac interface before applying the vmac specific changes
Diffstat (limited to 'scripts')
-rwxr-xr-x | scripts/keepalived/vyatta-keepalived.pl | 8 | ||||
-rwxr-xr-x | scripts/keepalived/vyatta-vrrp-state.pl | 30 |
2 files changed, 27 insertions, 11 deletions
diff --git a/scripts/keepalived/vyatta-keepalived.pl b/scripts/keepalived/vyatta-keepalived.pl index f7b6bfe7..5c7676ea 100755 --- a/scripts/keepalived/vyatta-keepalived.pl +++ b/scripts/keepalived/vyatta-keepalived.pl @@ -146,8 +146,10 @@ sub keepalived_get_values { } my $use_vmac = 0; + my $transition_intf = $intf; if ( $config->exists("interface") ) { $use_vmac = 1; + $transition_intf = "$intf"."v"."$group"; } my $priority = $config->returnValue("priority"); @@ -300,11 +302,11 @@ sub keepalived_get_values { } $output .= "\t\}\n"; $output .= "\tnotify_master \"$state_transition_script master "; - $output .= "$intf $group $run_master_script @vips\" \n"; + $output .= "$intf $group $transition_intf $run_master_script @vips\" \n"; $output .= "\tnotify_backup \"$state_transition_script backup "; - $output .= "$intf $group $run_backup_script @vips\" \n"; + $output .= "$intf $group $transition_intf $run_backup_script @vips\" \n"; $output .= "\tnotify_fault \"$state_transition_script fault "; - $output .= "$intf $group $run_fault_script @vips\" \n"; + $output .= "$intf $group $transition_intf $run_fault_script @vips\" \n"; $output .= "\}\n\n"; } diff --git a/scripts/keepalived/vyatta-vrrp-state.pl b/scripts/keepalived/vyatta-vrrp-state.pl index bb04df1d..d89aa061 100755 --- a/scripts/keepalived/vyatta-vrrp-state.pl +++ b/scripts/keepalived/vyatta-vrrp-state.pl @@ -46,9 +46,12 @@ sub vrrp_state_log { my $vrrp_state = $ARGV[0]; my $vrrp_intf = $ARGV[1]; my $vrrp_group = $ARGV[2]; -my $vrrp_transitionscript = $ARGV[3]; +# transition interface will contain the vmac interface +# when one is present and the vrrp interface when one is not +my $transition_intf = $ARGV[3]; +my $vrrp_transitionscript = $ARGV[4]; my @vrrp_vips; -foreach my $arg (4 .. $#ARGV) { +foreach my $arg (5 .. $#ARGV) { push @vrrp_vips, $ARGV[$arg]; } 
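Review bot: The name built at `$transition_intf = "$intf"."v"."$group";` is an undocumented contract with vyatta-vrrp-state.pl, which in this same commit decides whether to change iptables and sysctl state by pattern-matching that name. A comment above the assignment, for example `# vmac interface is named <intf>v<group>; vyatta-vrrp-state.pl recognises it by this form`, would keep the two scripts in step. The assignment itself reads more plainly as `$transition_intf = "${intf}v${group}";`. keepalived_get_values begins and ends outside the hunk.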
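Review bot: The three notify_* lines insert `$transition_intf` as a new third positional argument, ahead of the script path and the VIPs, and vyatta-vrrp-state.pl reads these by fixed `$ARGV` index, so the two files have to change in lockstep. A keepalived.conf generated before this change and still in use after the state script is updated would presumably put the script path in the interface slot, so it is worth confirming that the configuration is always regenerated on upgrade. I would add `# argument order must match the $ARGV indexes in vyatta-vrrp-state.pl` above the first notify line. The values are also written into the command string unquoted, which is safe only while the interface, group and script values are validated upstream; that validation is not visible in this hunk.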
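Review bot: `my $transition_intf = $ARGV[3];` is accepted without any check on the argument count or on the value, and the later hunks concatenate it into `system()` command strings. Validating it once, immediately after it is read, keeps a malformed or old-layout invocation from reaching iptables and sysctl: `die "unexpected transition interface\n" unless defined $transition_intf && $transition_intf =~ m/\A[\w.]+\z/;` (adjust the character class to the interface names the platform allows, and log-and-exit instead of `die` if that suits how keepalived reports notify failures). `$vrrp_group` could be checked the same way with `m/\A\d+\z/`.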
@@ -70,9 +73,16 @@ if ($vrrp_state eq 'backup') { # comment out for now, too expensive with lots of vrrp's at boot # Vyatta::Keepalived::snoop_for_master($vrrp_intf, $vrrp_group, # $vrrp_vips[0], 60); - $vrrp_intf =~ s/\./\//g; - system("sysctl -w net.ipv4.conf.".$vrrp_intf."v".$vrrp_group.".arp_filter=1"); - system("sysctl -w net.ipv4.conf.".$vrrp_intf."v".$vrrp_group.".accept_local=1"); + # Filter traffic incoming to the vmac interface when in backup state + # Delete the rule then add it to insure that we don't get duplicates + if ($transition_intf =~ m/\w+v\d+/){ + system("iptables -t raw -D VYATTA_VRRP_FILTER -i ".$transition_intf." ! -p 112 -j DROP"); + system("iptables -t raw -I VYATTA_VRRP_FILTER -i ".$transition_intf." ! -p 112 -j DROP"); + my $sysctl_intf = $transition_intf; + $sysctl_intf =~ s/\./\//g; + system("sysctl -w net.ipv4.conf.".$sysctl_intf.".arp_filter=1"); + system("sysctl -w net.ipv4.conf.".$sysctl_intf.".accept_local=1"); + } } elsif ($vrrp_state eq 'master') { # # keepalived will send gratuitous arp requests on master transition @@ -80,9 +90,13 @@ if ($vrrp_state eq 'backup') { # requests. Some of those host do respond to gratuitous arp replies # so here we will send 5 gratuitous arp replies also. # - $vrrp_intf =~ s/\./\//g; - system("sysctl -w net.ipv4.conf.".$vrrp_intf."v".$vrrp_group.".arp_filter=0"); - system("sysctl -w net.ipv4.conf.".$vrrp_intf."v".$vrrp_group.".accept_local=1"); + if ($transition_intf =~ m/\w+v\d+/){ + system("iptables -t raw -D VYATTA_VRRP_FILTER -i ".$transition_intf." ! -p 112 -j DROP"); + my $sysctl_intf = $transition_intf; + $sysctl_intf =~ s/\./\//g; + system("sysctl -w net.ipv4.conf.".$sysctl_intf.".arp_filter=0"); + system("sysctl -w net.ipv4.conf.".$sysctl_intf.".accept_local=1"); + } foreach my $vip (@vrrp_vips) { system("/usr/bin/arping -A -c5 -I $vrrp_intf $vip"); } |
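Review bot: The guard `if ($transition_intf =~ m/\w+v\d+/)` in the backup branch is unanchored, so it is a substring search rather than a check of the whole value, and whatever passes it is concatenated into single-string `system()` calls that run through the shell. Anchoring the pattern and calling iptables and sysctl in list form lets the match act as validation and keeps the value out of shell parsing. The result of the `-I` call is also ignored, so a failed insert leaves the backup unfiltered with nothing logged. The master branch in the next hunk has the same guard and the same string-form calls and would take the same change. The character class below is an assumption about permitted interface names and should be confirmed.

```perl
    # … unchanged: commented-out snoop_for_master call and the two new comment lines …
    if ($transition_intf =~ m/\A[\w.]+v\d+\z/) {
        my @drop_rule = ('VYATTA_VRRP_FILTER', '-i', $transition_intf,
                         '!', '-p', '112', '-j', 'DROP');
        # -D exits non-zero when the rule is absent; that is expected here
        system('iptables', '-t', 'raw', '-D', @drop_rule);
        system('iptables', '-t', 'raw', '-I', @drop_rule) == 0
            or warn "could not install VRRP filter on $transition_intf\n";
        # … unchanged: $sysctl_intf copy and the s/\./\//g substitution …
        system('sysctl', '-w', "net.ipv4.conf.$sysctl_intf.arp_filter=1");
        system('sysctl', '-w', "net.ipv4.conf.$sysctl_intf.accept_local=1");
    }
```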
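Review bot: The arping loop that follows the new master-branch block still uses `-I $vrrp_intf`, so with a vmac interface configured the extra gratuitous replies appear to leave the parent interface rather than `$transition_intf`. If neighbours are meant to learn the virtual MAC for the VIPs, confirm whether the vmac case should instead run `system('/usr/bin/arping', '-A', '-c5', '-I', $transition_intf, $vip);`. The list form shown also keeps `$vip` out of shell parsing, which the existing string form does not.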