| author | Ewald van Geffen <ewald@abcdef.be> | 2014-08-16 03:02:15 +0200 |
|---|---|---|
| committer | Daniil Baturin <daniil@baturin.org> | 2014-10-17 09:47:49 +0200 |
| commit | 4cfc0d334a8bba6850728cb21fb53ddee061983f (patch) | |
| tree | 8f638a0554728ee196c1c41ec6491288b1e88d82 /src | |
| parent | caef7a2fa31f65003bbbb8c2ca4fc620490962e7 (diff) | |
Vyatta Bugfix 6245: Sticky incoming connection support for WLB
Signed-off-by: Daniil Baturin <daniil@baturin.org>
Diffstat (limited to 'src')
| -rw-r--r-- | src/lbdata.hh | 3 | ||||
| -rw-r--r-- | src/lbdatafactory.cc | 11 | ||||
| -rw-r--r-- | src/lbdatafactory.hh | 3 | ||||
| -rw-r--r-- | src/lbdecision.cc | 17 |
4 files changed, 31 insertions, 3 deletions
diff --git a/src/lbdata.hh b/src/lbdata.hh
index 3c86854..0b4175c 100644
--- a/src/lbdata.hh
+++ b/src/lbdata.hh
@@ -196,7 +196,7 @@ class LBData {
 typedef map<string,LBHealth>::iterator InterfaceHealthIter;
 typedef map<string,LBHealth>::const_iterator InterfaceHealthConstIter;
- LBData() : _disable_source_nat(false),_enable_local_traffic(false),_flush_conntrack(false) {}
+ LBData() : _disable_source_nat(false),_enable_local_traffic(false),_flush_conntrack(false),_sticky_inbound_connections(false) {}
 bool error() {return false;}
@@ -225,6 +225,7 @@ class LBData {
 bool _disable_source_nat;
 bool _enable_local_traffic;
 bool _flush_conntrack;
+ bool _sticky_inbound_connections;
 string _hook;
 };
diff --git a/src/lbdatafactory.cc b/src/lbdatafactory.cc
index 653e270..9729e62 100644
--- a/src/lbdatafactory.cc
+++ b/src/lbdatafactory.cc
@@ -146,6 +146,11 @@ LBDataFactory::process(const vector<string> &path, int depth, const string &key,
 else if (path[0] == "enable-local-traffic") {
 process_enablelocaltraffic(l_key,l_value);
 }
+ else if (path[0] == "sticky-connections") {
+ if (l_value == "inbound") {
+ process_stickyinboundconnections(l_key,l_value);
+ }
+ }
 else if (path[0] == "flush-conntrack") {
 process_flushconntrack(l_key,l_value);
 }
@@ -225,6 +230,12 @@ LBDataFactory::process_enablelocaltraffic(const string &key, const string &value
 }
 void
+LBDataFactory::process_stickyinboundconnections(const string &key, const string &value)
+{
+ _lb_data._sticky_inbound_connections = true;
+}
+
+void
 LBDataFactory::process_flushconntrack(const string &key, const string &value)
 {
 _lb_data._flush_conntrack = true;
diff --git a/src/lbdatafactory.hh b/src/lbdatafactory.hh
index cfa62ee..9178e00 100644
--- a/src/lbdatafactory.hh
+++ b/src/lbdatafactory.hh
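Review bot: In src/lbdatafactory.cc, the new `sticky-connections` branch of LBDataFactory::process silently drops every value other than `inbound`, so a misspelled or not-yet-supported value leaves the feature off with nothing to show why. An `else` on the inner `if` that reports the rejected `l_value` through whatever logging this file already uses would make that visible; at minimum the branch deserves a comment such as `// only "inbound" is supported; any other value is ignored`. The body of process() starts and ends outside the hunk, so any validation done earlier is not visible here.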
@@ -47,6 +47,9 @@ private:
 process_enablelocaltraffic(const string &key, const string &value);
 void
+ process_stickyinboundconnections(const string &key, const string &value);
+
+ void
 process_flushconntrack(const string &key, const string &value);
 void
diff --git a/src/lbdecision.cc b/src/lbdecision.cc
index 8774189..2dd10a6 100644
--- a/src/lbdecision.cc
+++ b/src/lbdecision.cc
@@ -22,7 +22,6 @@
 #include "lbdecision.hh"
 using namespace std;
-
 /*
 iptables -t mangle -N ISP1
 iptables -t mangle -A ISP1 -j CONNMARK --set-mark 1
@@ -164,7 +163,15 @@ if so then this stuff goes here!
 //NOTE, WILL NEED A WAY TO CLEAN UP THIS RULE ON RESTART...
 execute(string("iptables -t mangle -A ISP_") + iface + " -j ACCEPT", stdout);
-
+
+ if (lbdata._sticky_inbound_connections == true) {
+ //Mark incoming connections so that return packets go back on the same interface
+ execute(string("iptables -t mangle -N ISP_") + iface + "_IN", stdout);
+ execute(string("iptables -t mangle -F ISP_") + iface + "_IN", stdout);
+ execute(string("iptables -t mangle -A ISP_") + iface + "_IN -j CONNMARK --set-mark " + buf, stdout);
+ execute(string("iptables -t mangle -I PREROUTING -i ") + iface + " -m state --state NEW -j ISP_" + iface + "_IN", stdout);
+ }
+
 //need to force the entry on restart as the configuration may have changed.
 if (iter->second._nexthop == "dhcp") {
 if (iter->second._dhcp_nexthop.empty() == false) {
@@ -486,6 +493,12 @@ LBDecision::shutdown(LBData &data)
 execute(string("iptables -t mangle -F ISP_") + h_iter->first,stdout);
 execute(string("iptables -t mangle -X ISP_") + h_iter->first,stdout);
+ if (data._sticky_inbound_connections == true) {
+ execute(string("iptables -t mangle -D PREROUTING -i ") + h_iter->first + " -m state --state NEW -j ISP_" + h_iter->first + "_IN", stdout);
+ execute(string("iptables -t mangle -F ISP_") + h_iter->first + "_IN",stdout);
+ execute(string("iptables -t mangle -X ISP_") + h_iter->first + "_IN",stdout);
+ }
+
 ++h_iter;
 }
 }
|
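Review bot: In the src/lbdecision.cc hunk at -164, the `-I PREROUTING` jump is inserted unconditionally every time this block runs, whereas the `-N`/`-F` pair just above it is written to be re-runnable. If the block is reached again without LBDecision::shutdown having run first (the surrounding comments about restart suggest it can be), the mangle PREROUTING chain accumulates duplicate jumps. Issuing the matching delete ahead of the insert keeps it idempotent: `execute(string("iptables -t mangle -D PREROUTING -i ") + iface + " -m state --state NEW -j ISP_" + iface + "_IN", stdout);`. Separately, `iface` and `buf` are concatenated straight into the command text, so if execute() passes that string to a shell, the interface name should be validated where it is read from configuration. The enclosing function starts and ends outside the hunk.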
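Review bot: The cleanup added to LBDecision::shutdown in src/lbdecision.cc runs only when `data._sticky_inbound_connections` is true at shutdown time. If the rules were installed with the option on and the LBData passed here has it off (whether that can happen is not visible in this hunk), the PREROUTING jump and the `ISP_<iface>_IN` chain stay loaded and keep setting connmarks on new inbound connections. Removing the `if` and always issuing the three `-D`/`-F`/`-X` commands avoids stale rules, at the cost of an iptables error message when the chain was never created. A short comment, `// remove sticky-inbound rules created at startup`, would also help; the loop this sits in begins outside the hunk.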
