-rw-r--r--scripts/vyatta-wanloadbalance.pl4
-rw-r--r--src/lbdata.hh3
-rw-r--r--src/lbdatafactory.cc9
-rw-r--r--src/lbdatafactory.hh3
-rw-r--r--src/lbdecision.cc99
-rw-r--r--templates/load-balancing/wan/disable-local-traffic/node.def1
6 files changed, 85 insertions, 34 deletions
diff --git a/scripts/vyatta-wanloadbalance.pl b/scripts/vyatta-wanloadbalance.pl
index 57e0ae1..7e1051c 100644
--- a/scripts/vyatta-wanloadbalance.pl
+++ b/scripts/vyatta-wanloadbalance.pl
@@ -29,6 +29,10 @@ sub write_health {
print FILE_LCK "disable-source-nat\n";
}
+ if ($config->exists("load-balancing wan disable-local-traffic")) {
+ print FILE_LCK "disable-local-traffic\n";
+ }
+
if ($config->exists("load-balancing wan flush-connections")) {
print FILE_LCK "flush-conntrack\n";
}
diff --git a/src/lbdata.hh b/src/lbdata.hh
index 287ca35..c92c30d 100644
--- a/src/lbdata.hh
+++ b/src/lbdata.hh
@@ -196,7 +196,7 @@ class LBData {
typedef map<string,LBHealth>::iterator InterfaceHealthIter;
typedef map<string,LBHealth>::const_iterator InterfaceHealthConstIter;
- LBData() : _disable_source_nat(false),_flush_conntrack(false) {}
+ LBData() : _disable_source_nat(false),_disable_local_traffic(false),_flush_conntrack(false) {}
bool
error() {return false;}
@@ -223,6 +223,7 @@ class LBData {
InterfaceHealthColl _iface_health_coll;
bool _disable_source_nat;
+ bool _disable_local_traffic;
bool _flush_conntrack;
string _hook;
};
diff --git a/src/lbdatafactory.cc b/src/lbdatafactory.cc
index f708096..849e890 100644
--- a/src/lbdatafactory.cc
+++ b/src/lbdatafactory.cc
@@ -141,6 +141,9 @@ LBDataFactory::process(const vector<string> &path, int depth, const string &key,
if (path[0] == "disable-source-nat") {
process_disablesourcenat(l_key,l_value);
}
+ else if (path[0] == "disable-local-traffic") {
+ process_disablelocaltraffic(l_key,l_value);
+ }
else if (path[0] == "flush-conntrack") {
process_flushconntrack(l_key,l_value);
}
@@ -211,6 +214,12 @@ LBDataFactory::process_disablesourcenat(const string &key, const string &value)
}
void
+LBDataFactory::process_disablelocaltraffic(const string &key, const string &value)
+{
+ _lb_data._disable_local_traffic = true;
+}
+
+void
LBDataFactory::process_flushconntrack(const string &key, const string &value)
{
_lb_data._flush_conntrack = true;
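Review bot: `process_disablelocaltraffic` sets the flag to true for whatever key/value pair is routed to it and never reads its parameters, mirroring `process_flushconntrack` directly below; that is fine for a presence-only config node but is not obvious from the signature. Add `// presence of the disable-local-traffic node enables the flag; key and value are ignored` above the assignment so the next reader does not go looking for value parsing. Dropping the parameter names (`const string &, const string &`) would also silence unused-parameter warnings while keeping the dispatch signature shared with the sibling handlers.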
diff --git a/src/lbdatafactory.hh b/src/lbdatafactory.hh
index f1a0896..6df9e51 100644
--- a/src/lbdatafactory.hh
+++ b/src/lbdatafactory.hh
@@ -44,6 +44,9 @@ private:
process_disablesourcenat(const string &key, const string &value);
void
+ process_disablelocaltraffic(const string &key, const string &value);
+
+ void
process_flushconntrack(const string &key, const string &value);
void
diff --git a/src/lbdecision.cc b/src/lbdecision.cc
index 0f84630..ac86a48 100644
--- a/src/lbdecision.cc
+++ b/src/lbdecision.cc
@@ -118,21 +118,24 @@ if so then this stuff goes here!
execute(string("iptables -t raw -A WLB_CONNTRACK -j ACCEPT"), stdout);
execute(string("iptables -t raw -D PREROUTING -j WLB_CONNTRACK"), stdout);
execute(string("iptables -t raw -I PREROUTING 1 -j WLB_CONNTRACK"), stdout);
- execute(string("iptables -t raw -D OUTPUT -j WLB_CONNTRACK"), stdout);
- execute(string("iptables -t raw -I OUTPUT 1 -j WLB_CONNTRACK"), stdout);
-
+
+ if (lbdata._disable_local_traffic == false) {
+ execute(string("iptables -t raw -D OUTPUT -j WLB_CONNTRACK"), stdout);
+ execute(string("iptables -t raw -I OUTPUT 1 -j WLB_CONNTRACK"), stdout);
+ }
//set up mangle table
execute(string("iptables -t mangle -N WANLOADBALANCE_PRE"), stdout);
execute(string("iptables -t mangle -F WANLOADBALANCE_PRE"), stdout);
execute(string("iptables -t mangle -A WANLOADBALANCE_PRE -j ACCEPT"), stdout);
- execute(string("iptables -t mangle -N WANLOADBALANCE_OUT"), stdout);
- execute(string("iptables -t mangle -F WANLOADBALANCE_OUT"), stdout);
- execute(string("iptables -t mangle -A WANLOADBALANCE_OUT -j ACCEPT"), stdout);
execute(string("iptables -t mangle -D PREROUTING -j WANLOADBALANCE_PRE"), stdout);
execute(string("iptables -t mangle -I PREROUTING 1 -j WANLOADBALANCE_PRE"), stdout);
- execute(string("iptables -t mangle -D OUTPUT -j WANLOADBALANCE_OUT"), stdout);
- execute(string("iptables -t mangle -I OUTPUT 1 -j WANLOADBALANCE_OUT"), stdout);
-
+ if (lbdata._disable_local_traffic == false) {
+ execute(string("iptables -t mangle -N WANLOADBALANCE_OUT"), stdout);
+ execute(string("iptables -t mangle -F WANLOADBALANCE_OUT"), stdout);
+ execute(string("iptables -t mangle -A WANLOADBALANCE_OUT -j ACCEPT"), stdout);
+ execute(string("iptables -t mangle -D OUTPUT -j WANLOADBALANCE_OUT"), stdout);
+ execute(string("iptables -t mangle -I OUTPUT 1 -j WANLOADBALANCE_OUT"), stdout);
+ }
LBData::InterfaceHealthIter iter = lbdata._iface_health_coll.begin();
while (iter != lbdata._iface_health_coll.end()) {
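Review bot: The `-D OUTPUT` deletions are placed inside the two new `if (lbdata._disable_local_traffic == false)` blocks together with the inserts, so when disable-local-traffic is turned on while the OUTPUT jumps from an earlier run are still installed, the stale `-j WLB_CONNTRACK` and `-j WANLOADBALANCE_OUT` rules remain in OUTPUT and locally sourced traffic keeps being marked despite the setting. Keep the deletes unconditional and guard only chain creation and insertion: move `execute(string("iptables -t raw -D OUTPUT -j WLB_CONNTRACK"), stdout);` and `execute(string("iptables -t mangle -D OUTPUT -j WANLOADBALANCE_OUT"), stdout);` out of their respective `if` bodies. The same shape appears in the two shutdown() hunks (the `-D OUTPUT`/`-F`/`-X WANLOADBALANCE_OUT` block and the `-D OUTPUT -j WLB_CONNTRACK` line), where in addition `-X WLB_CONNTRACK` still runs unconditionally and will fail while OUTPUT references the chain, leaving it behind. The enclosing function begins before this hunk.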
@@ -278,8 +281,11 @@ LBDecision::run(LBData &lb_data)
//then if we do, flush all
execute("iptables -t mangle -F WANLOADBALANCE_PRE", stdout);
- execute("iptables -t mangle -F WANLOADBALANCE_OUT", stdout);
- execute("iptables -t mangle -A WANLOADBALANCE_OUT -m mark ! --mark 0 -j ACCEPT", stdout); //avoid packets set in prerouting table
+ if (lb_data._disable_local_traffic == false) {
+ execute("iptables -t mangle -F WANLOADBALANCE_OUT", stdout);
+ execute("iptables -t mangle -A WANLOADBALANCE_OUT -m mark ! --mark 0 -j ACCEPT", stdout); //avoid packets set in prerouting table
+ execute("iptables -t mangle -A WANLOADBALANCE_OUT --source 127.0.0.1/8 --destination 127.0.0.1/8 -j ACCEPT", stdout); //avoid packets set in prerouting table
+ }
//new request, bug 4112. flush conntrack tables if configured
if (lb_data._flush_conntrack == true) {
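Review bot: The comment on the new `--source 127.0.0.1/8 --destination 127.0.0.1/8 -j ACCEPT` line is copied from the line above and does not describe it; this rule accepts loopback-to-loopback packets in WANLOADBALANCE_OUT before they reach the per-rule ISP_ marking entries appended later in run(). Replace it with `//accept loopback traffic here so it is never handed to the ISP_ marking rules below`. Since iptables stores the masked network, the live ruleset lists this as 127.0.0.0/8; writing `127.0.0.0/8` in the source keeps the code and `iptables -S` output in step for anyone auditing the chain. run() starts before this hunk.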
@@ -296,7 +302,9 @@ LBDecision::run(LBData &lb_data)
if (iter->second._exclude == true) {
execute(string("iptables -t mangle -A WANLOADBALANCE_PRE ") + app_cmd + " -j ACCEPT", stdout);
- execute(string("iptables -t mangle -A WANLOADBALANCE_OUT ") + app_cmd_local + " -j ACCEPT", stdout);
+ if (lb_data._disable_local_traffic == false) {
+ execute(string("iptables -t mangle -A WANLOADBALANCE_OUT ") + app_cmd_local + " -j ACCEPT", stdout);
+ }
}
else {
map<string,float> weights = get_new_weights(lb_data,iter->second);
@@ -312,11 +320,13 @@ LBDecision::run(LBData &lb_data)
string limit_cmd = get_limit_cmd(iter->second);
execute(string("iptables -t mangle -N WANLOADBALANCE_PRE_LIMIT_") + rule_str, stdout);
execute(string("iptables -t mangle -F WANLOADBALANCE_PRE_LIMIT_") + rule_str, stdout);
- execute(string("iptables -t mangle -N WANLOADBALANCE_OUT_LIMIT_") + rule_str, stdout);
- execute(string("iptables -t mangle -F WANLOADBALANCE_OUT_LIMIT_") + rule_str, stdout);
-
execute(string("iptables -t mangle -A WANLOADBALANCE_PRE ") + app_cmd + " " + limit_cmd + " -j WANLOADBALANCE_PRE_LIMIT_" + rule_str, stdout);
- execute(string("iptables -t mangle -A WANLOADBALANCE_OUT ") + app_cmd_local + " " + limit_cmd + " -j WANLOADBALANCE_OUT_LIMIT_" + rule_str, stdout);
+
+ if (lb_data._disable_local_traffic == false) {
+ execute(string("iptables -t mangle -N WANLOADBALANCE_OUT_LIMIT_") + rule_str, stdout);
+ execute(string("iptables -t mangle -F WANLOADBALANCE_OUT_LIMIT_") + rule_str, stdout);
+ execute(string("iptables -t mangle -A WANLOADBALANCE_OUT ") + app_cmd_local + " " + limit_cmd + " -j WANLOADBALANCE_OUT_LIMIT_" + rule_str, stdout);
+ }
}
char fbuf[20],dbuf[80];
@@ -328,22 +338,30 @@ LBDecision::run(LBData &lb_data)
if (iter->second._limit) {
//fill in limit statement here
execute(string("iptables -t mangle -A WANLOADBALANCE_PRE_LIMIT_") + rule_str + " -m statistic --mode random --probability " + fbuf + " -j ISP_" + dbuf, stdout);
- execute(string("iptables -t mangle -A WANLOADBALANCE_OUT_LIMIT_") + rule_str + " -m statistic --mode random --probability " + fbuf + " -j ISP_" + dbuf, stdout);
+ if (lb_data._disable_local_traffic == false) {
+ execute(string("iptables -t mangle -A WANLOADBALANCE_OUT_LIMIT_") + rule_str + " -m statistic --mode random --probability " + fbuf + " -j ISP_" + dbuf, stdout);
+ }
}
else {
execute(string("iptables -t mangle -A WANLOADBALANCE_PRE ") + app_cmd + " -m statistic --mode random --probability " + fbuf + " -j ISP_" + dbuf, stdout);
- execute(string("iptables -t mangle -A WANLOADBALANCE_OUT ") + app_cmd_local + " -m statistic --mode random --probability " + fbuf + " -j ISP_" + dbuf, stdout);
+ if (lb_data._disable_local_traffic == false) {
+ execute(string("iptables -t mangle -A WANLOADBALANCE_OUT ") + app_cmd_local + " -m statistic --mode random --probability " + fbuf + " -j ISP_" + dbuf, stdout);
+ }
}
}
else {
if (iter->second._limit) {
//fill in limit statement here
execute(string("iptables -t mangle -A WANLOADBALANCE_PRE_LIMIT_") + rule_str + " -m state --state NEW -m statistic --mode random --probability " + fbuf + " -j ISP_" + dbuf, stdout);
- execute(string("iptables -t mangle -A WANLOADBALANCE_OUT_LIMIT_") + rule_str + " -m state --state NEW -m statistic --mode random --probability " + fbuf + " -j ISP_" + dbuf, stdout);
+ if (lb_data._disable_local_traffic == false) {
+ execute(string("iptables -t mangle -A WANLOADBALANCE_OUT_LIMIT_") + rule_str + " -m state --state NEW -m statistic --mode random --probability " + fbuf + " -j ISP_" + dbuf, stdout);
+ }
}
else {
execute(string("iptables -t mangle -A WANLOADBALANCE_PRE ") + app_cmd + " -m state --state NEW -m statistic --mode random --probability " + fbuf + " -j ISP_" + dbuf, stdout);
- execute(string("iptables -t mangle -A WANLOADBALANCE_OUT ") + app_cmd_local + " -m state --state NEW -m statistic --mode random --probability " + fbuf + " -j ISP_" + dbuf, stdout);
+ if (lb_data._disable_local_traffic == false) {
+ execute(string("iptables -t mangle -A WANLOADBALANCE_OUT ") + app_cmd_local + " -m state --state NEW -m statistic --mode random --probability " + fbuf + " -j ISP_" + dbuf, stdout);
+ }
}
}
}
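Review bot: `if (lb_data._disable_local_traffic == false)` is now repeated around every WANLOADBALANCE_OUT line in this hunk and the following ones, each wrapping a single execute() call, which makes the eight near-identical branches harder to compare than they need to be. A local computed once near the top of run(), `const bool balance_local = !lb_data._disable_local_traffic;`, with `if (balance_local)` at each site reads more clearly and drops the `== false` form that clang-tidy's readability-simplify-boolean-expr flags. run() starts and ends outside this hunk.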
@@ -352,13 +370,17 @@ LBDecision::run(LBData &lb_data)
if (iter->second._limit) {
//fill in limit statement here
execute(string("iptables -t mangle -A WANLOADBALANCE_PRE_LIMIT_") + rule_str + " -j ISP_" + dbuf, stdout);
- execute(string("iptables -t mangle -A WANLOADBALANCE_OUT_LIMIT_") + rule_str + " -j ISP_" + dbuf, stdout);
execute(string("iptables -t mangle -A WANLOADBALANCE_PRE_LIMIT_") + rule_str + " -j ACCEPT", stdout);
- execute(string("iptables -t mangle -A WANLOADBALANCE_OUT_LIMIT_") + rule_str + " -j ACCEPT", stdout);
+ if (lb_data._disable_local_traffic == false) {
+ execute(string("iptables -t mangle -A WANLOADBALANCE_OUT_LIMIT_") + rule_str + " -j ISP_" + dbuf, stdout);
+ execute(string("iptables -t mangle -A WANLOADBALANCE_OUT_LIMIT_") + rule_str + " -j ACCEPT", stdout);
+ }
}
else {
execute(string("iptables -t mangle -A WANLOADBALANCE_PRE ") + app_cmd + " -j ISP_" + dbuf, stdout);
- execute(string("iptables -t mangle -A WANLOADBALANCE_OUT ") + app_cmd_local + " -j ISP_" + dbuf, stdout);
+ if (lb_data._disable_local_traffic == false) {
+ execute(string("iptables -t mangle -A WANLOADBALANCE_OUT ") + app_cmd_local + " -j ISP_" + dbuf, stdout);
+ }
}
}
@@ -366,15 +388,21 @@ LBDecision::run(LBData &lb_data)
if (iter->second._limit) {
//fill in limit statement here
execute(string("iptables -t mangle -A WANLOADBALANCE_PRE_LIMIT_") + rule_str + " -m state --state NEW -j ISP_" + dbuf, stdout);
- execute(string("iptables -t mangle -A WANLOADBALANCE_OUT_LIMIT_") + rule_str + " -m state --state NEW -j ISP_" + dbuf, stdout);
+ if (lb_data._disable_local_traffic == false) {
+ execute(string("iptables -t mangle -A WANLOADBALANCE_OUT_LIMIT_") + rule_str + " -m state --state NEW -j ISP_" + dbuf, stdout);
+ }
}
else {
execute(string("iptables -t mangle -A WANLOADBALANCE_PRE ") + app_cmd + " -m state --state NEW -j ISP_" + dbuf, stdout);
- execute(string("iptables -t mangle -A WANLOADBALANCE_OUT ") + app_cmd_local + " -m state --state NEW -j ISP_" + dbuf, stdout);
+ if (lb_data._disable_local_traffic == false) {
+ execute(string("iptables -t mangle -A WANLOADBALANCE_OUT ") + app_cmd_local + " -m state --state NEW -j ISP_" + dbuf, stdout);
+ }
}
}
execute(string("iptables -t mangle -A WANLOADBALANCE_PRE ") + app_cmd + " -j CONNMARK --restore-mark", stdout);
- execute(string("iptables -t mangle -A WANLOADBALANCE_OUT ") + app_cmd_local + " -j CONNMARK --restore-mark", stdout);
+ if (lb_data._disable_local_traffic == false) {
+ execute(string("iptables -t mangle -A WANLOADBALANCE_OUT ") + app_cmd_local + " -j CONNMARK --restore-mark", stdout);
+ }
}
}
++iter;
@@ -392,21 +420,24 @@ LBDecision::shutdown(LBData &data)
//then if we do, flush all
execute("iptables -t mangle -D PREROUTING -j WANLOADBALANCE_PRE", stdout);
- execute("iptables -t mangle -D OUTPUT -j WANLOADBALANCE_OUT", stdout);
execute("iptables -t mangle -F WANLOADBALANCE_PRE", stdout);
- execute("iptables -t mangle -F WANLOADBALANCE_OUT", stdout);
execute("iptables -t mangle -X WANLOADBALANCE_PRE", stdout);
- execute("iptables -t mangle -X WANLOADBALANCE_OUT", stdout);
-
+ if (data._disable_local_traffic == false) {
+ execute("iptables -t mangle -D OUTPUT -j WANLOADBALANCE_OUT", stdout);
+ execute("iptables -t mangle -F WANLOADBALANCE_OUT", stdout);
+ execute("iptables -t mangle -X WANLOADBALANCE_OUT", stdout);
+ }
LBData::LBRuleIter iter = data._lb_rule_coll.begin();
while (iter != data._lb_rule_coll.end()) {
if (iter->second._limit) {
char rule_str[20];
sprintf(rule_str,"%d",iter->first);
execute(string("iptables -t mangle -F WANLOADBALANCE_PRE_LIMIT_") + rule_str,stdout);
- execute(string("iptables -t mangle -F WANLOADBALANCE_OUT_LIMIT_") + rule_str,stdout);
execute(string("iptables -t mangle -X WANLOADBALANCE_PRE_LIMIT_") + rule_str,stdout);
- execute(string("iptables -t mangle -X WANLOADBALANCE_OUT_LIMIT_") + rule_str,stdout);
+ if (data._disable_local_traffic == false) {
+ execute(string("iptables -t mangle -F WANLOADBALANCE_OUT_LIMIT_") + rule_str,stdout);
+ execute(string("iptables -t mangle -X WANLOADBALANCE_OUT_LIMIT_") + rule_str,stdout);
+ }
}
++iter;
}
@@ -417,7 +448,9 @@ LBDecision::shutdown(LBData &data)
//clear out conntrack hooks
execute(string("iptables -t raw -D PREROUTING -j WLB_CONNTRACK"), stdout);
- execute(string("iptables -t raw -D OUTPUT -j WLB_CONNTRACK"), stdout);
+ if (data._disable_local_traffic == false) {
+ execute(string("iptables -t raw -D OUTPUT -j WLB_CONNTRACK"), stdout);
+ }
execute(string("iptables -t raw -F WLB_CONNTRACK"), stdout);
execute(string("iptables -t raw -X WLB_CONNTRACK"), stdout);
diff --git a/templates/load-balancing/wan/disable-local-traffic/node.def b/templates/load-balancing/wan/disable-local-traffic/node.def
new file mode 100644
index 0000000..78e2098
--- /dev/null
+++ b/templates/load-balancing/wan/disable-local-traffic/node.def
@@ -0,0 +1 @@
+help: Set to disable wan load balancing from balancing all locally sourced traffic.