-rw-r--r-- | scripts/vyatta-wanloadbalance.pl | 4 | ||||
-rw-r--r-- | src/lbdata.hh | 3 | ||||
-rw-r--r-- | src/lbdatafactory.cc | 9 | ||||
-rw-r--r-- | src/lbdatafactory.hh | 3 | ||||
-rw-r--r-- | src/lbdecision.cc | 99 | ||||
-rw-r--r-- | templates/load-balancing/wan/disable-local-traffic/node.def | 1 |
6 files changed, 85 insertions, 34 deletions
diff --git a/scripts/vyatta-wanloadbalance.pl b/scripts/vyatta-wanloadbalance.pl index 57e0ae1..7e1051c 100644 --- a/scripts/vyatta-wanloadbalance.pl +++ b/scripts/vyatta-wanloadbalance.pl @@ -29,6 +29,10 @@ sub write_health { print FILE_LCK "disable-source-nat\n"; } + if ($config->exists("load-balancing wan disable-local-traffic")) { + print FILE_LCK "disable-local-traffic\n"; + } + if ($config->exists("load-balancing wan flush-connections")) { print FILE_LCK "flush-conntrack\n"; } diff --git a/src/lbdata.hh b/src/lbdata.hh index 287ca35..c92c30d 100644 --- a/src/lbdata.hh +++ b/src/lbdata.hh @@ -196,7 +196,7 @@ class LBData { typedef map<string,LBHealth>::iterator InterfaceHealthIter; typedef map<string,LBHealth>::const_iterator InterfaceHealthConstIter; - LBData() : _disable_source_nat(false),_flush_conntrack(false) {} + LBData() : _disable_source_nat(false),_disable_local_traffic(false),_flush_conntrack(false) {} bool error() {return false;} @@ -223,6 +223,7 @@ class LBData { InterfaceHealthColl _iface_health_coll; bool _disable_source_nat; + bool _disable_local_traffic; bool _flush_conntrack; string _hook; }; diff --git a/src/lbdatafactory.cc b/src/lbdatafactory.cc index f708096..849e890 100644 --- a/src/lbdatafactory.cc +++ b/src/lbdatafactory.cc @@ -141,6 +141,9 @@ LBDataFactory::process(const vector<string> &path, int depth, const string &key, if (path[0] == "disable-source-nat") { process_disablesourcenat(l_key,l_value); } + else if (path[0] == "disable-local-traffic") { + process_disablelocaltraffic(l_key,l_value); + } else if (path[0] == "flush-conntrack") { process_flushconntrack(l_key,l_value); } @@ -211,6 +214,12 @@ LBDataFactory::process_disablesourcenat(const string &key, const string &value) } void +LBDataFactory::process_disablelocaltraffic(const string &key, const string &value) +{ + _lb_data._disable_local_traffic = true; +} + +void LBDataFactory::process_flushconntrack(const string &key, const string &value) { _lb_data._flush_conntrack = true; 
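Review bot: The new `process_disablelocaltraffic` in the `@@ -211` hunk of src/lbdatafactory.cc ignores both `key` and `value` and sets `_lb_data._disable_local_traffic = true` on node presence alone, which matches `process_disablesourcenat` but is not stated anywhere; a one-line comment above the assignment would save the next reader from looking for a value parser, e.g. `// node presence is the switch; key and value are intentionally unused (mirrors disable-source-nat)`. This is consistent with the Perl hunk in the same commit, which writes the bare token `disable-local-traffic` with no value, so the option can only be switched on by presence and off by absence. The constructor change in src/lbdata.hh keeps the initializer order equal to the member declaration order, so no reordering warning is introduced there.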
diff --git a/src/lbdatafactory.hh b/src/lbdatafactory.hh index f1a0896..6df9e51 100644 --- a/src/lbdatafactory.hh +++ b/src/lbdatafactory.hh @@ -44,6 +44,9 @@ private: process_disablesourcenat(const string &key, const string &value); void + process_disablelocaltraffic(const string &key, const string &value); + + void process_flushconntrack(const string &key, const string &value); void diff --git a/src/lbdecision.cc b/src/lbdecision.cc index 0f84630..ac86a48 100644 --- a/src/lbdecision.cc +++ b/src/lbdecision.cc 
@@ -118,21 +118,24 @@ if so then this stuff goes here! execute(string("iptables -t raw -A WLB_CONNTRACK -j ACCEPT"), stdout); execute(string("iptables -t raw -D PREROUTING -j WLB_CONNTRACK"), stdout); execute(string("iptables -t raw -I PREROUTING 1 -j WLB_CONNTRACK"), stdout); - execute(string("iptables -t raw -D OUTPUT -j WLB_CONNTRACK"), stdout); - execute(string("iptables -t raw -I OUTPUT 1 -j WLB_CONNTRACK"), stdout); - + + if (lbdata._disable_local_traffic == false) { + execute(string("iptables -t raw -D OUTPUT -j WLB_CONNTRACK"), stdout); + execute(string("iptables -t raw -I OUTPUT 1 -j WLB_CONNTRACK"), stdout); + } //set up mangle table execute(string("iptables -t mangle -N WANLOADBALANCE_PRE"), stdout); execute(string("iptables -t mangle -F WANLOADBALANCE_PRE"), stdout); execute(string("iptables -t mangle -A WANLOADBALANCE_PRE -j ACCEPT"), stdout); - execute(string("iptables -t mangle -N WANLOADBALANCE_OUT"), stdout); - execute(string("iptables -t mangle -F WANLOADBALANCE_OUT"), stdout); - execute(string("iptables -t mangle -A WANLOADBALANCE_OUT -j ACCEPT"), stdout); execute(string("iptables -t mangle -D PREROUTING -j WANLOADBALANCE_PRE"), stdout); execute(string("iptables -t mangle -I PREROUTING 1 -j WANLOADBALANCE_PRE"), stdout); - execute(string("iptables -t mangle -D OUTPUT -j WANLOADBALANCE_OUT"), stdout); - execute(string("iptables -t mangle -I OUTPUT 1 -j WANLOADBALANCE_OUT"), stdout); - + if (lbdata._disable_local_traffic == false) { + execute(string("iptables -t mangle -N WANLOADBALANCE_OUT"), stdout); + execute(string("iptables -t mangle -F WANLOADBALANCE_OUT"), stdout); + execute(string("iptables -t mangle -A WANLOADBALANCE_OUT -j ACCEPT"), stdout); + execute(string("iptables -t mangle -D OUTPUT -j WANLOADBALANCE_OUT"), stdout); + execute(string("iptables -t mangle -I OUTPUT 1 -j WANLOADBALANCE_OUT"), stdout); + } LBData::InterfaceHealthIter iter = lbdata._iface_health_coll.begin(); while (iter != lbdata._iface_health_coll.end()) { 
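Review bot: Wrapping the `-D OUTPUT -j WLB_CONNTRACK` and `-D OUTPUT -j WANLOADBALANCE_OUT` deletes inside `if (lbdata._disable_local_traffic == false)` means that when the option is turned on, an OUTPUT hook installed by a previous run is never removed, so locally sourced traffic keeps being marked and balanced despite the setting. The old code deleted before inserting unconditionally, and the neighbouring `-D PREROUTING` lines still appear to rely on a failing delete being harmless, so the cleanup half of each pair can stay outside the guard and only the `-N`/`-F`/`-A`/`-I` half needs it. The same applies to the shutdown hunks at `@@ -392` and `@@ -417`, where skipping `-D OUTPUT`, `-F` and `-X` when the flag is set leaves the WANLOADBALANCE_OUT chains and the raw-table hook in place if the flag changed since they were created (whether shutdown receives the old or the new LBData is not visible here). The enclosing function starts before this hunk.
```cpp
    // Always remove any OUTPUT hook left by a previous run; the later insert is
    // the only part that depends on the disable-local-traffic setting.
    execute(string("iptables -t raw -D OUTPUT -j WLB_CONNTRACK"), stdout);
    if (lbdata._disable_local_traffic == false) {
      execute(string("iptables -t raw -I OUTPUT 1 -j WLB_CONNTRACK"), stdout);
    }
    // … unchanged: WANLOADBALANCE_PRE chain setup and PREROUTING hook …
    execute(string("iptables -t mangle -D OUTPUT -j WANLOADBALANCE_OUT"), stdout);
    if (lbdata._disable_local_traffic == false) {
      execute(string("iptables -t mangle -N WANLOADBALANCE_OUT"), stdout);
      execute(string("iptables -t mangle -F WANLOADBALANCE_OUT"), stdout);
      execute(string("iptables -t mangle -A WANLOADBALANCE_OUT -j ACCEPT"), stdout);
      execute(string("iptables -t mangle -I OUTPUT 1 -j WANLOADBALANCE_OUT"), stdout);
    }
```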
@@ -278,8 +281,11 @@ LBDecision::run(LBData &lb_data) //then if we do, flush all execute("iptables -t mangle -F WANLOADBALANCE_PRE", stdout); - execute("iptables -t mangle -F WANLOADBALANCE_OUT", stdout); - execute("iptables -t mangle -A WANLOADBALANCE_OUT -m mark ! --mark 0 -j ACCEPT", stdout); //avoid packets set in prerouting table + if (lb_data._disable_local_traffic == false) { + execute("iptables -t mangle -F WANLOADBALANCE_OUT", stdout); + execute("iptables -t mangle -A WANLOADBALANCE_OUT -m mark ! --mark 0 -j ACCEPT", stdout); //avoid packets set in prerouting table + execute("iptables -t mangle -A WANLOADBALANCE_OUT --source 127.0.0.1/8 --destination 127.0.0.1/8 -j ACCEPT", stdout); //avoid packets set in prerouting table + } //new request, bug 4112. flush conntrack tables if configured if (lb_data._flush_conntrack == true) { @@ -296,7 +302,9 @@ LBDecision::run(LBData &lb_data) if (iter->second._exclude == true) { execute(string("iptables -t mangle -A WANLOADBALANCE_PRE ") + app_cmd + " -j ACCEPT", stdout); - execute(string("iptables -t mangle -A WANLOADBALANCE_OUT ") + app_cmd_local + " -j ACCEPT", stdout); + if (lb_data._disable_local_traffic == false) { + execute(string("iptables -t mangle -A WANLOADBALANCE_OUT ") + app_cmd_local + " -j ACCEPT", stdout); + } } else { map<string,float> weights = get_new_weights(lb_data,iter->second); 
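Review bot: The new loopback rule in the `@@ -278` hunk carries the copied comment `//avoid packets set in prerouting table`, which describes the `! --mark 0` rule above it and not this one; it should say what the rule actually exempts, e.g. `//loopback traffic is never balanced: accept it before any ISP_ marking rule`. The match is also written as `--source 127.0.0.1/8 --destination 127.0.0.1/8`; iptables masks that to `127.0.0.0/8` when installing the rule, so spelling the network address directly avoids a mismatch when the rule is compared against `iptables -L` output. `LBDecision::run` starts before this hunk.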
@@ -312,11 +320,13 @@ LBDecision::run(LBData &lb_data) string limit_cmd = get_limit_cmd(iter->second); execute(string("iptables -t mangle -N WANLOADBALANCE_PRE_LIMIT_") + rule_str, stdout); execute(string("iptables -t mangle -F WANLOADBALANCE_PRE_LIMIT_") + rule_str, stdout); - execute(string("iptables -t mangle -N WANLOADBALANCE_OUT_LIMIT_") + rule_str, stdout); - execute(string("iptables -t mangle -F WANLOADBALANCE_OUT_LIMIT_") + rule_str, stdout); - execute(string("iptables -t mangle -A WANLOADBALANCE_PRE ") + app_cmd + " " + limit_cmd + " -j WANLOADBALANCE_PRE_LIMIT_" + rule_str, stdout); - execute(string("iptables -t mangle -A WANLOADBALANCE_OUT ") + app_cmd_local + " " + limit_cmd + " -j WANLOADBALANCE_OUT_LIMIT_" + rule_str, stdout); + + if (lb_data._disable_local_traffic == false) { + execute(string("iptables -t mangle -N WANLOADBALANCE_OUT_LIMIT_") + rule_str, stdout); + execute(string("iptables -t mangle -F WANLOADBALANCE_OUT_LIMIT_") + rule_str, stdout); + execute(string("iptables -t mangle -A WANLOADBALANCE_OUT ") + app_cmd_local + " " + limit_cmd + " -j WANLOADBALANCE_OUT_LIMIT_" + rule_str, stdout); + } } char fbuf[20],dbuf[80]; 
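Review bot: The `-A WANLOADBALANCE_PRE ... -j WANLOADBALANCE_PRE_LIMIT_` jump is removed in this hunk and, as far as the hunk shows, never re-added: the line counts (-312,11 +320,13, four removed and six added) confirm it is a deletion rather than a context line. Without it, a rule with a limit creates and fills `WANLOADBALANCE_PRE_LIMIT_<n>` but no PREROUTING traffic is ever sent there, so limited rules stop balancing forwarded traffic regardless of the new option. Restore it outside the new guard, directly after the `-F WANLOADBALANCE_PRE_LIMIT_` line: `execute(string("iptables -t mangle -A WANLOADBALANCE_PRE ") + app_cmd + " " + limit_cmd + " -j WANLOADBALANCE_PRE_LIMIT_" + rule_str, stdout);`. The enclosing function continues on both sides of the hunk.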
@@ -328,22 +338,30 @@ LBDecision::run(LBData &lb_data) if (iter->second._limit) { //fill in limit statement here execute(string("iptables -t mangle -A WANLOADBALANCE_PRE_LIMIT_") + rule_str + " -m statistic --mode random --probability " + fbuf + " -j ISP_" + dbuf, stdout); - execute(string("iptables -t mangle -A WANLOADBALANCE_OUT_LIMIT_") + rule_str + " -m statistic --mode random --probability " + fbuf + " -j ISP_" + dbuf, stdout); + if (lb_data._disable_local_traffic == false) { + execute(string("iptables -t mangle -A WANLOADBALANCE_OUT_LIMIT_") + rule_str + " -m statistic --mode random --probability " + fbuf + " -j ISP_" + dbuf, stdout); + } } else { execute(string("iptables -t mangle -A WANLOADBALANCE_PRE ") + app_cmd + " -m statistic --mode random --probability " + fbuf + " -j ISP_" + dbuf, stdout); - execute(string("iptables -t mangle -A WANLOADBALANCE_OUT ") + app_cmd_local + " -m statistic --mode random --probability " + fbuf + " -j ISP_" + dbuf, stdout); + if (lb_data._disable_local_traffic == false) { + execute(string("iptables -t mangle -A WANLOADBALANCE_OUT ") + app_cmd_local + " -m statistic --mode random --probability " + fbuf + " -j ISP_" + dbuf, stdout); + } } } else { if (iter->second._limit) { //fill in limit statement here execute(string("iptables -t mangle -A WANLOADBALANCE_PRE_LIMIT_") + rule_str + " -m state --state NEW -m statistic --mode random --probability " + fbuf + " -j ISP_" + dbuf, stdout); - execute(string("iptables -t mangle -A WANLOADBALANCE_OUT_LIMIT_") + rule_str + " -m state --state NEW -m statistic --mode random --probability " + fbuf + " -j ISP_" + dbuf, stdout); + if (lb_data._disable_local_traffic == false) { + execute(string("iptables -t mangle -A WANLOADBALANCE_OUT_LIMIT_") + rule_str + " -m state --state NEW -m statistic --mode random --probability " + fbuf + " -j ISP_" + dbuf, stdout); + } } else { execute(string("iptables -t mangle -A WANLOADBALANCE_PRE ") + app_cmd + " -m state --state NEW -m statistic --mode random 
--probability " + fbuf + " -j ISP_" + dbuf, stdout); - execute(string("iptables -t mangle -A WANLOADBALANCE_OUT ") + app_cmd_local + " -m state --state NEW -m statistic --mode random --probability " + fbuf + " -j ISP_" + dbuf, stdout); + if (lb_data._disable_local_traffic == false) { + execute(string("iptables -t mangle -A WANLOADBALANCE_OUT ") + app_cmd_local + " -m state --state NEW -m statistic --mode random --probability " + fbuf + " -j ISP_" + dbuf, stdout); + } } } } @@ -352,13 +370,17 @@ LBDecision::run(LBData &lb_data) if (iter->second._limit) { //fill in limit statement here execute(string("iptables -t mangle -A WANLOADBALANCE_PRE_LIMIT_") + rule_str + " -j ISP_" + dbuf, stdout); - execute(string("iptables -t mangle -A WANLOADBALANCE_OUT_LIMIT_") + rule_str + " -j ISP_" + dbuf, stdout); execute(string("iptables -t mangle -A WANLOADBALANCE_PRE_LIMIT_") + rule_str + " -j ACCEPT", stdout); - execute(string("iptables -t mangle -A WANLOADBALANCE_OUT_LIMIT_") + rule_str + " -j ACCEPT", stdout); + if (lb_data._disable_local_traffic == false) { + execute(string("iptables -t mangle -A WANLOADBALANCE_OUT_LIMIT_") + rule_str + " -j ISP_" + dbuf, stdout); + execute(string("iptables -t mangle -A WANLOADBALANCE_OUT_LIMIT_") + rule_str + " -j ACCEPT", stdout); + } } else { execute(string("iptables -t mangle -A WANLOADBALANCE_PRE ") + app_cmd + " -j ISP_" + dbuf, stdout); - execute(string("iptables -t mangle -A WANLOADBALANCE_OUT ") + app_cmd_local + " -j ISP_" + dbuf, stdout); + if (lb_data._disable_local_traffic == false) { + execute(string("iptables -t mangle -A WANLOADBALANCE_OUT ") + app_cmd_local + " -j ISP_" + dbuf, stdout); + } } } 
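Review bot: Every WANLOADBALANCE_OUT* command in `LBDecision::run` is now wrapped in its own `if (lb_data._disable_local_traffic == false)` block, here and in the hunks at `@@ -278`, `@@ -296`, `@@ -312`, `@@ -366` (and with `data` in the shutdown hunks), which makes the OUT/PRE pairing harder to read than the original side-by-side lines. Computing the decision once near the top of `run`, `const bool balance_local = (lb_data._disable_local_traffic == false);`, and guarding with `if (balance_local)` keeps each pair compact and gives the condition a name that says what it means. A short comment at that point explaining that the OUT chain mirrors the PRE chain for locally generated packets, and is omitted entirely when the option is set, would also document why loopback is handled separately. Leaving the `== false` spelling alone is fine since the file already compares `_flush_conntrack == true`.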
@@ -366,15 +388,21 @@ LBDecision::run(LBData &lb_data) if (iter->second._limit) { //fill in limit statement here execute(string("iptables -t mangle -A WANLOADBALANCE_PRE_LIMIT_") + rule_str + " -m state --state NEW -j ISP_" + dbuf, stdout); - execute(string("iptables -t mangle -A WANLOADBALANCE_OUT_LIMIT_") + rule_str + " -m state --state NEW -j ISP_" + dbuf, stdout); + if (lb_data._disable_local_traffic == false) { + execute(string("iptables -t mangle -A WANLOADBALANCE_OUT_LIMIT_") + rule_str + " -m state --state NEW -j ISP_" + dbuf, stdout); + } } else { execute(string("iptables -t mangle -A WANLOADBALANCE_PRE ") + app_cmd + " -m state --state NEW -j ISP_" + dbuf, stdout); - execute(string("iptables -t mangle -A WANLOADBALANCE_OUT ") + app_cmd_local + " -m state --state NEW -j ISP_" + dbuf, stdout); + if (lb_data._disable_local_traffic == false) { + execute(string("iptables -t mangle -A WANLOADBALANCE_OUT ") + app_cmd_local + " -m state --state NEW -j ISP_" + dbuf, stdout); + } } } execute(string("iptables -t mangle -A WANLOADBALANCE_PRE ") + app_cmd + " -j CONNMARK --restore-mark", stdout); - execute(string("iptables -t mangle -A WANLOADBALANCE_OUT ") + app_cmd_local + " -j CONNMARK --restore-mark", stdout); + if (lb_data._disable_local_traffic == false) { + execute(string("iptables -t mangle -A WANLOADBALANCE_OUT ") + app_cmd_local + " -j CONNMARK --restore-mark", stdout); + } } } ++iter; 
@@ -392,21 +420,24 @@ LBDecision::shutdown(LBData &data) //then if we do, flush all execute("iptables -t mangle -D PREROUTING -j WANLOADBALANCE_PRE", stdout); - execute("iptables -t mangle -D OUTPUT -j WANLOADBALANCE_OUT", stdout); execute("iptables -t mangle -F WANLOADBALANCE_PRE", stdout); - execute("iptables -t mangle -F WANLOADBALANCE_OUT", stdout); execute("iptables -t mangle -X WANLOADBALANCE_PRE", stdout); - execute("iptables -t mangle -X WANLOADBALANCE_OUT", stdout); - + if (data._disable_local_traffic == false) { + execute("iptables -t mangle -D OUTPUT -j WANLOADBALANCE_OUT", stdout); + execute("iptables -t mangle -F WANLOADBALANCE_OUT", stdout); + execute("iptables -t mangle -X WANLOADBALANCE_OUT", stdout); + } LBData::LBRuleIter iter = data._lb_rule_coll.begin(); while (iter != data._lb_rule_coll.end()) { if (iter->second._limit) { char rule_str[20]; sprintf(rule_str,"%d",iter->first); execute(string("iptables -t mangle -F WANLOADBALANCE_PRE_LIMIT_") + rule_str,stdout); - execute(string("iptables -t mangle -F WANLOADBALANCE_OUT_LIMIT_") + rule_str,stdout); execute(string("iptables -t mangle -X WANLOADBALANCE_PRE_LIMIT_") + rule_str,stdout); - execute(string("iptables -t mangle -X WANLOADBALANCE_OUT_LIMIT_") + rule_str,stdout); + if (data._disable_local_traffic == false) { + execute(string("iptables -t mangle -F WANLOADBALANCE_OUT_LIMIT_") + rule_str,stdout); + execute(string("iptables -t mangle -X WANLOADBALANCE_OUT_LIMIT_") + rule_str,stdout); + } } ++iter; } @@ -417,7 +448,9 @@ LBDecision::shutdown(LBData &data) //clear out conntrack hooks execute(string("iptables -t raw -D PREROUTING -j WLB_CONNTRACK"), stdout); - execute(string("iptables -t raw -D OUTPUT -j WLB_CONNTRACK"), stdout); + if (data._disable_local_traffic == false) { + execute(string("iptables -t raw -D OUTPUT -j WLB_CONNTRACK"), stdout); + } execute(string("iptables -t raw -F WLB_CONNTRACK"), stdout); execute(string("iptables -t raw -X WLB_CONNTRACK"), stdout); 
diff --git a/templates/load-balancing/wan/disable-local-traffic/node.def b/templates/load-balancing/wan/disable-local-traffic/node.def new file mode 100644 index 0000000..78e2098 --- /dev/null +++ b/templates/load-balancing/wan/disable-local-traffic/node.def @@ -0,0 +1 @@ +help: Set to disable wan load balancing from balancing all locally sourced traffic. |