From 8df8f875d33bccdf5cd4a56cee7bef13f7fac7f9 Mon Sep 17 00:00:00 2001
From: slioch
Date: Mon, 8 Jun 2009 14:17:45 -0700
Subject: fix for bug 4130. Requires additional configuration outside WLB to support network reachability determination. All locally source routes need an entry in table main that satisfies reachability requirements. This is due to the output mangle table being processed after reachability determination for locally sourced routes. Note that routes will still be subject to routing by WLB (provided they match the WLB rule set).
---
 src/lbdecision.cc | 10 ++++++++++
 1 file changed, 10 insertions(+)
(limited to 'src')
diff --git a/src/lbdecision.cc b/src/lbdecision.cc
index 7030cf3..56c772d 100644
--- a/src/lbdecision.cc
+++ b/src/lbdecision.cc
@@ -118,6 +118,8 @@ if so then this stuff goes here!
 execute(string("iptables -t raw -A NAT_CONNTRACK -j ACCEPT"), stdout);
 execute(string("iptables -t raw -D PREROUTING 1"), stdout);
 execute(string("iptables -t raw -I PREROUTING 1 -j NAT_CONNTRACK"), stdout);
+ execute(string("iptables -t raw -D OUTPUT 1"), stdout);
+ execute(string("iptables -t raw -I OUTPUT 1 -j NAT_CONNTRACK"), stdout);
 LBData::InterfaceHealthIter iter = lbdata._iface_health_coll.begin();
@@ -233,6 +235,7 @@ LBDecision::run(LBData &lb_data)
 //then if we do, flush all
 execute("iptables -t mangle -F PREROUTING", stdout);
+ execute("iptables -t mangle -F OUTPUT", stdout);
 //new request, bug 4112. flush conntrack tables if configured
 if (lb_data._flush_conntrack == true) {
@@ -248,6 +251,7 @@ LBDecision::run(LBData &lb_data)
 if (iter->second._exclude == true) {
 execute(string("iptables -t mangle -A PREROUTING ") + app_cmd + " -j ACCEPT", stdout);
+ execute(string("iptables -t mangle -A OUTPUT ") + app_cmd + " -j ACCEPT", stdout);
 } else {
 map weights = get_new_weights(lb_data,iter->second);
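Review bot: The added `iptables -t raw -D OUTPUT 1` removes whatever rule currently sits at position 1 of the raw OUTPUT chain, not specifically the WLB jump, so on a host where another component has placed a raw OUTPUT rule it deletes a foreign rule, and on a first run with an empty chain the delete simply errors; the pre-existing PREROUTING pair has the same shape, but the new lines extend that exposure to locally generated traffic. Deleting by rule specification only matches the jump this code installs: `execute(string("iptables -t raw -D OUTPUT -j NAT_CONNTRACK"), stdout);` before the `-I`. The return value of execute() is not visible here, so I cannot tell whether a failed delete or insert is surfaced; if it is ignored, a failed `-I` would leave raw OUTPUT without the WLB jump while the daemon proceeds as though it were installed. The enclosing function starts and ends outside this hunk.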
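Review bot: `iptables -t mangle -F OUTPUT` flushes the entire built-in mangle OUTPUT chain, so any rule another subsystem has placed there is wiped on every WLB decision cycle; the same flush is added to shutdown() in the @@ -294 hunk, and the PREROUTING flush just above already has this property. Routing the WLB rules through a dedicated user chain (for example one created with `iptables -t mangle -N WLB_OUTPUT` and jumped to from OUTPUT, with the flush becoming `execute("iptables -t mangle -F WLB_OUTPUT", stdout);`) would confine the flush to rules this code owns and make them easy to tell apart from other rules when the ruleset is inspected during troubleshooting. Both run() and shutdown() start and end outside their hunks.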
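Review bot: Each new `-A OUTPUT` line is a verbatim copy of the `-A PREROUTING` line above it with only the chain name changed, here and five more times in the @@ -263 hunk, so the two chains will drift apart the next time someone edits one match expression and forgets its twin. A small file-local helper that appends one rule specification to both chains keeps them in lock-step and is the natural home for the comment the commit message implies, namely that OUTPUT mirrors PREROUTING for locally sourced traffic, whose reachability is decided from table main before mangle OUTPUT is consulted (bug 4130). The `map weights` context line appears to be `map<...>` with its template arguments lost in rendering rather than the file's real text. run() starts and ends outside this hunk.
```cpp
// Append one rule specification to both mangle PREROUTING (forwarded
// traffic) and mangle OUTPUT (locally sourced traffic) so the two chains
// cannot get out of step.  Locally sourced packets are still routed from
// table main before mangle OUTPUT runs, so that table must provide
// reachability on its own (bug 4130).
static void
add_mangle_rule(const string &app_cmd, const string &rest)
{
  execute(string("iptables -t mangle -A PREROUTING ") + app_cmd + rest, stdout);
  execute(string("iptables -t mangle -A OUTPUT ") + app_cmd + rest, stdout);
}

// … unchanged: run() up to the per-interface loop …
      if (iter->second._exclude == true) {
        add_mangle_rule(app_cmd, " -j ACCEPT");
      } else {
// … unchanged: weight computation; the five PREROUTING/OUTPUT pairs in the
//     @@ -263 hunk collapse to add_mangle_rule(app_cmd, "<match and target>") …
```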
@@ -263,19 +267,24 @@ LBDecision::run(LBData &lb_data)
 sprintf(dbuf,"%d",w_iter->first);
 if (lb_data._enable_source_based_routing) {
 execute(string("iptables -t mangle -A PREROUTING ") + app_cmd + " -m statistic --mode random --probability " + fbuf + " -j ISP_" + dbuf, stdout);
+ execute(string("iptables -t mangle -A OUTPUT ") + app_cmd + " -m statistic --mode random --probability " + fbuf + " -j ISP_" + dbuf, stdout);
 } else {
 execute(string("iptables -t mangle -A PREROUTING ") + app_cmd + " -m state --state NEW -m statistic --mode random --probability " + fbuf + " -j ISP_" + dbuf, stdout);
+ execute(string("iptables -t mangle -A OUTPUT ") + app_cmd + " -m state --state NEW -m statistic --mode random --probability " + fbuf + " -j ISP_" + dbuf, stdout);
 }
 }
 sprintf(dbuf,"%d",(--weights.end())->first);
 if (lb_data._enable_source_based_routing) {
 execute(string("iptables -t mangle -A PREROUTING ") + app_cmd + " -j ISP_" + dbuf, stdout);
+ execute(string("iptables -t mangle -A OUTPUT ") + app_cmd + " -j ISP_" + dbuf, stdout);
 } else {
 execute(string("iptables -t mangle -A PREROUTING ") + app_cmd + " -m state --state NEW -j ISP_" + dbuf, stdout);
+ execute(string("iptables -t mangle -A OUTPUT ") + app_cmd + " -m state --state NEW -j ISP_" + dbuf, stdout);
 }
 execute(string("iptables -t mangle -A PREROUTING ") + app_cmd + " -j CONNMARK --restore-mark", stdout);
+ execute(string("iptables -t mangle -A OUTPUT ") + app_cmd + " -j CONNMARK --restore-mark", stdout);
 }
 }
 ++iter;
@@ -294,6 +303,7 @@ LBDecision::shutdown(LBData &data)
 //then if we do, flush all
 execute("iptables -t mangle -F PREROUTING", stdout);
+ execute("iptables -t mangle -F OUTPUT", stdout);
 //clear out nat as well
 execute("iptables -t nat -F WANLOADBALANCE", stdout);
-- 
cgit v1.2.3