From: Martin Schwenke
Date: Mon, 23 Oct 2023 03:17:36 +0000 (+1100)
Subject: ctdb-scripts: Track connections for all ports for public IPs
X-Git-Tag: samba-4.20.7~25
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1531eb538830fbb005f5e4794eadd506d4af0077;p=thirdparty%2Fsamba.git

ctdb-scripts: Track connections for all ports for public IPs

Currently TCP ports like NFS lock manager are not tracked. It is easier to track all connections than to add a configuration system to try to track specified ports, so do that.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15320
RN: Update CTDB to track all TCP connections to public IP addresses

Signed-off-by: Martin Schwenke
Reviewed-by: Volker Lendecke
Reviewed-by: Jerry Heyman

(cherry picked from commit 590a86dbe4adf45ac8d15497934e25ea98148034)

Autobuild-User(v4-20-test): Jule Anger
Autobuild-Date(v4-20-test): Mon Nov 25 13:58:45 UTC 2024 on atb-devel-224
---

diff --git a/ctdb/config/events/legacy/10.interface.script b/ctdb/config/events/legacy/10.interface.script
index d7d830bf133..4bee4fa29ec 100755
--- a/ctdb/config/events/legacy/10.interface.script
+++ b/ctdb/config/events/legacy/10.interface.script
@@ -266,7 +266,7 @@ ipreallocated)
 monitor)
 	monitor_interfaces || exit 1
-	update_tickles 2049
+	update_tickles
 	;;
 esac
diff --git a/ctdb/config/functions b/ctdb/config/functions
index 7d371e81505..75f55f58e2a 100755
--- a/ctdb/config/functions
+++ b/ctdb/config/functions
@@ -1149,8 +1149,6 @@ nfs_callout()
 update_tickles()
 {
-	_port="$1"
-
 	tickledir="${CTDB_SCRIPT_VARDIR}/tickles"
 	mkdir -p "$tickledir"
@@ -1159,17 +1157,16 @@ update_tickles()
 		return
 	fi
-	# IPs and port as ss filters
+	# IPs ss filter
 	_ip_filter=""
 	while read -r _ip; do
 		_ip_filter="${_ip_filter}${_ip_filter:+ || }src [${_ip}]"
 	done <"$CTDB_MY_PUBLIC_IPS_CACHE"
-	_port_filter="sport == :${_port}"
 	# Record our current tickles in a temporary file
-	_my_tickles="${tickledir}/${_port}.tickles.$$"
+	_my_tickles="${tickledir}/all.tickles.$$"
 	while read -r _i; do
-		$CTDB -X gettickles "$_i" "$_port" |
+		$CTDB -X gettickles "$_i" |
 			awk -F'|' 'NR > 1 { printf "%s:%s %s:%s\n", $2, $3, $4, $5 }'
 	done <"$CTDB_MY_PUBLIC_IPS_CACHE" | sort >"$_my_tickles"
@@ -1178,12 +1175,10 @@ update_tickles()
 	# This temporary file is in CTDB's private state directory and
 	# $$ is used to avoid a very rare race involving CTDB's script
 	# debugging. No security issue, nothing to see here...
-	_my_connections="${tickledir}/${_port}.connections.$$"
-	# Parentheses are needed around the filters for precedence but
+	_my_connections="${tickledir}/all.connections.$$"
+	# Parentheses are needed around the IP filter for precedence but
 	# the parentheses can't be empty!
-	ss -tnH state established \
-		"${_ip_filter:+( ${_ip_filter} )}" \
-		"${_port_filter:+( ${_port_filter} )}" |
+	ss -tnH state established "${_ip_filter:+( ${_ip_filter} )}" |
 		awk '{print $4, $3}' |
 		sort >"$_my_connections"
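Review bot: Dropping the `sport` filter makes `ss -tnH state established "${_ip_filter:+( ${_ip_filter} )}"` record every established TCP socket whose local address is a public IP, and the `$CTDB -X gettickles "$_i"` call in the previous hunk likewise reads tickles for all ports, so the set of peers CTDB later tickles is presumably wider than the NFS clients the old `2049` argument selected; that trade-off is explained only in the commit message. Keeping the rationale next to the code would help the next reader, e.g. above the `ss` call: `# All ports are tracked: filtering per service would need its own configuration (see bug 15320)`. If the `src` match also covers connections the node itself initiated from a public IP, those peers would now be tickled too, which is worth confirming is intended. With `_port="$1"` gone, any other caller still passing a port has it silently ignored, so the remaining call sites deserve a grep. update_tickles continues past the end of this hunk.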