From: Martin Schwenke
Date: Fri, 13 May 2016 09:43:05 +0000 (+1000)
Subject: ctdb-scripts: New functions ip_block() and ip_unblock()
X-Git-Tag: tdb-1.3.10~1061
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b4878cfc4deba1da5f205bf8f7c5bee05ee380ba;p=thirdparty%2Fsamba.git

ctdb-scripts: New functions ip_block() and ip_unblock()

Block and unblock IP addresses using these new functions. This makes the code more readable. The case statement in each function is very cheap, so there is no need to prematurely optimise and pass the family.

Signed-off-by: Martin Schwenke
Reviewed-by: Amitay Isaacs
---
diff --git a/ctdb/config/events.d/10.interface b/ctdb/config/events.d/10.interface
index f65dd5ea739..fc9097b84e6 100755
--- a/ctdb/config/events.d/10.interface
+++ b/ctdb/config/events.d/10.interface
@@ -102,6 +102,37 @@ get_iface_ip_maskbits_family ()
 fi
 }
+ip_block ()
+{
+ _ip="$1"
+ _iface="$2"
+
+ case "$_ip" in
+ *:*) _family="inet6" ;;
+ *) _family="inet" ;;
+ esac
+
+ # Extra delete copes with previously killed script
+ iptables_wrapper "$_family" \
+ -D INPUT -i "$_iface" -d "$_ip" -j DROP 2>/dev/null
+ iptables_wrapper "$_family" \
+ -I INPUT -i "$_iface" -d "$_ip" -j DROP
+}
+
+ip_unblock ()
+{
+ _ip="$1"
+ _iface="$2"
+
+ case "$_ip" in
+ *:*) _family="inet6" ;;
+ *) _family="inet" ;;
+ esac
+
+ iptables_wrapper "$_family" \
+ -D INPUT -i "$_iface" -d "$_ip" -j DROP 2>/dev/null
+}
+
 ctdb_check_args "$@"
 case "$1" in
@@ -134,12 +165,8 @@ case "$1" in
 exit 1;
 }
- # cope with the script being killed while we have the interface blocked
- case "$ip" in
- *:*) family="inet6" ;;
- *) family="inet" ;;
- esac
- iptables_wrapper $family -D INPUT -i $iface -d $ip -j DROP 2> /dev/null
+ # In case a previous "releaseip" for this IP was killed...
+ ip_unblock "$ip" "$iface"
 flush_route_cache
 ;;
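Review bot: The new ip_block () and ip_unblock () take their arguments as `<ip> <iface>`, the reverse of the `kill_tcp_connections "$iface" "$ip"` call that sits right next to ip_block in the releaseip hunk, and neither function has a header comment stating the order. A one-line comment above each, `# ip_block <ip> <iface>: insert an INPUT DROP rule for <ip> arriving on <iface>` and `# ip_unblock <ip> <iface>: remove the rule inserted by ip_block`, would make a swapped call site obvious at review time. The comment on the extra `-D` could also say what it guarantees: with `2>/dev/null` a missing rule only costs a silently failed delete, so re-running ip_block after a killed script does not stack a second DROP rule. Note too that `_ip`, `_iface` and `_family` are script-wide variables rather than locals; the updateip hunk's caller already uses `$_ip` for the same address, so nothing breaks today, but any caller relying on its own `_ip` after these calls will find it overwritten.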
@@ -149,27 +176,25 @@ case "$1" in
 # is released, any open tcp connections to that IP on this host will end
 # up being stuck. Some of them (such as NFS connections) will be unkillable
 # so we need to use the killtcp ctdb function to kill them off. We also
- # need to make sure that no new connections get established while we are
+ # need to make sure that no new connections get established while we are
 # doing this! So what we do is this:
 # 1) firewall this IP, so no new external packets arrive for it
- # 2) use netstat -tn to find existing connections, and kill them
+ # 2) find existing connections, and kill them
 # 3) remove the IP from the interface
 # 4) remove the firewall rule
 shift
 get_iface_ip_maskbits_family "$@"
- # we do an extra delete to cope with the script being killed
- iptables_wrapper $family -D INPUT -i $iface -d $ip -j DROP 2> /dev/null
- iptables_wrapper $family -I INPUT -i $iface -d $ip -j DROP
+ ip_block "$ip" "$iface"
+ kill_tcp_connections "$iface" "$ip"
 delete_ip_from_iface $iface $ip $maskbits || {
- iptables_wrapper $family \
- -D INPUT -i $iface -d $ip -j DROP 2> /dev/null
+ ip_unblock "$ip" "$iface"
 exit 1
 }
- iptables_wrapper $family -D INPUT -i $iface -d $ip -j DROP 2> /dev/null
+ ip_unblock "$ip" "$iface"
 flush_route_cache
 ;;
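Review bot: `ip_block "$ip" "$iface"` in the releaseip hunk is not checked, so if the iptables insert fails the script still goes on to kill_tcp_connections and delete_ip_from_iface with the address reachable, which defeats the "firewall first" sequence described in the comment block just above; the `-I` line in ip_block has no stderr redirect, so the failure would be logged but not acted on. Since ip_block's exit status is that of its final `-I` command, `ip_block "$ip" "$iface" || exit 1` (or at least a logged warning, if failing the event is judged too aggressive) would stop at that point. The same unchecked call appears in the updateip hunk as `ip_block "$ip" "$oiface"`. The enclosing `case "$1" in` block starts and ends outside this hunk.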
@@ -194,21 +219,17 @@ case "$1" in
 get_iface_ip_maskbits_family "$_oiface" "$_ip" "$_maskbits"
 oiface="$iface"
- # we do an extra delete to cope with the script being killed
- iptables_wrapper $family -D INPUT -i $oiface -d $ip -j DROP 2> /dev/null
- iptables_wrapper $family -I INPUT -i $oiface -d $ip -j DROP
+ ip_block "$ip" "$oiface"
 delete_ip_from_iface $oiface $ip $maskbits 2>/dev/null
 delete_ip_from_iface $niface $ip $maskbits 2>/dev/null
 add_ip_to_iface $niface $ip $maskbits || {
- iptables_wrapper $family \
- -D INPUT -i $oiface -d $ip -j DROP 2> /dev/null
- exit 1
+ ip_unblock "$ip" "$oiface"
+ exit 1
 }
- # cope with the script being killed while we have the interface blocked
- iptables_wrapper $family -D INPUT -i $oiface -d $ip -j DROP 2> /dev/null
+ ip_unblock "$ip" "$oiface"
 flush_route_cache