Code Review / icn / sdwan.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | review | tree
raw | patch | inline | side by side (parent: 78eb9b5)
Update the firewall restart script 11/3711/3
authorYao Le <le.yao@intel.com>
Mon, 21 Sep 2020 03:08:44 +0000 (03:08 +0000)
committerYao Le <le.yao@intel.com>
Mon, 12 Oct 2020 05:50:29 +0000 (05:50 +0000)
Get the service IP and configuration
Config the service iptables NAT rules

Signed-off-by: Yao Le <le.yao@intel.com>
Change-Id: I74bd5236f4e56ea9d20e7eee6d4210e1ab04e0c0

platform/cnf/src/Dockerfile_1806_mwan3.tpl patch | blob | history
platform/cnf/src/Dockerfile_1806_mwan3_noproxy.tpl patch | blob | history
platform/cnf/src/sdewan.user patch | blob | history
platform/cnf/src/sdewan_svc.info [new file with mode: 0644] patch | blob

diff --git a/platform/cnf/src/Dockerfile_1806_mwan3.tpl b/platform/cnf/src/Dockerfile_1806_mwan3.tpl
index 50bfe50..161038e 100644 (file)
--- a/platform/cnf/src/Dockerfile_1806_mwan3.tpl
+++ b/platform/cnf/src/Dockerfile_1806_mwan3.tpl
@@ -18,6 +18,7 @@ COPY system /etc/config/system
 COPY ipsec /etc/config/ipsec
 COPY ipsec_exec /etc/init.d/ipsec
 COPY sdewan.user /etc/sdewan.user
+COPY sdewan_svc.info /etc/sdewan_svc.info
 COPY default_firewall /etc/config/firewall
 COPY rest_v1 /usr/lib/lua/luci/controller/rest_v1
 
diff --git a/platform/cnf/src/Dockerfile_1806_mwan3_noproxy.tpl b/platform/cnf/src/Dockerfile_1806_mwan3_noproxy.tpl
index c1ef291..c89bb4c 100644 (file)
--- a/platform/cnf/src/Dockerfile_1806_mwan3_noproxy.tpl
+++ b/platform/cnf/src/Dockerfile_1806_mwan3_noproxy.tpl
@@ -15,6 +15,7 @@ COPY system /etc/config/system
 COPY ipsec /etc/config/ipsec
 COPY ipsec_exec /etc/init.d/ipsec
 COPY sdewan.user /etc/sdewan.user
+COPY sdewan_svc.info /etc/sdewan_svc.info
 COPY default_firewall /etc/config/firewall
 COPY rest_v1 /usr/lib/lua/luci/controller/rest_v1
 
diff --git a/platform/cnf/src/sdewan.user b/platform/cnf/src/sdewan.user
index 5d000a5..f6b152e 100644 (file)
--- a/platform/cnf/src/sdewan.user
+++ b/platform/cnf/src/sdewan.user
@@ -1,25 +1,47 @@
 set -o pipefail
 
-api_server=$(nslookup kubernetes.default.svc.cluster.local | tail -n2 | awk -F':' '{print $2}' | head -1)
-istio_ingress=$(nslookup istio-ingressgateway.istio-system.svc.cluster.local |  tail -n2 | awk -F':' '{print $2}' | head -1)
-
-SNAT_RULE='POSTROUTING -o eth0 -j MASQUERADE'
-
-iptables -t nat -C $SNAT_RULE || if_exist=$?
-
-if [ $if_exist -ne 0 ];
-then
-   echo "Insert Default rules"
-else
-   iptables -t nat -D $SNAT_RULE
-   iptables -t nat -D PREROUTING -p tcp --dport 6443 -j DNAT --to-destination $api_server
-   iptables -t nat -D PREROUTING -i net1 -j DNAT --to-destination $istio_ingress
-fi
-
-iptables -t nat -A $SNAT_RULE
-iptables -t nat -A PREROUTING -p tcp --dport 6443 -j DNAT --to-destination $api_server
-if [[ $istio_ingress != "NXDOMAIN" ]];
-then
-  iptables -t nat -A PREROUTING -i net1 -j DNAT --to-destination $istio_ingress
-fi
+count=1
+while read line
+do
+    name=$(echo $line | awk '{print $1}')
+    fullname=$(echo $line | awk '{print $2}')
+    port=$(echo $line | awk '{print $3}')
+    dport=$(echo $line | awk '{print $4}')
+    old_ip=$(echo $line | awk '{print $5}')
+    rule=$(echo $line | awk '{print $6}')
+    new_ip=$(nslookup $fullname | tail -n2 | awk -F':' '{print $2}' | head -1 | sed -e 's/^[ \t]*//g')
+    target=$(iptables -t nat -L PREROUTING | grep "dpt:${port}")
+    if [ $old_ip == "0.0.0.0" ];
+    then
+        if [ $rule == 0 ];
+        then
+            iptables -t nat -I PREROUTING -p tcp --dport $port -j DNAT --to-destination $new_ip":"$dport
+        elif [ $rule == 1 ];
+        then
+            iptables -t nat -A PREROUTING -i net1 -j DNAT --to-destination $new_ip
+        fi
+    elif [ $old_ip != $new_ip ];
+    then
+        if [ $rule == 0 ];
+        then
+            iptables -t nat -D PREROUTING -p tcp --dport $port -j DNAT --to-destination $old_ip":"$dport
+            iptables -t nat -I PREROUTING -p tcp --dport $port -j DNAT --to-destination $new_ip":"$dport
+        elif [ $rule == 1 ];
+        then
+            iptables -t nat -D PREROUTING -i net1 -j DNAT --to-destination $old_ip
+            iptables -t nat -A PREROUTING -i net1 -j DNAT --to-destination $new_ip
+        fi
+    elif [ ! $target]
+    then
+        if [ $rule == 0 ];
+        then
+            iptables -t nat -I PREROUTING -p tcp --dport $port -j DNAT --to-destination $new_ip":"$dport
+        elif [ $rule == 1 ];
+        then
+            iptables -t nat -A PREROUTING -i net1 -j DNAT --to-destination $new_ip
+        fi
+    fi
+    sed -i "${count}c ${name} ${fullname} ${port} ${dport} ${new_ip} ${rule}" /etc/sdewan_svc.info
+    count=$(($count+1))
+done < /etc/sdewan_svc.info
 
diff --git a/platform/cnf/src/sdewan_svc.info b/platform/cnf/src/sdewan_svc.info
new file mode 100644 (file)
index 0000000..8b3c8b3
--- /dev/null
+++ b/platform/cnf/src/sdewan_svc.info
@@ -0,0 +1,2 @@
+kubernetes kubernetes.default.svc.cluster.local 6443 6443 0.0.0.0 0
+istio istio-ingressgateway.istio-system.svc.cluster.local 0 0 0.0.0.0 1