From 3e1602c850c478fdb69932db8447a22141ed27cd Mon Sep 17 00:00:00 2001
From: Le Yao
Date: Wed, 18 Nov 2020 06:28:22 +0000
Subject: [PATCH] Add api-server SNAT rule and enable forward Add the SNAT rule for api-server Enable net.ipv4.ip_forward in CNF
Signed-off-by: Le Yao
Change-Id: If31a6d8070d922a1f3e70bb94f85f349b3682379
---
platform/cnf/src/10-default.conf | 25 ++++++++++++++++++++++
platform/cnf/src/Dockerfile_1806_mwan3.tpl | 1 +
platform/cnf/src/Dockerfile_1806_mwan3_noproxy.tpl | 1 +
platform/cnf/src/sdewan.user | 12 +++++++++++
4 files changed, 39 insertions(+)
create mode 100644 platform/cnf/src/10-default.conf
diff --git a/platform/cnf/src/10-default.conf b/platform/cnf/src/10-default.conf
new file mode 100644
index 0000000..46d079b
--- /dev/null
+++ b/platform/cnf/src/10-default.conf
@@ -0,0 +1,25 @@
+# Do not edit, changes to this file will be lost on upgrades
+# /etc/sysctl.conf can be used to customize sysctl settings
+
+kernel.panic=3
+kernel.core_pattern=/tmp/%e.%t.%p.%s.core
+fs.suid_dumpable=2
+
+fs.protected_hardlinks=1
+fs.protected_symlinks=1
+
+net.ipv4.conf.default.arp_ignore=1
+net.ipv4.conf.all.arp_ignore=1
+net.ipv4.ip_forward=1
+net.ipv4.icmp_echo_ignore_broadcasts=1
+net.ipv4.icmp_ignore_bogus_error_responses=1
+net.ipv4.igmp_max_memberships=100
+net.ipv4.tcp_fin_timeout=30
+net.ipv4.tcp_keepalive_time=120
+net.ipv4.tcp_syncookies=1
+net.ipv4.tcp_timestamps=1
+net.ipv4.tcp_sack=1
+net.ipv4.tcp_dsack=1
+
+net.ipv6.conf.default.forwarding=1
+net.ipv6.conf.all.forwarding=1
diff --git a/platform/cnf/src/Dockerfile_1806_mwan3.tpl b/platform/cnf/src/Dockerfile_1806_mwan3.tpl
index 161038e..12142f7 100644
--- a/platform/cnf/src/Dockerfile_1806_mwan3.tpl
+++ b/platform/cnf/src/Dockerfile_1806_mwan3.tpl
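Review bot: The new platform/cnf/src/10-default.conf also sets `net.ipv6.conf.default.forwarding=1` and `net.ipv6.conf.all.forwarding=1`, although the commit message only mentions `net.ipv4.ip_forward` and the only NAT rule this patch adds is an IPv4 one. If IPv6 routing through the CNF is not intended, those two lines should be dropped, because nothing in this patch shows a filter policy for forwarded IPv6 traffic; whether `default_firewall` restricts the forward chain cannot be seen from here. The header `# Do not edit, changes to this file will be lost on upgrades` is also no longer accurate for a file maintained in this repository; `# Maintained in platform/cnf/src/10-default.conf; copied into the CNF image at build time` would describe it correctly.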
@@ -21,6 +21,7 @@ COPY sdewan.user /etc/sdewan.user COPY sdewan_svc.info /etc/sdewan_svc.info COPY default_firewall /etc/config/firewall COPY rest_v1 /usr/lib/lua/luci/controller/rest_v1 +COPY 10-default.conf /etc/sysctl.d/10-default.conf ENV http_proxy= ENV https_proxy= diff --git a/platform/cnf/src/Dockerfile_1806_mwan3_noproxy.tpl b/platform/cnf/src/Dockerfile_1806_mwan3_noproxy.tpl index c89bb4c..692fc3c 100644 --- a/platform/cnf/src/Dockerfile_1806_mwan3_noproxy.tpl +++ b/platform/cnf/src/Dockerfile_1806_mwan3_noproxy.tpl @@ -18,6 +18,7 @@ COPY sdewan.user /etc/sdewan.user COPY sdewan_svc.info /etc/sdewan_svc.info COPY default_firewall /etc/config/firewall COPY rest_v1 /usr/lib/lua/luci/controller/rest_v1 +COPY 10-default.conf /etc/sysctl.d/10-default.conf USER root diff --git a/platform/cnf/src/sdewan.user b/platform/cnf/src/sdewan.user index f6b152e..a933c74 100644 --- a/platform/cnf/src/sdewan.user +++ b/platform/cnf/src/sdewan.user @@ -45,3 +45,15 @@ do count=$(($count+1)) done < /etc/sdewan_svc.info +SNAT_RULE='POSTROUTING -o eth0 -j MASQUERADE' + +iptables -t nat -C $SNAT_RULE || if_exist=$? + +if [ $if_exist -ne 0 ]; +then + echo "Insert Default rules" +else + iptables -t nat -D $SNAT_RULE +fi + +iptables -t nat -A $SNAT_RULE -- 2.16.6
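Review bot: In the sdewan.user hunk, `if_exist` is assigned only when `iptables -t nat -C $SNAT_RULE` fails, so when the rule already exists `[ $if_exist -ne 0 ]` expands to `[ -ne 0 ]`, the test errors out, and the `else` branch is reached only by accident (or with a stale value if the variable was set earlier in the script). The check/delete/append sequence can be a single idempotent line, `iptables -t nat -C $SNAT_RULE 2>/dev/null || iptables -t nat -A $SNAT_RULE`, which also avoids the short window in which the rule is removed and the misleading "Insert Default rules" message. Separately, `POSTROUTING -o eth0 -j MASQUERADE` rewrites every packet leaving eth0 although the commit message scopes the rule to the api-server; with forwarding now enabled, any source routed through the CNF would reach the cluster network under the CNF's own address. Consider narrowing the match, for example by adding `-d <API_SERVER_CIDR>` (placeholder, to be filled from the deployment), and stating in a comment which traffic the rule is meant to cover.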