From 5b7c794066f1451807653f6f3510f09e018050e6 Mon Sep 17 00:00:00 2001
From: Yao Le
Date: Mon, 21 Sep 2020 03:08:44 +0000
Subject: [PATCH] Update the firewall restart script

Get the service IP and configuration
Config the service iptables NAT rules

Signed-off-by: Yao Le
Change-Id: I74bd5236f4e56ea9d20e7eee6d4210e1ab04e0c0
---
 platform/cnf/src/Dockerfile_1806_mwan3.tpl | 1 +
 platform/cnf/src/Dockerfile_1806_mwan3_noproxy.tpl | 1 +
 platform/cnf/src/sdewan.user | 66 ++++++++++++++--------
 platform/cnf/src/sdewan_svc.info | 2 +
 4 files changed, 48 insertions(+), 22 deletions(-)
 create mode 100644 platform/cnf/src/sdewan_svc.info

diff --git a/platform/cnf/src/Dockerfile_1806_mwan3.tpl b/platform/cnf/src/Dockerfile_1806_mwan3.tpl
index 50bfe50..161038e 100644
--- a/platform/cnf/src/Dockerfile_1806_mwan3.tpl
+++ b/platform/cnf/src/Dockerfile_1806_mwan3.tpl
@@ -18,6 +18,7 @@ COPY system /etc/config/system
 COPY ipsec /etc/config/ipsec
 COPY ipsec_exec /etc/init.d/ipsec
 COPY sdewan.user /etc/sdewan.user
+COPY sdewan_svc.info /etc/sdewan_svc.info
 COPY default_firewall /etc/config/firewall
 COPY rest_v1 /usr/lib/lua/luci/controller/rest_v1
diff --git a/platform/cnf/src/Dockerfile_1806_mwan3_noproxy.tpl b/platform/cnf/src/Dockerfile_1806_mwan3_noproxy.tpl
index c1ef291..c89bb4c 100644
--- a/platform/cnf/src/Dockerfile_1806_mwan3_noproxy.tpl
+++ b/platform/cnf/src/Dockerfile_1806_mwan3_noproxy.tpl
@@ -15,6 +15,7 @@ COPY system /etc/config/system
 COPY ipsec /etc/config/ipsec
 COPY ipsec_exec /etc/init.d/ipsec
 COPY sdewan.user /etc/sdewan.user
+COPY sdewan_svc.info /etc/sdewan_svc.info
 COPY default_firewall /etc/config/firewall
 COPY rest_v1 /usr/lib/lua/luci/controller/rest_v1
diff --git a/platform/cnf/src/sdewan.user b/platform/cnf/src/sdewan.user
index 5d000a5..f6b152e 100644
--- a/platform/cnf/src/sdewan.user
+++ b/platform/cnf/src/sdewan.user
@@ -1,25 +1,47 @@
 set -o pipefail
-api_server=$(nslookup kubernetes.default.svc.cluster.local | tail -n2 | awk -F':' '{print $2}' | head -1)
-istio_ingress=$(nslookup istio-ingressgateway.istio-system.svc.cluster.local | tail -n2 | awk -F':' '{print $2}' | head -1)
-
-SNAT_RULE='POSTROUTING -o eth0 -j MASQUERADE'
-
-iptables -t nat -C $SNAT_RULE || if_exist=$?
-
-if [ $if_exist -ne 0 ];
-then
- echo "Insert Default rules"
-else
- iptables -t nat -D $SNAT_RULE
- iptables -t nat -D PREROUTING -p tcp --dport 6443 -j DNAT --to-destination $api_server
- iptables -t nat -D PREROUTING -i net1 -j DNAT --to-destination $istio_ingress
-fi
-
-iptables -t nat -A $SNAT_RULE
-iptables -t nat -A PREROUTING -p tcp --dport 6443 -j DNAT --to-destination $api_server
-if [[ $istio_ingress != "NXDOMAIN" ]];
-then
- iptables -t nat -A PREROUTING -i net1 -j DNAT --to-destination $istio_ingress
-fi
+count=1
+while read line
+do
+  name=$(echo $line | awk '{print $1}')
+  fullname=$(echo $line | awk '{print $2}')
+  port=$(echo $line | awk '{print $3}')
+  dport=$(echo $line | awk '{print $4}')
+  old_ip=$(echo $line | awk '{print $5}')
+  rule=$(echo $line | awk '{print $6}')
+  new_ip=$(nslookup $fullname | tail -n2 | awk -F':' '{print $2}' | head -1 | sed -e 's/^[ \t]*//g')
+  target=$(iptables -t nat -L PREROUTING | grep "dpt:${port}")
+  if [ $old_ip == "0.0.0.0" ];
+  then
+    if [ $rule == 0 ];
+    then
+      iptables -t nat -I PREROUTING -p tcp --dport $port -j DNAT --to-destination $new_ip":"$dport
+    elif [ $rule == 1 ];
+    then
+      iptables -t nat -A PREROUTING -i net1 -j DNAT --to-destination $new_ip
+    fi
+  elif [ $old_ip != $new_ip ];
+  then
+    if [ $rule == 0 ];
+    then
+      iptables -t nat -D PREROUTING -p tcp --dport $port -j DNAT --to-destination $old_ip":"$dport
+      iptables -t nat -I PREROUTING -p tcp --dport $port -j DNAT --to-destination $new_ip":"$dport
+    elif [ $rule == 1 ];
+    then
+      iptables -t nat -D PREROUTING -i net1 -j DNAT --to-destination $old_ip
+      iptables -t nat -A PREROUTING -i net1 -j DNAT --to-destination $new_ip
+    fi
+  elif [ ! $target]
+  then
+    if [ $rule == 0 ];
+    then
+      iptables -t nat -I PREROUTING -p tcp --dport $port -j DNAT --to-destination $new_ip":"$dport
+    elif [ $rule == 1 ];
+    then
+      iptables -t nat -A PREROUTING -i net1 -j DNAT --to-destination $new_ip
+    fi
+  fi
+  sed -i "${count}c ${name} ${fullname} ${port} ${dport} ${new_ip} ${rule}" /etc/sdewan_svc.info
+  count=$(($count+1))
+done < /etc/sdewan_svc.info
diff --git a/platform/cnf/src/sdewan_svc.info b/platform/cnf/src/sdewan_svc.info
new file mode 100644
index 0000000..8b3c8b3
--- /dev/null
+++ b/platform/cnf/src/sdewan_svc.info
@@ -0,0 +1,2 @@
+kubernetes kubernetes.default.svc.cluster.local 6443 6443 0.0.0.0 0
+istio istio-ingressgateway.istio-system.svc.cluster.local 0 0 0.0.0.0 1
-- 
2.16.6
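Review bot: The third branch's existence check, `target=$(iptables -t nat -L PREROUTING | grep "dpt:${port}")` tested with `elif [ ! $target]`, only works by accident: an empty `target` leaves `[ ! ]`, which is true, a non-empty one makes `[` fail on the unquoted multi-word expansion, and since the rule-1 entry in sdewan_svc.info carries port 0 the grep can never match the `-i net1` DNAT, so that rule is appended again on every later run while the address is unchanged. `new_ip` is also used unvalidated: when the lookup fails it is empty or `NXDOMAIN`, `[ $old_ip != $new_ip ]` errors out, and `sed -i` then writes that token into /etc/sdewan_svc.info, which shifts the columns for all later runs (the removed code at least compared istio_ingress against `"NXDOMAIN"`). The removed `POSTROUTING -o eth0 -j MASQUERADE` rule has no counterpart in the new loop; if it is still needed, that is a regression the commit message does not mention. The excerpt below validates `new_ip` right after the lookup and replaces the grep with `iptables -t nat -C`, so a re-run is idempotent for both rule types; the `0.0.0.0` and changed-ip branches stay as they are, and the `target=` line goes away.
```shell
  new_ip=$(nslookup $fullname | tail -n2 | awk -F':' '{print $2}' | head -1 | sed -e 's/^[ \t]*//g')
  # Skip this entry, leaving its line in sdewan_svc.info untouched, unless the
  # lookup produced a dotted-quad; an empty or NXDOMAIN value must not reach
  # iptables or the state file. Assumes the pipeline yields a bare address,
  # as the unquoted uses below already do.
  case "$new_ip" in
    ""|*[!0-9.]*)
      echo "skip ${name}: lookup of ${fullname} returned '${new_ip}'" >&2
      count=$((count+1))
      continue ;;
  esac
  # … unchanged: 0.0.0.0 branch and changed-ip branch …
  elif [ "$rule" = 0 ] && ! iptables -t nat -C PREROUTING -p tcp --dport "$port" -j DNAT --to-destination "${new_ip}:${dport}" 2>/dev/null
  then
    iptables -t nat -I PREROUTING -p tcp --dport "$port" -j DNAT --to-destination "${new_ip}:${dport}"
  elif [ "$rule" = 1 ] && ! iptables -t nat -C PREROUTING -i net1 -j DNAT --to-destination "$new_ip" 2>/dev/null
  then
    iptables -t nat -A PREROUTING -i net1 -j DNAT --to-destination "$new_ip"
  fi
```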