authorlijia <[email protected]>2021-11-09 13:15:55 +0800
committerlijia <[email protected]>2021-11-09 13:15:55 +0800
commit9a758df05a0bed7489729f1f5c390a6e9b1b6e3c (patch)
treed0d84d69efd9ac955e627d9d00df9fd869229157
parent703389e8347564c94be9187a7bb76dd97f51ba0e (diff)
TSG-8393, NATGW iptables 转发策略设置不合理, 导致Layer2和VPN模式不能共用, 已修复.
-rw-r--r--deploy_env/group_vars/all.yml2
-rw-r--r--roles/natgw/files/script/natgw_set_iptables_rule.sh33
-rw-r--r--roles/natgw/tasks/main.yml13
-rw-r--r--roles/natgw/templates/natgw.service.j24
4 files changed, 45 insertions, 7 deletions
diff --git a/deploy_env/group_vars/all.yml b/deploy_env/group_vars/all.yml
index 0d31f5f..c1a65cb 100644
--- a/deploy_env/group_vars/all.yml
+++ b/deploy_env/group_vars/all.yml
@@ -22,7 +22,7 @@ wannat_global:
location_compare_type: 0
country_location: "Set_your_geographic_location_here"
province_location: "Set_your_geographic_location_here"
- ctrl_device_ip_addr: "172.26.121.58"
+ ctrl_device_name: "eth0"
toroad:
http_server_listen_port: 8888
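Review bot: The new `ctrl_device_name` key carries no comment saying what it selects, although its value now drives address discovery at service start (natgw_set_iptables_rule.sh, invoked from natgw.service.j2 in this commit) rather than being a static address as `ctrl_device_ip_addr` was. A one-line comment above it would help operators, e.g. `# Interface holding the control-plane address; natgw derives the IP and subnet for its iptables rules from it at service start.`. Any template outside this commit that still references the removed `ctrl_device_ip_addr` would now render an empty value, so a search for the old name is worthwhile.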
diff --git a/roles/natgw/files/script/natgw_set_iptables_rule.sh b/roles/natgw/files/script/natgw_set_iptables_rule.sh
new file mode 100644
index 0000000..5875436
--- /dev/null
+++ b/roles/natgw/files/script/natgw_set_iptables_rule.sh
@@ -0,0 +1,33 @@
+#!/bin/sh
+
+if [ ! $1 ]; then
+ echo "must set device name!"
+ echo "Usage: $0 <devie_name>"
+ exit 1
+fi
+
+IP_ADDR_WITH_MASK=`ip addr show | grep $1 | grep inet | awk {'print $2'}`
+
+if [ ! $IP_ADDR_WITH_MASK ]; then
+ echo "get IP_ADDR_WITH_MASK error!"
+ exit 1
+fi
+
+#echo "IP_ADDR_WITH_MASK = $IP_ADDR_WITH_MASK"
+
+IP_ADDR=`ip addr show | grep $1 | grep inet | awk {'print $2'} | awk -F '/' {'print $1'}`
+if [ ! $IP_ADDR ]; then
+ echo "get IP_ADDR error!"
+ exit 1
+fi
+
+#echo "IP_ADDR = $IP_ADDR"
+
+#set iptables
+iptables -I OUTPUT -p icmp --icmp-type destination-unreachable -s $IP_ADDR -j DROP
+iptables -I OUTPUT -p icmp --icmp-type redirect -s $IP_ADDR -j DROP
+iptables -I FORWARD -s $IP_ADDR_WITH_MASK -j DROP
+
+exit 0
+
+
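Review bot: `ip addr show | grep $1 | grep inet` on the IP_ADDR_WITH_MASK and IP_ADDR lines matches any interface whose name merely contains `$1` (eth1 also hits eth10) and matches `inet6` lines as well, so both variables can hold several addresses; `[ ! $IP_ADDR_WITH_MASK ]` then becomes a malformed test and iptables receives stray arguments. Restricting the query to the named device and IPv4 with `ip -4 -o addr show dev "$1"` and deriving IP_ADDR from IP_ADDR_WITH_MASK removes the ambiguity and the second ip(8) call. Separately, the service template runs this script from ExecStartPost on every start, so each unconditional `iptables -I` stacks another copy of the rule; guarding each insert with `iptables -C … || iptables -I …` keeps the rule set idempotent (the same applies to the natgw.service.j2 hunk). The argument guard should also be `[ -z "$1" ]` rather than the unquoted `[ ! $1 ]`.
```sh
if [ -z "$1" ]; then
  echo "must set device name!"
  echo "Usage: $0 <device_name>"
  exit 1
fi

# Exact device match, IPv4 only; with -o each address is one line and field 4 is the CIDR.
IP_ADDR_WITH_MASK=$(ip -4 -o addr show dev "$1" | awk '{print $4}' | head -n 1)

if [ -z "$IP_ADDR_WITH_MASK" ]; then
  echo "get IP_ADDR_WITH_MASK error!"
  exit 1
fi

# Strip the prefix length instead of parsing ip(8) output a second time.
IP_ADDR=${IP_ADDR_WITH_MASK%/*}

# Insert a rule only when it is not already present, so repeated service starts do not stack duplicates.
add_rule() {
  iptables -C "$@" 2>/dev/null || iptables -I "$@"
}

add_rule OUTPUT -p icmp --icmp-type destination-unreachable -s "$IP_ADDR" -j DROP
add_rule OUTPUT -p icmp --icmp-type redirect -s "$IP_ADDR" -j DROP
add_rule FORWARD -s "$IP_ADDR_WITH_MASK" -j DROP

exit 0
```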
diff --git a/roles/natgw/tasks/main.yml b/roles/natgw/tasks/main.yml
index 8fbb09a..d12431e 100644
--- a/roles/natgw/tasks/main.yml
+++ b/roles/natgw/tasks/main.yml
@@ -3,6 +3,7 @@
copy:
src: "{{ role_path }}/files/rpm/{{ wannat_global.rpm_files.natgw_rpm_file }}"
dest: "/tmp/"
+
- name: "install natgw"
yum:
@@ -21,7 +22,13 @@
file:
path: /opt/tsg/wannat/natgw/conf
state: directory
-
+
+- name: "copy natgw_set_iptables_rule.sh to destination server"
+ copy:
+ src: "{{ role_path }}/files/script/natgw_set_iptables_rule.sh"
+ dest: "/opt/tsg/wannat/natgw/"
+ mode: a+x
+
- name: "Template the natgw.conf"
template:
src: "{{ role_path }}/templates/natgw.conf.j2"
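Review bot: `mode: a+x` on the new copy task leaves the final permission bits dependent on the remote default (umask) and does not pin ownership, even though the file is executed from the systemd unit's ExecStartPost (as root unless the unit sets User=, which is outside this diff); an explicit `mode: "0755"` together with `owner: root` and `group: root` makes the installed script's permissions deterministic and reviewable. Quoting the mode also avoids the octal-literal trap should the value later be changed to a numeric form. The other hunks in this file only change blank lines.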
@@ -33,7 +40,7 @@
src: "{{ role_path }}/templates/natgw_log.conf.j2"
dest: /opt/tsg/wannat/natgw/conf/natgw_log.conf
tags: template
-
+
- name: "Template the maat compile table info"
template:
src: "{{ role_path }}/templates/compile_tableinfo.conf.j2"
@@ -60,4 +67,4 @@
state: started
- \ No newline at end of file
+
diff --git a/roles/natgw/templates/natgw.service.j2 b/roles/natgw/templates/natgw.service.j2
index 0217bd8..b131a11 100644
--- a/roles/natgw/templates/natgw.service.j2
+++ b/roles/natgw/templates/natgw.service.j2
@@ -21,9 +21,7 @@ ExecStartPost=/bin/sh -c "ethtool -K {{wannat_global.natgw.device}} tso off"
ExecStartPost=/bin/sh -c "ip rule add from {{wannat_global.common.vpn_client_ip_cidr}} table 1001"
ExecStartPost=/bin/sh -c "ip route add default via 100.64.1.253 table 1001"
-ExecStartPost=/bin/sh -c "iptables -I OUTPUT -p icmp --icmp-type destination-unreachable -s {{wannat_global.natgw.ctrl_device_ip_addr}} -j DROP"
-ExecStartPost=/bin/sh -c "iptables -I OUTPUT -p icmp --icmp-type redirect -s {{wannat_global.natgw.ctrl_device_ip_addr}} -j DROP"
-ExecStartPost=/bin/sh -c "iptables -I FORWARD ! -d {{wannat_global.natgw.ctrl_device_ip_addr}} -j DROP"
+ExecStartPost=/bin/sh -c "/opt/tsg/wannat/natgw/natgw_set_iptables_rule.sh {{wannat_global.natgw.ctrl_device_name}}"
TimeoutSec=300s
RestartSec=10s
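Review bot: The new ExecStartPost line inherits the script's exit status, and the script exits 1 when no IPv4 address is found on the named device, so systemd now treats the whole natgw start as failed in a case the old inline lines (built from a statically configured address) did not have; if that fail-closed behaviour is intended it deserves a comment in the template, e.g. `# Firewall rules are derived from the control device at start; a missing address fails the unit on purpose.`, otherwise prefix the command with `-` as systemd allows for ExecStartPost. The rules are also inserted unconditionally on every start; see the note on the natgw_set_iptables_rule.sh hunk. The [Service] section this line belongs to starts outside the hunk.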