case "$1" in
ipreallocated)
- # block the iscsi port
- iptables -I INPUT 1 -p tcp --dport 3260 -j DROP
-
+ all_ips=$(ctdb -X ip | tail -n +2)
+
+ # Block the iSCSI port. Only block for the address families
+ # we have configured. This copes with, for example, ip6tables
+ # being unavailable on an IPv4-only system.
+ have_ipv4=false
+ have_ipv6=false
+ while IFS='|' read x ip pnn x ; do
+ case "$ip" in
+ *:*) have_ipv6=true ;;
+ *) have_ipv4=true ;;
+ esac
+ done <<EOF
+$all_ips
+EOF
+ if $have_ipv4 ; then
+ iptables -I INPUT 1 -p tcp --dport 3260 -j DROP
+ fi
+ if $have_ipv6 ; then
+ ip6tables -I INPUT 1 -p tcp --dport 3260 -j DROP
+ fi
+
# shut down the iscsi service
killall -9 tgtd >/dev/null 2>/dev/null
# start the iscsi daemon
tgtd >/dev/null 2>/dev/null
- ips=$(ctdb -X ip | awk -F'|' -v pnn=$this_node '$3 == pnn {print $2}')
+ # Run a script for each currently hosted public IP address
+ ips=$(echo "$all_ips" | awk -F'|' -v pnn=$this_node '$3 == pnn {print $2}')
for ip in $ips ; do
script="${CTDB_START_ISCSI_SCRIPTS}/${ip}.sh"
if [ -x "$script" ] ; then
fi
done
- # remove all iptables rules
+ # Unblock iSCSI port. These can be unconditional (compared to
+ # blocking above), since errors are redirected.
while iptables -D INPUT -p tcp --dport 3260 -j DROP >/dev/null 2>&1 ; do
:
done
+ while ip6tables -D INPUT -p tcp --dport 3260 -j DROP >/dev/null 2>&1 ; do
+ :
+ done
;;
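Review bot: The address-family detection at the top of `ipreallocated` fails open for IPv6, because the result of `ctdb -X ip` is never checked. If it fails or prints nothing, `all_ips` is empty and the here-document still feeds `read` one empty line, which falls into the `*)` arm and sets only `have_ipv4`. Port 3260 then stays reachable over IPv6 while `tgtd` is killed and restarted, which is the window the DROP rule is meant to cover. I would add a `"") ;;` arm ahead of `*:*)` to skip empty fields and, when neither flag ends up set, attempt both inserts with errors discarded, so that an unreadable address list blocks more rather than less. The exit status of the two `-I INPUT` inserts is also ignored, so a failed insert goes unnoticed. The `case` statement closes outside this hunk, and the body of the `if [ -x "$script" ]` test is not shown.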