fi
}
+ip_block ()
+{
+ _ip="$1"
+ _iface="$2"
+
+ case "$_ip" in
+ *:*) _family="inet6" ;;
+ *) _family="inet" ;;
+ esac
+
+ # Extra delete copes with previously killed script
+ iptables_wrapper "$_family" \
+ -D INPUT -i "$_iface" -d "$_ip" -j DROP 2>/dev/null
+ iptables_wrapper "$_family" \
+ -I INPUT -i "$_iface" -d "$_ip" -j DROP
+}
+
+ip_unblock ()
+{
+ _ip="$1"
+ _iface="$2"
+
+ case "$_ip" in
+ *:*) _family="inet6" ;;
+ *) _family="inet" ;;
+ esac
+
+ iptables_wrapper "$_family" \
+ -D INPUT -i "$_iface" -d "$_ip" -j DROP 2>/dev/null
+}
+
ctdb_check_args "$@"
case "$1" in
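Review bot: `ip_block` and `ip_unblock` assign `_ip`, `_iface` and `_family` as plain shell variables, so every call overwrites those names in the caller's scope; the updateip code further down this page passes `"$_ip"` to `get_iface_ip_maskbits_family`, so at least that name is already in use elsewhere in the script. Nothing visible here reads a clobbered value after the call, but the coupling is easy to break in a later change. Writing each body as a subshell, `ip_block () ( ... )`, or giving the helpers their own variable names would keep the assignments private. A one-line header on `ip_unblock`, such as `# Remove the DROP rule for IP $1 on interface $2; a missing rule is expected and ignored`, would also explain why stderr is discarded there.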
exit 1;
}
- # cope with the script being killed while we have the interface blocked
- case "$ip" in
- *:*) family="inet6" ;;
- *) family="inet" ;;
- esac
- iptables_wrapper $family -D INPUT -i $iface -d $ip -j DROP 2> /dev/null
+ # In case a previous "releaseip" for this IP was killed...
+ ip_unblock "$ip" "$iface"
flush_route_cache
;;
# is released, any open tcp connections to that IP on this host will end
# up being stuck. Some of them (such as NFS connections) will be unkillable
# so we need to use the killtcp ctdb function to kill them off. We also
- # need to make sure that no new connections get established while we are
+ # need to make sure that no new connections get established while we are
# doing this! So what we do is this:
# 1) firewall this IP, so no new external packets arrive for it
- # 2) use netstat -tn to find existing connections, and kill them
+ # 2) find existing connections, and kill them
# 3) remove the IP from the interface
# 4) remove the firewall rule
shift
get_iface_ip_maskbits_family "$@"
- # we do an extra delete to cope with the script being killed
- iptables_wrapper $family -D INPUT -i $iface -d $ip -j DROP 2> /dev/null
- iptables_wrapper $family -I INPUT -i $iface -d $ip -j DROP
+ ip_block "$ip" "$iface"
+
kill_tcp_connections "$iface" "$ip"
delete_ip_from_iface $iface $ip $maskbits || {
- iptables_wrapper $family \
- -D INPUT -i $iface -d $ip -j DROP 2> /dev/null
+ ip_unblock "$ip" "$iface"
exit 1
}
- iptables_wrapper $family -D INPUT -i $iface -d $ip -j DROP 2> /dev/null
+ ip_unblock "$ip" "$iface"
flush_route_cache
;;
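Review bot: The status of `ip_block "$ip" "$iface"` is ignored, so if the DROP rule cannot be inserted the branch still goes on to `kill_tcp_connections` and `delete_ip_from_iface` with the address reachable, which is the window the comment above says must be closed. `ip_block` ends with the `-I` call, so it presumably returns that status and the caller could act on it, for example `ip_block "$ip" "$iface" || echo "WARNING: could not block $ip on $iface"`; whether to abort the release instead is a policy choice this hunk does not settle. The same applies to `ip_block "$ip" "$oiface"` in the updateip code later on the page. The enclosing case arm starts outside the hunk.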
get_iface_ip_maskbits_family "$_oiface" "$_ip" "$_maskbits"
oiface="$iface"
- # we do an extra delete to cope with the script being killed
- iptables_wrapper $family -D INPUT -i $oiface -d $ip -j DROP 2> /dev/null
- iptables_wrapper $family -I INPUT -i $oiface -d $ip -j DROP
+ ip_block "$ip" "$oiface"
delete_ip_from_iface $oiface $ip $maskbits 2>/dev/null
delete_ip_from_iface $niface $ip $maskbits 2>/dev/null
add_ip_to_iface $niface $ip $maskbits || {
- iptables_wrapper $family \
- -D INPUT -i $oiface -d $ip -j DROP 2> /dev/null
- exit 1
+ ip_unblock "$ip" "$oiface"
+ exit 1
}
- # cope with the script being killed while we have the interface blocked
- iptables_wrapper $family -D INPUT -i $oiface -d $ip -j DROP 2> /dev/null
+ ip_unblock "$ip" "$oiface"
flush_route_cache