Signed-off-by: Balazs Lecz <[email protected]>
---
scripts/common.sh.in | 1 +
scripts/iptables_setup.in | 7 +++++++
2 files changed, 8 insertions(+), 0 deletions(-)
diff --git a/scripts/common.sh.in b/scripts/common.sh.in
index 6728976..c202c4e 100644
--- a/scripts/common.sh.in
+++ b/scripts/common.sh.in
@@ -46,6 +46,7 @@ ENDPOINT_CONF_FILE=$1
: ${GRE_BASE_NETDEV:="eth0"}
: ${ENDPOINT_NETDEV:="eth0"}
: ${ROUTING_TABLE:="100"}
+: ${NFLOG_QUEUE:="0"}
# DIRECTROUTES and NBMAROUTES work even if unset
[[ -n "$INSTANCE_NETWORK" ]] || fail "Missing INSTANCE_NETWORK in config file"
diff --git a/scripts/iptables_setup.in b/scripts/iptables_setup.in
index bed9e9c..c3076fa 100644
--- a/scripts/iptables_setup.in
+++ b/scripts/iptables_setup.in
@@ -40,3 +40,10 @@ if [[ -n "$INSTANCE_NETWORK" ]]; then
iptables -t raw -A PREROUTING -s $INSTANCE_NETWORK -j NOTRACK
iptables -t raw -A PREROUTING -d $INSTANCE_NETWORK -j NOTRACK
fi
+
+# Send 'misrouted' packets to NFLOG. These are picked up by ganeti-nld.
+iptables -L FORWARD -v | grep -q "inout_$GRE_INTERFACE" || \
+ iptables -A FORWARD -i $GRE_INTERFACE -o $GRE_INTERFACE \
+ -m hashlimit --hashlimit 1/second --hashlimit-burst 1 \
+ --hashlimit-mode dstip,srcip --hashlimit-name "inout_$GRE_INTERFACE" \
+ -j NFLOG --nflog-group $NFLOG_QUEUE --nflog-prefix "inout_$GRE_INTERFACE"
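Review bot: The idempotency check on the first added line is a plain substring grep, so an interface whose name is a prefix of another (`gre1` against an existing `inout_gre10` rule) is reported as present and the NFLOG rule is silently never installed; anchoring the token fixes this, `iptables -L FORWARD -v -n | grep -qw -- "inout_$GRE_INTERFACE" || \`, and the added `-n` also avoids the reverse-DNS and service lookups that `-L` without it performs on every run. If the target iptables supports `-C`, `iptables -C FORWARD ... -j NFLOG ...` is the cleaner existence test, but that is an inference about the deployed version. `$GRE_INTERFACE` and `$NFLOG_QUEUE` are expanded unquoted in the `-A` command while the same value is quoted in `--hashlimit-name`; quoting them consistently (`-i "$GRE_INTERFACE" -o "$GRE_INTERFACE"`, `--nflog-group "$NFLOG_QUEUE"`) keeps an empty or malformed config value from being dropped from the argument list rather than rejected. The `NFLOG_QUEUE` default introduced in the common.sh.in hunk is never checked to be numeric, so a bad value only surfaces here as an iptables parse error.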
--
1.6.6.2