/* add/remove iptable drop rule to VIP
 *
 * Builds an ip(6)tables argv and execs it via fork_exec() — once for the
 * configured input chain (match on destination), and, when an output chain
 * is configured, once more with the same vector patched for the output
 * chain (match on source).  cmd selects append (-A, non-zero) or delete
 * (-D, zero).  ifname is only used for IPv6 link-local VIPs, where the
 * rule is pinned to an interface.  The "unused" parameter is not read.
 * Only the input-chain result is reflected in ipaddress->iptable_rule_set;
 * an output-chain failure is logged but leaves that flag untouched.
 */
static void
handle_iptable_rule_to_vip(ip_address_t *ipaddress, int cmd, char *ifname, void *unused)
{
	/* Largest vector built below: tool, -A/-D, chain, -d, addr, -i, ifname, -j, DROP, NULL */
	char *argv[10];
	unsigned int argc = 0;
	int iface_idx = -1;	/* slot holding "-i"/"-o", -1 when no interface switch is emitted */
	char *addr_str;
	const int is_v6 = IP_IS6(ipaddress);

	if (global_data->vrrp_iptables_inchain[0] == '\0')
		return;

	if (is_v6) {
		/* IPv6 VIPs get their companion *_to_NA rule handled separately */
		handle_iptable_rule_to_NA(ipaddress, cmd, ifname);
		argv[argc++] = "ip6tables";
	} else {
		argv[argc++] = "iptables";
	}

	addr_str = ipaddresstos(NULL, ipaddress);

	argv[argc++] = cmd ? "-A" : "-D";
	argv[argc++] = global_data->vrrp_iptables_inchain;
	argv[argc++] = "-d";
	argv[argc++] = addr_str;
	if (is_v6 && IN6_IS_ADDR_LINKLOCAL(&ipaddress->u.sin6_addr)) {
		/* link-local scope is per-interface, so the rule must name it */
		iface_idx = argc;
		argv[argc++] = "-i";
		argv[argc++] = ifname;
	}
	argv[argc++] = "-j";
	argv[argc++] = "DROP";
	argv[argc] = NULL;

	if (fork_exec(argv) < 0)
		log_message(LOG_ERR, "Failed to %s iptable drop rule to vip %s", cmd ? "set" : "remove", addr_str);
	else
		ipaddress->iptable_rule_set = (cmd != IPADDRESS_DEL);

	if (global_data->vrrp_iptables_outchain[0] == '\0')
		return;

	/* Re-use the vector for the output chain: chain name, source match, egress interface */
	argv[2] = global_data->vrrp_iptables_outchain;
	argv[3] = "-s";
	if (iface_idx >= 0)
		argv[iface_idx] = "-o";

	if (fork_exec(argv) < 0)
		log_message(LOG_ERR, "Failed to %s iptable drop rule from vip %s", cmd ? "set" : "remove", addr_str);
}
/* add/remove iptable drop rule to VIP
 *
 * Library-based variant: rules are programmed through the ipt_handle h
 * rather than by exec'ing the iptables binary.  With libipset support
 * compiled in and ipsets enabled, the VIP is instead added to / removed
 * from a set via ipset_entry() (starting the session lazily).  Otherwise a
 * DROP rule is entered in the input chain (destination match), and, if an
 * output chain is configured, a second one in the output chain (source
 * match).  cmd is the add/delete operation; ifname is only honoured for
 * IPv6 link-local VIPs.  Nothing here inspects a result from
 * iptables_entry(); iptable_rule_set is updated unconditionally after the
 * input-chain entry.
 */
void
handle_iptable_rule_to_vip(ip_address_t *ipaddress, int cmd, char *ifname, struct ipt_handle *h)
{
	char *my_ifname = NULL;
	const int rule_present = (cmd != IPADDRESS_DEL);

	if (!use_iptables || global_data->vrrp_iptables_inchain[0] == '\0')
		return;

#ifdef _HAVE_LIBIPSET_
	if (global_data->using_ipsets) {
		if (!h->session)
			h->session = ipset_session_start();
		ipset_entry(h->session, cmd, ipaddress, ifname);
		ipaddress->iptable_rule_set = rule_present;
		return;
	}
#endif

	if (IP_IS6(ipaddress)) {
		/* link-local scope is per-interface, so only then is the rule pinned to one */
		if (IN6_IS_ADDR_LINKLOCAL(&ipaddress->u.sin6_addr))
			my_ifname = ifname;
		handle_iptable_rule_to_NA(ipaddress, cmd, my_ifname, h);
	}

	/* input chain: drop traffic addressed to the VIP */
	iptables_entry(h, global_data->vrrp_iptables_inchain, -1, XTC_LABEL_DROP,
		       NULL, ipaddress, my_ifname, NULL, IPPROTO_NONE, 0, cmd);
	ipaddress->iptable_rule_set = rule_present;

	if (global_data->vrrp_iptables_outchain[0] == '\0')
		return;

	/* output chain: drop traffic sourced from the VIP */
	iptables_entry(h, global_data->vrrp_iptables_outchain, -1, XTC_LABEL_DROP,
		       ipaddress, NULL, NULL, my_ifname, IPPROTO_NONE, 0, cmd);
}