---
schema: pegleg/Script/v1
metadata:
  schema: metadata/Document/v1
  name: configure-ip-rules
  # The document carries only network parameters (CIDRs, an interface name, a
  # gateway address) and no credentials, so cleartext storage is appropriate.
  storagePolicy: cleartext
  layeringDefinition:
    abstract: false
    layer: global
data: |-
  #!/bin/bash
  # configure-ip-rules
  #
  # Installs policy routing so that traffic sourced from the service CIDR
  # leaves the node via a dedicated routing table whose only route is a
  # default route through the VRRP/service gateway, while service->pod
  # traffic keeps using the main table. Also pins arp_announce on the
  # interface that faces that gateway and, optionally, adds a static
  # route for an overlap CIDR.
  #
  # Inputs (via getopts; the option letters visible in the error text are
  # -c pod CIDR, -i interface, -g service gateway; the letters for the
  # service CIDR and overlap CIDR are not visible in this copy):
  #   POD_CIDR      required
  #   INTERFACE     interface carrying the VRRP gateway; used to wait for the
  #                 device and to discover the gateway when -g is not given
  #   SERVICE_GW    explicit gateway address; overrides discovery on INTERFACE
  #   SERVICE_CIDR  optional; when set, the two ip rules below are installed
  #   OVERLAP_CIDR  optional; when set, a static route via the gateway is added
  #
  # Every step manipulates the kernel routing state (ip route/ip rule and a
  # write under /proc/sys/net/ipv4/conf), so this has to run with netlink
  # privileges (root or CAP_NET_ADMIN). -e aborts on the first failing
  # command; -x echoes every command (including its arguments) to stderr,
  # which is acceptable here because no secrets are handled.
  set -ex

  # NOTE(review): the text between "cat <" and "&2 exit 1 ;;" on the next
  # line is missing from this copy (most likely the usage() here-doc, the
  # closing "}", the "while getopts ... case" header, the option arms that
  # assign POD_CIDR/INTERFACE/SERVICE_GW/SERVICE_CIDR/OVERLAP_CIDR, and the
  # start of the unknown-option arm). As written the script does not parse;
  # restore this section from the upstream source before use.
  function usage() { cat <&2 exit 1 ;;
      # getopts reports a missing option argument as ":" with OPTARG set to
      # the option letter.
      :) echo "Missing argument for option: -${OPTARG}" >&2
         exit 1 ;;
      *) echo "Unimplemented option: -${OPTARG}" >&2
         exit 1 ;;
    esac
  done
  shift $((OPTIND-1))

  # POD_CIDR is the one mandatory parameter: it is needed for the
  # service->pod rule below.
  if [ "x$POD_CIDR" == "x" ]; then
    echo "Missing pod CIDR, e.g -c 10.97.0.0/16" >&2
    usage
    exit 1
  fi

  # When an interface was named, block until "ip route list dev" succeeds
  # for it, i.e. until the device exists. Note this only waits for the
  # device, not for any route on it, so the discovery below can still
  # come up empty if routes arrive later.
  if [ "x$INTERFACE" != "x" ]; then
    while ! ip route list dev "${INTERFACE}" > /dev/null; do
      echo Waiting for device "${INTERFACE}" to be ready. >&2
      sleep 5
    done
  fi

  # Resolve the gateway for the service table: an explicit SERVICE_GW wins,
  # otherwise take the next hop of the first "via" route seen on INTERFACE
  # (awk: second field is "via", third is the gateway address).
  intra_vrrp_ip=
  if [ "x${SERVICE_GW}" == "x" ]; then
    intra_vrrp_ip=$(ip route list dev "${INTERFACE}" | awk '($2~/via/){print $3}' | head -n 1)
  else
    intra_vrrp_ip=${SERVICE_GW}
  fi

  # Routing table number used for traffic sourced from the service CIDR.
  TABLE="1500"

  # Neither an explicit gateway nor a discoverable one: nothing to route via.
  # NOTE(review): unlike the other diagnostics this message goes to stdout,
  # not stderr.
  if [ "x${intra_vrrp_ip}" == "x" ]; then
    echo "Either INTERFACE or SERVICE_GW is required: e.g. either -i bond0.22 or -g 10.23.22.1"
    usage
    exit 1
  fi

  # Rebuild table TABLE from scratch so it holds exactly one route: a
  # default route through the gateway. The flush makes this part
  # re-runnable.
  ip route flush table "${TABLE}"
  ip route add default via "${intra_vrrp_ip}" table "${TABLE}"

  # Set arp_announce=2 on the interface that faces the gateway. The
  # interface name is taken as the third field of the "ip route get" line
  # containing "dev".
  # NOTE(review): this assumes the gateway is directly connected
  # ("<ip> dev <if> ..."); if the kernel answers with "<ip> via <hop> dev <if>"
  # the third field is the hop address, not the device, and the write below
  # would target a non-existent /proc path and abort the script under -e.
  # An empty arp_intf has the same effect. Confirm against the expected
  # route output on the target hosts. ${intra_vrrp_ip} is also unquoted here.
  arp_intf=$(ip route get ${intra_vrrp_ip} | grep dev | awk '{print $3}')
  echo 2 > /proc/sys/net/ipv4/conf/${arp_intf}/arp_announce

  if [ "x$OVERLAP_CIDR" != "x" ]; then
    # NOTE: This is a work-around for nodes not receiving complete
    # routes via BGP.
    # NOTE(review): "ip route add" is not idempotent; on a second run the
    # route already exists and this line fails, aborting the script under -e.
    ip route add "${OVERLAP_CIDR}" via "${intra_vrrp_ip}"
  fi

  if [ "x$SERVICE_CIDR" != "x" ]; then
    # Traffic from the service IPs to pods should use the pod network:
    # the more specific rule (pref 10000) sends service->pod traffic to the
    # main table before the catch-all rule below is consulted.
    ip rule add \
      from "${SERVICE_CIDR}" \
      to "${POD_CIDR}" \
      lookup main \
      pref 10000
    # Other traffic from service IPs should only use the VRRP IP, i.e. the
    # single default route in TABLE.
    # NOTE(review): neither "ip rule add" is guarded against re-runs, so
    # repeated executions accumulate duplicate rules at the same preference.
    ip rule add \
      from "${SERVICE_CIDR}" \
      lookup "${TABLE}" \
      pref 10100
  fi