Bug 1026367 - Improving oo-admin-ctl-iptables-port-proxy "UI"

Previously the restart, reload, stop and status commands were noop. This can be confusing for admins. Now: stop: flushes the rhc-app-comm chain restart: calls stop then start reload: calls start status: removed The motivation for this is the following: 1 Admin sees something weird with the rhc-app-comm chain not working as expected 2 Admin runs `for s in 'iptables network openshift-iptables-port-proxy'; do server $s restart' 3 Admin notices rhc-app-comm is still empty and is really confused In this case the event that trigged #1 is that net.ipv4.conf.all.route_localnet wasn't set in /etc/sysctl.conf.
openshift · Nov 4, 2013 · b6c3655 · b6c3655
1 parent 748d0bf
commit b6c3655
Showing 1 changed file with 24 additions and 10 deletions.
diff --git a/node/misc/sbin/oo-admin-ctl-iptables-port-proxy b/node/misc/sbin/oo-admin-ctl-iptables-port-proxy
@@ -6,25 +6,39 @@
 # Description: Script to apply the openshift port proxy iptables rules.
 ### END INIT INFO
 
+start() {
+    if [ -f /etc/openshift/iptables.filter.rules ]; then
+      { echo "*filter"; cat /etc/openshift/iptables.filter.rules; echo "COMMIT"; } | iptables-restore -n
+    fi
+
+    if [ -f /etc/openshift/iptables.nat.rules ]; then
+      { echo "*nat"; cat /etc/openshift/iptables.nat.rules; echo "COMMIT"; } | iptables-restore -n
+    fi
+}
+
+stop() {
+    # Droping the reference from the input chain would needlessly complicate
+    # this logic.  For that reason we can't actually drop the chain.  This will
+    # allow admins to flush the chain if needed.
+    iptables -F rhc-app-comm
+}
+
 case "$1" in
     start)
-        if [ -f /etc/openshift/iptables.filter.rules ]; then
-          { echo "*filter"; cat /etc/openshift/iptables.filter.rules; echo "COMMIT"; } | iptables-restore -n
-        fi
-
-        if [ -f /etc/openshift/iptables.nat.rules ]; then
-          { echo "*nat"; cat /etc/openshift/iptables.nat.rules; echo "COMMIT"; } | iptables-restore -n
-        fi
+        start
         ;;
     stop)
+        stop
         ;;
     restart)
+        stop
+        start
         ;;
     reload)
-        ;;
-    status)
+	# Calling stop could cause an outage.  It's best to simply call start.
+        start
         ;;
     *)
-        echo $"Usage: $0 {start|stop|status|restart|reload}"
+        echo $"Usage: $0 {start|stop|restart|reload}"
         exit 2
 esac