# CONFIGURED BY ANSIBLE
#
# Guest-cluster ruleset, rendered per node as a Jinja template ({{pub_ip}} is
# filled in by Ansible). Flow as the rules below are written:
#   1. diy-dnat (prerouting, -300) rewrites inbound TCP/80 arriving on $nic to the
#      guest 10.5.5.201 and sets meta mark 0x01.
#   2. convergent-inbound (netdev ingress on eth1.100 / eth2.100) marks frames by
#      source-MAC prefix: 0a:… -> 0x01, 0e:… -> 0x02.
#   3. to-guest (postrouting towards $guests) copies a non-zero meta mark into the
#      conntrack mark so the reply direction can see which node the flow came from.
#   4. dunnat-spoof (postrouting, 90) rewrites the reply source address by ct mark;
#      all other guest traffic is SNATed to {{pub_ip}} in the nat table (100).
define nic = xenbr0       # uplink / public-facing bridge
define guests = guestbr0  # bridge carrying the 10.5.5.0/24 guests

# Atomic replace of the whole ruleset: every table on the host is dropped on each
# apply, including any rule added outside this file.
flush ruleset

table ip stateless-dnat {
    # "Stateless" DNAT: priority -300 (raw) runs ahead of conntrack (-200), so the
    # connection is tracked with the rewritten destination already in place.
    chain diy-dnat {
        type filter hook prerouting priority -300;
        # NOTE(review): there is no `ip daddr` match, so every TCP/80 packet that
        # enters on $nic is redirected to 10.5.5.201, not only traffic addressed
        # to this node — confirm that is intended (an `ip daddr {{pub_ip}}` match
        # would scope it).
        iif $nic tcp dport 80 meta mark set 0x01 ip daddr set 10.5.5.201
    }
    # Undo the DNAT on the reply path: put back the address the client originally
    # talked to, selected by the conntrack mark stamped in to-guest.
    # Priority 90 runs before the nat postrouting chain (100); a packet rewritten
    # here no longer matches that chain's `ip saddr 10.5.5.0/24` SNAT rule, which
    # is why the blanket {{pub_ip}} variant at the bottom is commented out.
    chain dunnat-spoof {
        type filter hook postrouting priority 90;
        # spoof ourselves or the other node while d-un-natting
        # NOTE(review): node addresses are hard-coded here while the nat table is
        # templated with {{pub_ip}}; 0x01 appears to be node1 per the comment
        # below, 0x02 presumably the other node — keep these in step with the
        # inventory.
        oif $nic ip saddr 10.5.5.0/24 ct mark == 0x01 ip saddr set 192.168.122.11
        oif $nic ip saddr 10.5.5.0/24 ct mark == 0x02 ip saddr set 192.168.122.12
        # local traffic e.g. pub_ip 192.168.122.11 for node1
        # this conflicts with snat below, using tags instead
        #oif $nic ip saddr 10.5.5.0/24 ip saddr set {{pub_ip}}
    }
}

# Per-node classification on the .100 VLAN sub-interfaces the comment below ties
# to the cluster nodes.
table netdev guest-cluster {
    chain convergent-inbound {
        type filter hook ingress devices = { eth1.100, eth2.100 } priority -500;
        # nodes - eth{1,2}.100 bitmask wildcards
        # The first three octets of the source MAC identify the sending node; the
        # resulting meta mark is what to-guest later copies into the ct mark.
        # NOTE(review): this decision rests on an unauthenticated MAC prefix, so
        # it is only sound if these VLANs carry cluster nodes exclusively —
        # confirm.
        # Earlier DSCP-based variant, superseded by the meta marks below:
        #ether saddr & ff:ff:ff:00:00:00 == 0a:00:00:00:00:00 ip dscp set cs1
        #ether saddr & ff:ff:ff:00:00:00 == 0e:00:00:00:00:00 ip dscp set cs2
        ether saddr & ff:ff:ff:00:00:00 == 0a:00:00:00:00:00 meta mark set 0x01
        ether saddr & ff:ff:ff:00:00:00 == 0e:00:00:00:00:00 meta mark set 0x02
    }
    chain convergent-outbound {
        type filter hook egress devices = { eth1.100, eth2.100 } priority -500;
        # Keep ARP for 10.5.5.254 off the inter-node link — presumably an address
        # each node holds locally, so the peer must not learn it from here.
        # TODO confirm.
        arp saddr ip 10.5.5.254 drop
        arp daddr ip 10.5.5.254 drop
    }
}

# requires br_netfilter module to be loaded
# (bridged traffic towards $guests only traverses the ip postrouting hook when
# br_netfilter is active; without it this chain never sees the packets)
table ip bridge-state {
    chain to-guest {
        type filter hook postrouting priority 0;
        # Earlier DSCP-based variant, superseded by the meta-mark copy below:
        #oif $guests ip daddr 10.5.5.0/24 ip dscp != cs0 ct mark set 0x02
        # Persist the per-packet mark into the connection so the reply direction
        # (dunnat-spoof) can pick the matching source address.
        oif $guests ip daddr 10.5.5.0/24 meta mark != 0 ct mark set meta mark
    }
}

# outbound traffic for guests, with states
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        # Guest traffic not already rewritten by dunnat-spoof (priority 90) leaves
        # with this node's public address via conntrack-based SNAT.
        # NOTE(review): current nft releases spell this `snat to <addr>`; confirm
        # the target nft version accepts the bare form.
        oif $nic ip saddr 10.5.5.0/24 snat {{pub_ip}}
    }
}