Commit 5de04da0 authored by Vitaly Lipatov's avatar Vitaly Lipatov

route-update: flush routes via commented-out gateways; route-health: stricter tunnel checks

route-update.sh: - After loading routes, detect and remove routes via gateways that were commented out or removed from the gateway file. Previously only stale destination IPs were cleaned up, leaving routes via disabled gateways. route-health.sh: - For tunnel gateways (ikev2/gre/openconnect/ovpn/xray/amneziawg/cloak/warp), require VPN status and iperf3 data — missing data means dead, not skip. - Use base (v4) tag for VPN/iperf3 lookups on .v6 gateways (they share tunnel). - Reduce ping query window from 3m to 1m (matches Telegraf 30s interval). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
parent 385b6521
......@@ -41,7 +41,7 @@ trap 'rm -f "$HEALTH_DATA" "$VPN_DATA" "$IPERF_DATA"' EXIT
response=$(curl -sG "$INFLUXDB_URL" \
--data-urlencode "db=$INFLUXDB_DB" \
--data-urlencode "q=SELECT last(percent_packet_loss) FROM ping WHERE time > now() - 3m GROUP BY gateway" \
--data-urlencode "q=SELECT last(percent_packet_loss) FROM ping WHERE time > now() - 1m GROUP BY gateway" \
--max-time 5 2>/dev/null)
vpn_response=$(curl -sG "$INFLUXDB_URL" \
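Review bot: With `time > now() - 1m` and a 30s Telegraf interval at most two ping samples fall inside the window, so a single late or dropped write leaves the gateway without a `last()` row, and the later hunk treats missing ping data as dead (`# Check ping — no data or high loss = dead`), which can flap a healthy gateway to dead and back. If one missed sample should not flip state, keep the window at two to three intervals (`now() - 90s`) or require the miss to persist across two consecutive runs before declaring dead. Separately, `-s` together with `2>/dev/null` leaves no trace when curl itself fails (DNS, timeout, refused), so an InfluxDB outage and an empty result look the same; `curl -sS` keeps curl's own error on stderr while staying quiet otherwise.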
......@@ -85,28 +85,50 @@ if [ -n "$SHOW" ] ; then
echo
fi
# Check if tag is a tunnel gateway (expects VPN monitoring)
is_tunnel_gw()
{
case "$1" in
ikev2.*|gre.*|openconnect.*|ovpn.*|xray.*|amneziawg.*|cloak.*|warp*) return 0 ;;
*) return 1 ;;
esac
}
# Get health status for a monitor tag
# Usage: get_health TAG
# Returns: healthy, degraded, dead
# Returns: healthy, dead
# Checks: VPN tunnel status, iperf3 bandwidth, packet loss (ping)
# For tunnel gateways: connected = VPN up + ping through tunnel
get_health()
{
local tag="$1"
# For .v6 tags, VPN/iperf3 data is under the base (v4) tag
local base_tag="${tag%.v6}"
# Check VPN status first — if tunnel is down, immediately dead
local vpn=$(grep "^${tag} " "$VPN_DATA" 2>/dev/null | awk '{print $2}')
# Check VPN status — connected requires vpn=1 AND ping success
local vpn=$(grep "^${base_tag} " "$VPN_DATA" 2>/dev/null | awk '{print $2}')
if [ "$vpn" = "0" ] ; then
echo "dead"
return
fi
# For tunnel gateways, missing VPN data = dead (container unreachable)
if [ -z "$vpn" ] && is_tunnel_gw "$tag" ; then
echo "dead"
return
fi
# Check iperf3 — if test failed (success=0), dead
local iperf_success=$(grep "^${tag} " "$IPERF_DATA" 2>/dev/null | awk '{print $2}')
# Check iperf3 — if test failed or no data for tunnel gw, dead
local iperf_success=$(grep "^${base_tag} " "$IPERF_DATA" 2>/dev/null | awk '{print $2}')
if [ "$iperf_success" = "0" ] ; then
echo "dead"
return
fi
if [ -z "$iperf_success" ] && is_tunnel_gw "$tag" ; then
echo "dead"
return
fi
# Check ping — no data or high loss = dead
local loss=$(grep "^${tag} " "$HEALTH_DATA" | awk '{print $2}')
if [ -z "$loss" ] ; then
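Review bot: `base_tag` is spliced unescaped into a grep regex on the new lines `grep "^${base_tag} " "$VPN_DATA"` and `grep "^${base_tag} " "$IPERF_DATA"` (the pre-existing `$HEALTH_DATA` lookup has the same shape), so the dot in tags such as `ikev2.foo` matches any character and a tag containing other regex metacharacters can match the wrong row or make grep fail. An exact first-field comparison avoids both problems: `local vpn; vpn=$(awk -v t="$base_tag" '$1 == t {print $2}' "$VPN_DATA" 2>/dev/null)`, and likewise for `iperf_success`. Splitting the declaration from the assignment also stops `local` from masking the command's exit status (ShellCheck SC2155). get_health continues past the end of this hunk, so the ping branch is not visible here.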
......@@ -709,6 +709,29 @@ for line in sys.stdin:
fi
rm -f "$stale"
# Remove routes via commented-out or removed gateways
local _active_gws=$(mktemp)
read_values "$_gwdir/gateway" | while IFS= read -r gw_line ; do
parse_gw_line "$gw_line" "$_ipcmd"
[ -n "$gw_ip" ] && echo "$gw_ip"
done | sort -u > "$_active_gws"
local _table_gws=$(mktemp)
$_ipcmd route show table "$_table" 2>/dev/null | \
awk '{for(i=1;i<=NF;i++) if($i=="via") print $(i+1)}' | \
sort -u > "$_table_gws"
local _stale_gw_list=$(comm -23 "$_table_gws" "$_active_gws")
rm -f "$_active_gws" "$_table_gws"
if [ -n "$_stale_gw_list" ] ; then
for _old_gw in $_stale_gw_list ; do
local _gw_cnt=$($_ipcmd route show table "$_table" 2>/dev/null | grep -c "via $_old_gw ")
log "$_tag$_label removing $_gw_cnt routes via stale gateway $_old_gw"
$_ipcmd route flush table "$_table" via "$_old_gw" 2>/dev/null || true
done
fi
# Verify route count (unique dst IPs)
local actual=$($_ipcmd route show table "$_table" 2>/dev/null | awk '/^[^\t ]/{print $1}' | sort -u | wc -l)
if [ "$actual" != "$count" ] ; then
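Review bot: An empty active-gateway list flushes every route in the table: if `read_values "$_gwdir/gateway"` or `parse_gw_line` fails, or the file is momentarily empty or unreadable, `$_active_gws` has no lines, `comm -23` then reports every gateway found in the table as stale, and the loop below removes all routes via each of them. Since the pipeline building `$_active_gws` has no status check (and `local _active_gws=$(mktemp)` also hides a mktemp failure, SC2155), the cleanup should be skipped and logged when no gateway was parsed, as sketched below; if a fully commented-out gateway file is a legitimate state, a log line there is still cheaper than an unexplained table wipe. Two smaller points: the temp files are not covered by any cleanup trap visible in this hunk, so an abort between `mktemp` and `rm -f` leaks them, and `grep -c "via $_old_gw "` uses the address as a regex where `grep -cF -- "via $_old_gw "` is the exact match intended. The enclosing function starts and ends outside this hunk.
```shell
local _active_gws
_active_gws=$(mktemp) || { log "$_tag$_label mktemp failed, skipping stale-gateway cleanup"; return 1; }
# … unchanged: build $_active_gws from the gateway file …
if [ ! -s "$_active_gws" ] ; then
    log "$_tag$_label no active gateways parsed from $_gwdir/gateway, skipping stale-gateway flush"
    rm -f "$_active_gws"
else
    local _table_gws
    _table_gws=$(mktemp)
    # … unchanged: collect table gateways, comm -23, flush loop …
    rm -f "$_active_gws" "$_table_gws"
fi
```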