-rw-r--r-- | etc/examples/ifstated.conf | 102 |
1 files changed, 41 insertions, 61 deletions
diff --git a/etc/examples/ifstated.conf b/etc/examples/ifstated.conf
index da2163f8e08..7a3b326ee43 100644
--- a/etc/examples/ifstated.conf
+++ b/etc/examples/ifstated.conf
@@ -1,72 +1,52 @@
-# $OpenBSD: ifstated.conf,v 1.1 2014/07/11 16:36:35 deraadt Exp $
-# This is a sample config for a pair of firewalls with two interfaces
+# $OpenBSD: ifstated.conf,v 1.2 2018/01/20 23:07:58 mpf Exp $
+# This is a sample config for a pair of firewalls with three physical interfaces
 #
-# carp0 and carp1 have ip addresses on 192.168.3.0/24 and 192.168.6.0/24
-# respectively.
-
-# net.inet.carp.preempt must be enabled (set to 1) for this to work correctly.
-
-# Uncomment one of the following lines to force primary/backup status.
-# init-state primary
-# init-state backup
-
-carp_up = "carp0.link.up && carp1.link.up"
-carp_down = "!carp0.link.up && !carp1.link.up"
-carp_sync = "carp0.link.up && carp1.link.up || \
- !carp0.link.up && !carp1.link.up"
-
-# The "net" addresses are other addresses which can be used to determine
-# whether we have connectivity. Make sure the hosts are always up, or
-# test multiple ip's, 'or'-ing the tests.
-net = '( "ping -q -c 1 -w 1 192.168.6.8 > /dev/null" every 10 && \
- "ping -q -c 1 -w 1 192.168.3.8 > /dev/null" every 10)'
-
-# The peer addresses below are the real ip addresses of the OTHER firewall
-peer = '( "ping -q -c 1 -w 1 192.168.6.7 > /dev/null" every 10 && \
- "ping -q -c 1 -w 1 192.168.3.7 > /dev/null" every 10)'
-
-state auto {
- if $carp_up
- set-state primary
- if $carp_down
- set-state backup
-}
-
-state primary {
- init {
- run "ifconfig carp0 advskew 10"
- run "ifconfig carp1 advskew 10"
+# The two firefall interfaces are made redundant on each side using
+# carp0 and carp1.
+#
+# A third interface em2 connects each firewall to the DMZ where it can
+# reach a syslog server with the IP 192.168.1.10
+#
+# This config does two things:
+# 1. Monitor the reachability of the syslog server and demote
+# the carp interface group to provoke a failover if the syslog server
+# is not reachable. We do that by using ping(1) and checking
+# the link state of em2.
+# 2. Log carp failovers
+
+
+dmz_if_up = 'em2.link.up'
+dmz_if_down = 'em2.link.down'
+
+syslog_ok = '"ping -q -c 1 -w 1 192.168.1.10 >/dev/null 2>&1" every 10'
+
+# ifstated starts up with the first defined state
+state neutral {
+ if $dmz_if_down {
+ run "logger -st ifstated 'interface to syslog server em2 is down'"
+ set-state demoted
 }
- if ! $net
+ if ! $syslog_ok {
+ run "logger -st ifstated 'could not reach syslog server'"
 set-state demoted
+ }
 }
 
 state demoted {
 init {
- run "ifconfig carp0 advskew 254"
- run "ifconfig carp1 advskew 254"
+ run "ifconfig -g carp carpdemote"
 }
- if $net
- set-state primary
-}
-
-state promoted {
- init {
- run "ifconfig carp0 advskew 0"
- run "ifconfig carp1 advskew 0"
+ if $dmz_if_up && $syslog_ok {
+ run "logger -st ifstated 'syslog server is ok again'"
+ # remove our carp demotion
+ run "ifconfig -g carp -carpdemote"
+ set-state neutral
 }
- if $peer || ! $net
- set-state backup
 }
 
-state backup {
- init {
- run "ifconfig carp0 advskew 100"
- run "ifconfig carp1 advskew 100"
- }
- # The "sleep 5" below is a hack to dampen the $carp_sync when we come
- # out of promoted state. Thinking about the correct fix...
- if ! $carp_sync && $net && "sleep 5" every 10
- if ! $carp_sync && $net
- set-state promoted
-}
+# commands in the global scope are always run
+if carp0.link.up
+ run "logger -st ifstated 'carp0 is master'"
+if carp0.link.down
+ run "logger -st ifstated 'carp0 is backup'"
+
|
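Review bot: The new `syslog_ok` test is `ping -q -c 1 -w 1`, so a single unanswered echo request in a 10-second interval moves `neutral` to `demoted` and demotes the whole carp group, which makes failover exactly as fragile as the ICMP path to 192.168.1.10 and invites flapping on a lossy or ICMP-filtered DMZ link; recovery also requires the same single-packet probe to succeed again. Since OpenBSD ping(1) exits 0 when at least one reply arrives, a wider probe tolerates isolated loss without changing the state machine, e.g. `syslog_ok = '"ping -q -c 3 -w 3 192.168.1.10 >/dev/null 2>&1" every 10'`, and the header comment should say that reachability of this one host drives demotion so readers size the probe for their network. The new header comment also has a typo: `# The two firewall interfaces are made redundant on each side using`.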