summaryrefslogtreecommitdiff
path: root/etc/ifstated.conf
blob: 2ba071e914ee853b6f776fc120ca5c961baee87c (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
# $OpenBSD: ifstated.conf,v 1.2 2004/03/17 23:58:27 mcbride Exp $
# This is a sample config for a pair of firewalls with two interfaces
#
# carp0 and carp1 have ip addresses on 192.168.3.0/24 and 192.168.6.0/24
# respectively. 

# net.inet.carp.preempt must be enabled (set to 1) for this to work correctly.

# Uncomment one of the following lines to force primary/backup status.
# init state primary
# init-state backup

carp_up = "((carp0 link up) and (carp1 link up))"
carp_down = "((! carp0 link up) and (! carp1 link up))"
carp_sync = "((carp0 link up and carp1 link up) or \
    ((!carp0 link up) and (!carp1 link up)))"

# The "net" addresses are other addresses which can be used to determine
# whether we have connectivity. Make sure the hosts are always up, or 
# test multiple ip's, 'or'-ing the tests.
net = '( "ping -q -c 1 -w 1 192.168.6.8 > /dev/null" every 10 and \
    "ping -q -c 1 -w 1 192.168.3.8 > /dev/null" every 10)'

# The peer addresses below are the real ip addresses of the OTHER firewall
peer = '( "ping -q -c 1 -w 1 192.168.6.7 > /dev/null" every 10 and \
    "ping -q -c 1 -w 1 192.168.3.7 > /dev/null" every 10)'

state auto {
	if $carp_up {
		set-state primary
	}
	if $carp_down {
		set-state backup
	}	
}

state primary {
	init {
		run "ifconfig carp0 advskew 10"
		run "ifconfig carp1 advskew 10"
	}
        if ! $net {
                set-state demoted
        }
}

state demoted {
	init {
		run "ifconfig carp0 advskew 254"
		run "ifconfig carp1 advskew 254"
	}
        if $net {
                set-state primary
        }
}

state promoted {
	init {
		run "ifconfig carp0 advskew 0"
		run "ifconfig carp1 advskew 0"
	}
	if $peer or ! $net {
		set-state backup
	}
}

state backup {
	init {
		run "ifconfig carp0 advskew 100"
		run "ifconfig carp1 advskew 100"
	}
	# The "sleep 5" below is a hack to dampen the $carp_sync when we come
        # out of promoted state. Thinking about the correct fix...
	if ! $carp_sync and $net and "sleep 5" every 10 {
		if (! $carp_sync) and $net {
			set-state promoted
		}
	}
}