- # $OpenBSD: ifstated.conf,v 1.6 2005/02/07 06:08:10 david Exp $
- # This is a sample config for a pair of firewalls with two interfaces
- #
- # carp0 and carp1 have ip addresses on 192.168.3.0/24 and 192.168.6.0/24
- # respectively.
-
- # net.inet.carp.preempt must be enabled (set to 1) for this to work correctly.
-
- # Uncomment one of the following lines to force primary/backup status.
- # init-state primary
- # init-state backup
-
- carp_up = "carp0.link.up && carp1.link.up"
- carp_down = "!carp0.link.up && !carp1.link.up"
- carp_sync = "carp0.link.up && carp1.link.up || \
- !carp0.link.up && !carp1.link.up"
-
- # The "net" addresses are other addresses which can be used to determine
- # whether we have connectivity. Make sure the hosts are always up, or
- # test multiple ip's, 'or'-ing the tests.
- net = '( "ping -q -c 1 -w 1 192.168.6.8 > /dev/null" every 10 && \
- "ping -q -c 1 -w 1 192.168.3.8 > /dev/null" every 10)'
-
- # The peer addresses below are the real ip addresses of the OTHER firewall
- peer = '( "ping -q -c 1 -w 1 192.168.6.7 > /dev/null" every 10 && \
- "ping -q -c 1 -w 1 192.168.3.7 > /dev/null" every 10)'
-
- state auto {
- if $carp_up
- set-state primary
- if $carp_down
- set-state backup
- }
-
- state primary {
- init {
- run "ifconfig carp0 advskew 10"
- run "ifconfig carp1 advskew 10"
- }
- if ! $net
- set-state demoted
- }
-
- state demoted {
- init {
- run "ifconfig carp0 advskew 254"
- run "ifconfig carp1 advskew 254"
- }
- if $net
- set-state primary
- }
-
- state promoted {
- init {
- run "ifconfig carp0 advskew 0"
- run "ifconfig carp1 advskew 0"
- }
- if $peer || ! $net
- set-state backup
- }
-
- state backup {
- init {
- run "ifconfig carp0 advskew 100"
- run "ifconfig carp1 advskew 100"
- }
- # The "sleep 5" below is a hack to dampen the $carp_sync when we come
- # out of promoted state. Thinking about the correct fix...
- if ! $carp_sync && $net && "sleep 5" every 10
- if ! $carp_sync && $net
- set-state promoted
- }
|
