mcbride
20 years ago
1 changed files with 77 additions and 0 deletions
Split View
Diff Options
-
+77 -0src/etc/ifstated.conf
+ 77
- 0
src/etc/ifstated.conf
View File
| @ -0,0 +1,77 @@ | |||
| # $OpenBSD: ifstated.conf,v 1.1 2004/02/04 23:49:36 mcbride Exp $ | |||
| # This is a sample config for a pair of firewalls with two interfaces | |||
| # | |||
| # carp0 and carp1 have ip addresses on 192.168.3.0/24 and 192.168.6.0/24 | |||
| # respectively. | |||
| # Uncomment one of the following lines to force primary/backup status. | |||
| # init state primary | |||
| # init-state backup | |||
| carp_up = "((carp0 link up) and (carp1 link up))" | |||
| carp_down = "((! carp0 link up) and (! carp1 link up))" | |||
| carp_sync = "((carp0 link up and carp1 link up) or \ | |||
| ((!carp0 link up) and (!carp1 link up)))" | |||
| # The "net" addresses are other addresses which can be used to determine | |||
| # whether we have connectivity. Make sure the hosts are always up, or | |||
| # test multiple ip's, 'or'-ing the tests. | |||
| net = '( "ping -q -c 1 -w 1 192.168.6.8 > /dev/null" every 10 and \ | |||
| "ping -q -c 1 -w 1 192.168.3.8 > /dev/null" every 10)' | |||
| # The peer addresses below are the real ip addresses of the OTHER firewall | |||
| peer = '( "ping -q -c 1 -w 1 192.168.6.7 > /dev/null" every 10 and \ | |||
| "ping -q -c 1 -w 1 192.168.3.7 > /dev/null" every 10)' | |||
| state auto { | |||
| if $carp_up { | |||
| set-state primary | |||
| } | |||
| if $carp_down { | |||
| set-state backup | |||
| } | |||
| } | |||
| state primary { | |||
| init { | |||
| run "ifconfig carp0 advskew 10" | |||
| run "ifconfig carp1 advskew 10" | |||
| } | |||
| if ! $net { | |||
| set-state demoted | |||
| } | |||
| } | |||
| state demoted { | |||
| init { | |||
| run "ifconfig carp0 advskew 254" | |||
| run "ifconfig carp1 advskew 254" | |||
| } | |||
| if $net { | |||
| set-state primary | |||
| } | |||
| } | |||
| state promoted { | |||
| init { | |||
| run "ifconfig carp0 advskew 0" | |||
| run "ifconfig carp1 advskew 0" | |||
| } | |||
| if $peer or ! $net { | |||
| set-state backup | |||
| } | |||
| } | |||
| state backup { | |||
| init { | |||
| run "ifconfig carp0 advskew 100" | |||
| run "ifconfig carp1 advskew 100" | |||
| } | |||
| # The "sleep 5" below is a hack to dampen the $carp_sync when we come | |||
| # out of promoted state. Thinking about the correct fix... | |||
| if ! $carp_sync and $net and "sleep 5" every 10 { | |||
| if (! $carp_sync) and $net { | |||
| set-state promoted | |||
| } | |||
| } | |||
| } | |||