From 22dd96707e48934282f3e7634a79a1ba44971c2b Mon Sep 17 00:00:00 2001
From: mcbride <>
Date: Wed, 4 Feb 2004 23:49:36 +0000
Subject: [PATCH] Add initial sample config for ifstated. Syntax will change. ok deraadt@
---
 src/etc/ifstated.conf | 77 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 77 insertions(+)
 create mode 100644 src/etc/ifstated.conf
diff --git a/src/etc/ifstated.conf b/src/etc/ifstated.conf
new file mode 100644
index 00000000..ecdbe9c4
--- /dev/null
+++ b/src/etc/ifstated.conf
@@ -0,0 +1,77 @@
+# $OpenBSD: ifstated.conf,v 1.1 2004/02/04 23:49:36 mcbride Exp $
+# This is a sample config for a pair of firewalls with two interfaces
+#
+# carp0 and carp1 have ip addresses on 192.168.3.0/24 and 192.168.6.0/24
+# respectively.
+
+# Uncomment one of the following lines to force primary/backup status.
+# init state primary
+# init-state backup
+
+carp_up = "((carp0 link up) and (carp1 link up))"
+carp_down = "((! carp0 link up) and (! carp1 link up))"
+carp_sync = "((carp0 link up and carp1 link up) or \
+ ((!carp0 link up) and (!carp1 link up)))"
+
+# The "net" addresses are other addresses which can be used to determine
+# whether we have connectivity. Make sure the hosts are always up, or
+# test multiple ip's, 'or'-ing the tests.
+net = '( "ping -q -c 1 -w 1 192.168.6.8 > /dev/null" every 10 and \
+ "ping -q -c 1 -w 1 192.168.3.8 > /dev/null" every 10)'
+
+# The peer addresses below are the real ip addresses of the OTHER firewall
+peer = '( "ping -q -c 1 -w 1 192.168.6.7 > /dev/null" every 10 and \
+ "ping -q -c 1 -w 1 192.168.3.7 > /dev/null" every 10)'
+
+state auto {
+ if $carp_up {
+ set-state primary
+ }
+ if $carp_down {
+ set-state backup
+ }
+}
+
+state primary {
+ init {
+ run "ifconfig carp0 advskew 10"
+ run "ifconfig carp1 advskew 10"
+ }
+ if ! $net {
+ set-state demoted
+ }
+}
+
+state demoted {
+ init {
+ run "ifconfig carp0 advskew 254"
+ run "ifconfig carp1 advskew 254"
+ }
+ if $net {
+ set-state primary
+ }
+}
+
+state promoted {
+ init {
+ run "ifconfig carp0 advskew 0"
+ run "ifconfig carp1 advskew 0"
+ }
+ if $peer or ! $net {
+ set-state backup
+ }
+}
+
+state backup {
+ init {
+ run "ifconfig carp0 advskew 100"
+ run "ifconfig carp1 advskew 100"
+ }
+ # The "sleep 5" below is a hack to dampen the $carp_sync when we come
+ # out of promoted state. Thinking about the correct fix...
+ if ! $carp_sync and $net and "sleep 5" every 10 {
+ if (! $carp_sync) and $net {
+ set-state promoted
+ }
+ }
+}
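Review bot: The two commented-out examples near the top of the file, `# init state primary` and `# init-state backup`, spell the directive two different ways, so whichever form the parser accepts, a user who uncomments the other one gets a parse error instead of a forced state. The rest of the file uses the hyphenated `set-state`, so the hyphenated form is presumably the intended one; I would change the first line to `# init-state primary`. Separately, the `net` and `peer` expressions are shell command strings (`> /dev/null` redirection) whose result drives `advskew` changes and therefore CARP failover, and each subnet is probed through a single address; the comment above `net` does say to keep those hosts up or `or` several probes, but it would help operators to state explicitly that a probe host outage is indistinguishable from a link failure and will demote the primary, e.g. `# NOTE: if a probe host goes down the primary will be demoted; prefer several probe hosts per subnet.`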