Provide a simpler example ifstated.conf.

The existing example was written over a decade ago, when carp(4) was not supporting carpdemote and did not track it's interfaces link state itself. OK jmc@, rob@
6 years ago · 4c830fd207
--- a/src/etc/examples/ifstated.conf
+++ b/src/etc/examples/ifstated.conf
@ -1,72 +1,52 @@
 # $OpenBSD: ifstated.conf,v 1.1 2014/07/11 16:36:35 deraadt Exp $
 # This is a sample config for a pair of firewalls with two interfaces
 # $OpenBSD: ifstated.conf,v 1.2 2018/01/20 23:07:58 mpf Exp $
 # This is a sample config for a pair of firewalls with three physical interfaces
 #
 # carp0 and carp1 have ip addresses on 192.168.3.0/24 and 192.168.6.0/24
 # respectively.

 # net.inet.carp.preempt must be enabled (set to 1) for this to work correctly.

 # Uncomment one of the following lines to force primary/backup status.
 # init-state primary
 # init-state backup

 carp_up = "carp0.link.up && carp1.link.up"
 carp_down = "!carp0.link.up && !carp1.link.up"
 carp_sync = "carp0.link.up && carp1.link.up || \
    !carp0.link.up && !carp1.link.up"

 # The "net" addresses are other addresses which can be used to determine
 # whether we have connectivity. Make sure the hosts are always up, or
 # test multiple ip's, 'or'-ing the tests.
 net = '( "ping -q -c 1 -w 1 192.168.6.8 > /dev/null" every 10 && \
    "ping -q -c 1 -w 1 192.168.3.8 > /dev/null" every 10)'

 # The peer addresses below are the real ip addresses of the OTHER firewall
 peer = '( "ping -q -c 1 -w 1 192.168.6.7 > /dev/null" every 10 && \
    "ping -q -c 1 -w 1 192.168.3.7 > /dev/null" every 10)'

 state auto {
 	if $carp_up
 		set-state primary
 	if $carp_down
 		set-state backup
 }

 state primary {
 	init {
 		run "ifconfig carp0 advskew 10"
 		run "ifconfig carp1 advskew 10"
 # The two firefall interfaces are made redundant on each side using 
 # carp0 and carp1.
 #
 # A third interface em2 connects each firewall to the DMZ where it can
 # reach a syslog server with the IP 192.168.1.10
 # 
 # This config does two things:
 #  1. Monitor the reachability of the syslog server and demote
 #     the carp interface group to provoke a failover if the syslog server
 #     is not reachable. We do that by using ping(1) and checking
 #     the link state of em2.
 #  2. Log carp failovers


 dmz_if_up = 'em2.link.up'
 dmz_if_down = 'em2.link.down'

 syslog_ok = '"ping -q -c 1 -w 1 192.168.1.10 >/dev/null 2>&1" every 10'

 # ifstated starts up with the first defined state
 state neutral {
 	if $dmz_if_down {
 		run "logger -st ifstated 'interface to syslog server em2 is down'"
 		set-state demoted
 	}
 	if ! $net
 	if ! $syslog_ok {
 		run "logger -st ifstated 'could not reach syslog server'"
 		set-state demoted
 	}
 }

 state demoted {
 	init {
 		run "ifconfig carp0 advskew 254"
 		run "ifconfig carp1 advskew 254"
 		run "ifconfig -g carp carpdemote" 
 	}
 	if $net
 		set-state primary
 }

 state promoted {
 	init {
 		run "ifconfig carp0 advskew 0"
 		run "ifconfig carp1 advskew 0"
 	if $dmz_if_up && $syslog_ok {
 		run "logger -st ifstated 'syslog server is ok again'"
 		# remove our carp demotion
 		run "ifconfig -g carp -carpdemote" 
 		set-state neutral
 	}
 	if $peer || ! $net
 		set-state backup
 }

 state backup {
 	init {
 		run "ifconfig carp0 advskew 100"
 		run "ifconfig carp1 advskew 100"
 	}
 	# The "sleep 5" below is a hack to dampen the $carp_sync when we come
 	# out of promoted state. Thinking about the correct fix...
 	if ! $carp_sync && $net && "sleep 5" every 10
 		if ! $carp_sync && $net
 			set-state promoted
 }
 # commands in the global scope are always run
 if carp0.link.up
 	run "logger -st ifstated 'carp0 is master'"
 if carp0.link.down
 	run "logger -st ifstated 'carp0 is backup'"