@ -1,4 +1,4 @@
# $OpenBSD: ifstated.conf,v 1.4 2004/04/28 01:01:27 deraadt Exp $
# $OpenBSD: ifstated.conf,v 1.5 2005/02/03 17:51:12 mpf Exp $
# This is a sample config for a pair of firewalls with two interfaces
# This is a sample config for a pair of firewalls with two interfaces
#
#
# carp0 and carp1 have ip addresses on 192.168.3.0/24 and 192.168.6.0/24
# carp0 and carp1 have ip addresses on 192.168.3.0/24 and 192.168.6.0/24
@ -10,28 +10,26 @@
# init-state primary
# init-state primary
# init-state backup
# init-state backup
carp_up = "((carp0 link up) and (carp1 link up)) "
carp_down = "((! carp0 link up) and (! carp1 link up)) "
carp_sync = "((carp0 link up and carp1 link up) or \
((!carp0 link up) and (!carp1 link up))) "
carp_up = "carp0.link.up && carp1.link.up "
carp_down = "!carp0.link.up && !carp1.link.up "
carp_sync = "carp0.link.up && carp1.link.up || \
!carp0.link.up && !carp1.link.up "
# The "net" addresses are other addresses which can be used to determine
# The "net" addresses are other addresses which can be used to determine
# whether we have connectivity. Make sure the hosts are always up, or
# whether we have connectivity. Make sure the hosts are always up, or
# test multiple ip's, 'or'-ing the tests.
# test multiple ip's, 'or'-ing the tests.
net = '( "ping -q -c 1 -w 1 192.168.6.8 > /dev/null" every 10 and \
net = '( "ping -q -c 1 -w 1 192.168.6.8 > /dev/null" every 10 && \
"ping -q -c 1 -w 1 192.168.3.8 > /dev/null" every 10)'
"ping -q -c 1 -w 1 192.168.3.8 > /dev/null" every 10)'
# The peer addresses below are the real ip addresses of the OTHER firewall
# The peer addresses below are the real ip addresses of the OTHER firewall
peer = '( "ping -q -c 1 -w 1 192.168.6.7 > /dev/null" every 10 and \
peer = '( "ping -q -c 1 -w 1 192.168.6.7 > /dev/null" every 10 && \
"ping -q -c 1 -w 1 192.168.3.7 > /dev/null" every 10)'
"ping -q -c 1 -w 1 192.168.3.7 > /dev/null" every 10)'
state auto {
state auto {
if $carp_up {
if $carp_up
set-state primary
set-state primary
}
if $carp_down {
if $carp_down
set-state backup
set-state backup
}
}
}
state primary {
state primary {
@ -39,9 +37,8 @@ state primary {
run "ifconfig carp0 advskew 10"
run "ifconfig carp0 advskew 10"
run "ifconfig carp1 advskew 10"
run "ifconfig carp1 advskew 10"
}
}
if ! $net {
if ! $net
set-state demoted
set-state demoted
}
}
}
state demoted {
state demoted {
@ -49,9 +46,8 @@ state demoted {
run "ifconfig carp0 advskew 254"
run "ifconfig carp0 advskew 254"
run "ifconfig carp1 advskew 254"
run "ifconfig carp1 advskew 254"
}
}
if $net {
if $net
set-state primary
set-state primary
}
}
}
state promoted {
state promoted {
@ -59,9 +55,8 @@ state promoted {
run "ifconfig carp0 advskew 0"
run "ifconfig carp0 advskew 0"
run "ifconfig carp1 advskew 0"
run "ifconfig carp1 advskew 0"
}
}
if $peer or ! $net {
if $peer || ! $net
set-state backup
set-state backup
}
}
}
state backup {
state backup {
@ -71,9 +66,7 @@ state backup {
}
}
# The "sleep 5" below is a hack to dampen the $carp_sync when we come
# The "sleep 5" below is a hack to dampen the $carp_sync when we come
# out of promoted state. Thinking about the correct fix...
# out of promoted state. Thinking about the correct fix...
if ! $carp_sync and $net and "sleep 5" every 10 {
if (! $carp_sync) and $net {
if ! $carp_sync && $net && "sleep 5" every 10
if ! $carp_sync && $net
set-state promoted
set-state promoted
}
}
}
}
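Review bot: The rewritten `carp_sync` macro in the second hunk drops the parentheses the old definition had and now relies on `&&` binding tighter than `||`; ifstated's expression grammar is not visible from the diff, and if it grouped left-to-right, `a && b || c && d` would read as `((a && b) || c) && d`, which is false when both carp interfaces are up, so a backup would never see itself in sync with the master. Keeping the grouping explicit costs nothing and documents the intent: `carp_sync = "(carp0.link.up && carp1.link.up) || \` followed by `(!carp0.link.up && !carp1.link.up) "`. Separately, `$net` and `$peer` each hinge on one `ping -q -c 1 -w 1` probe every 10 seconds, so a single lost packet, or anyone on the path able to drop ICMP between the firewall and 192.168.6.8 / 192.168.3.8, is enough to move the master to `demoted` (advskew 254) and force a CARP failover. The "Make sure the hosts are always up" comment could state that failure mode outright and point at the or'ing of several targets it already mentions, or at a larger `-c` count, rather than leaving the reader to infer it.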