=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/etc/Attic/ifstated.conf,v retrieving revision 1.4 retrieving revision 1.5 diff -c -r1.4 -r1.5 *** src/etc/Attic/ifstated.conf 2004/04/28 01:01:27 1.4 --- src/etc/Attic/ifstated.conf 2005/02/03 17:51:12 1.5 *************** *** 1,4 **** ! # $OpenBSD: ifstated.conf,v 1.4 2004/04/28 01:01:27 deraadt Exp $ # This is a sample config for a pair of firewalls with two interfaces # # carp0 and carp1 have ip addresses on 192.168.3.0/24 and 192.168.6.0/24 --- 1,4 ---- ! # $OpenBSD: ifstated.conf,v 1.5 2005/02/03 17:51:12 mpf Exp $ # This is a sample config for a pair of firewalls with two interfaces # # carp0 and carp1 have ip addresses on 192.168.3.0/24 and 192.168.6.0/24 *************** *** 10,37 **** # init-state primary # init-state backup ! carp_up = "((carp0 link up) and (carp1 link up))" ! carp_down = "((! carp0 link up) and (! carp1 link up))" ! carp_sync = "((carp0 link up and carp1 link up) or \ ! ((!carp0 link up) and (!carp1 link up)))" # The "net" addresses are other addresses which can be used to determine # whether we have connectivity. Make sure the hosts are always up, or # test multiple ip's, 'or'-ing the tests. ! net = '( "ping -q -c 1 -w 1 192.168.6.8 > /dev/null" every 10 and \ "ping -q -c 1 -w 1 192.168.3.8 > /dev/null" every 10)' # The peer addresses below are the real ip addresses of the OTHER firewall ! peer = '( "ping -q -c 1 -w 1 192.168.6.7 > /dev/null" every 10 and \ "ping -q -c 1 -w 1 192.168.3.7 > /dev/null" every 10)' state auto { ! if $carp_up { set-state primary ! } ! if $carp_down { set-state backup - } } state primary { --- 10,35 ---- # init-state primary # init-state backup ! carp_up = "carp0.link.up && carp1.link.up" ! carp_down = "!carp0.link.up && !carp1.link.up" ! carp_sync = "carp0.link.up && carp1.link.up || \ ! 
!carp0.link.up && !carp1.link.up" # The "net" addresses are other addresses which can be used to determine # whether we have connectivity. Make sure the hosts are always up, or # test multiple ip's, 'or'-ing the tests. ! net = '( "ping -q -c 1 -w 1 192.168.6.8 > /dev/null" every 10 && \ "ping -q -c 1 -w 1 192.168.3.8 > /dev/null" every 10)' # The peer addresses below are the real ip addresses of the OTHER firewall ! peer = '( "ping -q -c 1 -w 1 192.168.6.7 > /dev/null" every 10 && \ "ping -q -c 1 -w 1 192.168.3.7 > /dev/null" every 10)' state auto { ! if $carp_up set-state primary ! if $carp_down set-state backup } state primary { *************** *** 39,47 **** run "ifconfig carp0 advskew 10" run "ifconfig carp1 advskew 10" } ! if ! $net { set-state demoted - } } state demoted { --- 37,44 ---- run "ifconfig carp0 advskew 10" run "ifconfig carp1 advskew 10" } ! if ! $net set-state demoted } state demoted { *************** *** 49,57 **** run "ifconfig carp0 advskew 254" run "ifconfig carp1 advskew 254" } ! if $net { set-state primary - } } state promoted { --- 46,53 ---- run "ifconfig carp0 advskew 254" run "ifconfig carp1 advskew 254" } ! if $net set-state primary } state promoted { *************** *** 59,67 **** run "ifconfig carp0 advskew 0" run "ifconfig carp1 advskew 0" } ! if $peer or ! $net { set-state backup - } } state backup { --- 55,62 ---- run "ifconfig carp0 advskew 0" run "ifconfig carp1 advskew 0" } ! if $peer || ! $net set-state backup } state backup { *************** *** 71,79 **** } # The "sleep 5" below is a hack to dampen the $carp_sync when we come # out of promoted state. Thinking about the correct fix... ! if ! $carp_sync and $net and "sleep 5" every 10 { ! if (! $carp_sync) and $net { set-state promoted - } - } } --- 66,72 ---- } # The "sleep 5" below is a hack to dampen the $carp_sync when we come # out of promoted state. Thinking about the correct fix... ! if ! $carp_sync && $net && "sleep 5" every 10 ! if ! 
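Review bot: The new `carp_sync` definition drops the outer parentheses that 1.4 had, while the last hunk still uses it negated as `! $carp_sync && $net`. If ifstated expands macros textually before parsing (the quoted macro strings suggest this, but confirm against the parser), the `!` now binds only to the first `carp0.link.up` term and the `||` splits the whole test, so the backup firewall would enter `promoted` on a different condition than in 1.4. Keeping the grouping inside the macro avoids depending on precedence at each use site: `carp_sync = "(carp0.link.up && carp1.link.up || \` followed by `!carp0.link.up && !carp1.link.up)"`. `carp_up` and `carp_down` would carry the same risk if they were ever negated or combined with other terms, whereas `net` and `peer` keep their parentheses in this revision.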
$carp_sync && $net set-state promoted }