Annotation of src/etc/ifstated.conf, Revision 1.5
1.5 ! mpf 1: # $OpenBSD: ifstated.conf,v 1.4 2004/04/28 01:01:27 deraadt Exp $
1.1 mcbride 2: # This is a sample config for a pair of firewalls with two interfaces
3: #
4: # carp0 and carp1 have ip addresses on 192.168.3.0/24 and 192.168.6.0/24
1.4 deraadt 5: # respectively.
1.2 mcbride 6:
7: # net.inet.carp.preempt must be enabled (set to 1) for this to work correctly.
1.1 mcbride 8:
9: # Uncomment one of the following lines to force primary/backup status.
1.3 mcbride 10: # init-state primary
1.1 mcbride 11: # init-state backup
12:
# Macros describing the combined CARP state of carp0 and carp1:
#   carp_up   - both interfaces report link up
#   carp_down - neither interface reports link up
#   carp_sync - the two interfaces agree (both up, or both not up)
# For carp(4) interfaces ifstated.conf(5) maps link up to MASTER and link
# down to BACKUP - TODO confirm against the man page for this revision.
# NOTE(review): unlike net and peer below, these values are not wrapped in
# parentheses. If macros are expanded textually, "! $carp_sync" in state
# backup negates only the first term, and the unparenthesised mix of && and
# || depends on the parser's precedence - confirm, or parenthesise the values.
1.5 ! mpf 13: carp_up = "carp0.link.up && carp1.link.up"
! 14: carp_down = "!carp0.link.up && !carp1.link.up"
! 15: carp_sync = "carp0.link.up && carp1.link.up || \
! 16: !carp0.link.up && !carp1.link.up"
1.1 mcbride 17:
18: # The "net" addresses are other addresses which can be used to determine
1.4 deraadt 19: # whether we have connectivity. Make sure the hosts are always up, or
1.1 mcbride 20: # test multiple IPs, 'or'-ing the tests.
# As written the two pings are joined with &&, so $net is false as soon as
# either reference host stops answering; state primary then demotes this
# firewall. Anything that drops these echo replies (host outage, a filter
# rule) therefore changes the failover state.
# NOTE(review): each quoted string is an external command re-run on the
# "every 10" interval, and the "> /dev/null" redirection implies it is handed
# to a shell. It presumably runs with ifstated's own privileges, so keep this
# file writable by root only and consider absolute command paths - verify.
1.5 ! mpf 21: net = '( "ping -q -c 1 -w 1 192.168.6.8 > /dev/null" every 10 && \
1.1 mcbride 22: "ping -q -c 1 -w 1 192.168.3.8 > /dev/null" every 10)'
23:
24: # The peer addresses below are the real IP addresses of the OTHER firewall
# (not its shared carp addresses). $peer is true only when both answer.
1.5 ! mpf 25: peer = '( "ping -q -c 1 -w 1 192.168.6.7 > /dev/null" every 10 && \
1.1 mcbride 26: "ping -q -c 1 -w 1 192.168.3.7 > /dev/null" every 10)'
27:
# State auto: choose primary or backup from the current CARP state.
# Presumably the initial state, since it is defined first and both init-state
# lines above are commented out - confirm against ifstated.conf(5).
# If carp0 and carp1 disagree (one up, one not), neither test below is true
# and no transition is made from this state.
28: state auto {
1.5 ! mpf 29: if $carp_up
1.1 mcbride 30: set-state primary
1.5 ! mpf 31: if $carp_down
1.1 mcbride 32: set-state backup
33: }
34:
# State primary: normal operation on the preferred firewall.
35: state primary {
# On entry, set advskew 10 on both carp interfaces. This is lower than the
# 100 used in state backup; per carp(4) a lower advskew is preferred as master.
36: init {
37: run "ifconfig carp0 advskew 10"
38: run "ifconfig carp1 advskew 10"
39: }
# Losing the external connectivity check moves this host to state demoted.
1.5 ! mpf 40: if ! $net
1.1 mcbride 41: set-state demoted
42: }
43:
# State demoted: the primary firewall has lost connectivity and steps aside.
44: state demoted {
# advskew 254 is the largest value used in this file, making this host the
# least preferred master on both interfaces while the $net check fails.
45: init {
46: run "ifconfig carp0 advskew 254"
47: run "ifconfig carp1 advskew 254"
48: }
# Return to primary as soon as the connectivity check succeeds again.
1.5 ! mpf 49: if $net
1.1 mcbride 50: set-state primary
51: }
52:
# State promoted: the backup firewall has taken over from its peer.
53: state promoted {
# advskew 0 is the smallest value used in this file, so this host is the
# preferred master on both interfaces while it stays in this state.
54: init {
55: run "ifconfig carp0 advskew 0"
56: run "ifconfig carp1 advskew 0"
57: }
# Fall back to backup when the other firewall answers on both of its real
# addresses again, or when this host itself loses the connectivity check.
1.5 ! mpf 58: if $peer || ! $net
1.1 mcbride 59: set-state backup
60: }
61:
# State backup: normal operation on the standby firewall.
62: state backup {
# advskew 100 is higher than the 10 used in state primary, so the primary
# firewall is preferred as master while both hosts are healthy.
63: init {
64: run "ifconfig carp0 advskew 100"
65: run "ifconfig carp1 advskew 100"
66: }
67: # The "sleep 5" below is a hack to dampen the $carp_sync when we come
68: # out of promoted state. Thinking about the correct fix...
# The two ifs below are presumably nested (indentation is lost in this
# listing): the outer test includes "sleep 5" as an external command, and the
# inner one re-checks the same condition before promoting.
# NOTE(review): carp_sync is defined without parentheses, so confirm that
# "! $carp_sync" negates the whole expression and not only its first term.
1.5 ! mpf 69: if ! $carp_sync && $net && "sleep 5" every 10
! 70: if ! $carp_sync && $net
1.1 mcbride 71: set-state promoted
72: }