-# $OpenBSD: ifstated.conf,v 1.1 2014/07/11 16:36:35 deraadt Exp $
-# This is a sample config for a pair of firewalls with two interfaces
+# $OpenBSD: ifstated.conf,v 1.2 2018/01/20 23:07:58 mpf Exp $
+# This is a sample config for a pair of firewalls with three physical interfaces
#
-# carp0 and carp1 have ip addresses on 192.168.3.0/24 and 192.168.6.0/24
-# respectively.
-
-# net.inet.carp.preempt must be enabled (set to 1) for this to work correctly.
-
-# Uncomment one of the following lines to force primary/backup status.
-# init-state primary
-# init-state backup
-
-carp_up = "carp0.link.up && carp1.link.up"
-carp_down = "!carp0.link.up && !carp1.link.up"
-carp_sync = "carp0.link.up && carp1.link.up || \
- !carp0.link.up && !carp1.link.up"
-
-# The "net" addresses are other addresses which can be used to determine
-# whether we have connectivity. Make sure the hosts are always up, or
-# test multiple ip's, 'or'-ing the tests.
-net = '( "ping -q -c 1 -w 1 192.168.6.8 > /dev/null" every 10 && \
- "ping -q -c 1 -w 1 192.168.3.8 > /dev/null" every 10)'
-
-# The peer addresses below are the real ip addresses of the OTHER firewall
-peer = '( "ping -q -c 1 -w 1 192.168.6.7 > /dev/null" every 10 && \
- "ping -q -c 1 -w 1 192.168.3.7 > /dev/null" every 10)'
-
-state auto {
- if $carp_up
- set-state primary
- if $carp_down
- set-state backup
-}
-
-state primary {
- init {
- run "ifconfig carp0 advskew 10"
- run "ifconfig carp1 advskew 10"
+# The two firefall interfaces are made redundant on each side using
+# carp0 and carp1.
+#
+# A third interface em2 connects each firewall to the DMZ where it can
+# reach a syslog server with the IP 192.168.1.10
+#
+# This config does two things:
+# 1. Monitor the reachability of the syslog server and demote
+# the carp interface group to provoke a failover if the syslog server
+# is not reachable. We do that by using ping(1) and checking
+# the link state of em2.
+# 2. Log carp failovers
+
+
+dmz_if_up = 'em2.link.up'
+dmz_if_down = 'em2.link.down'
+
+syslog_ok = '"ping -q -c 1 -w 1 192.168.1.10 >/dev/null 2>&1" every 10'
+
+# ifstated starts up with the first defined state
+state neutral {
+ if $dmz_if_down {
+ run "logger -st ifstated 'interface to syslog server em2 is down'"
+ set-state demoted
}
- if ! $net
+ if ! $syslog_ok {
+ run "logger -st ifstated 'could not reach syslog server'"
set-state demoted
+ }
}
state demoted {
init {
- run "ifconfig carp0 advskew 254"
- run "ifconfig carp1 advskew 254"
+ run "ifconfig -g carp carpdemote"
}
- if $net
- set-state primary
-}
-
-state promoted {
- init {
- run "ifconfig carp0 advskew 0"
- run "ifconfig carp1 advskew 0"
+ if $dmz_if_up && $syslog_ok {
+ run "logger -st ifstated 'syslog server is ok again'"
+ # remove our carp demotion
+ run "ifconfig -g carp -carpdemote"
+ set-state neutral
}
- if $peer || ! $net
- set-state backup
}
-state backup {
- init {
- run "ifconfig carp0 advskew 100"
- run "ifconfig carp1 advskew 100"
- }
- # The "sleep 5" below is a hack to dampen the $carp_sync when we come
- # out of promoted state. Thinking about the correct fix...
- if ! $carp_sync && $net && "sleep 5" every 10
- if ! $carp_sync && $net
- set-state promoted
-}
+# commands in the global scope are always run
+if carp0.link.up
+ run "logger -st ifstated 'carp0 is master'"
+if carp0.link.down
+ run "logger -st ifstated 'carp0 is backup'"
+
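Review bot: The demotion counter raised by `run "ifconfig -g carp carpdemote"` in the init of `state demoted` is only ever lowered by the `-carpdemote` line in the `$dmz_if_up && $syslog_ok` branch, so if ifstated is stopped or restarted while in `demoted` the host stays demoted and nothing in this config will notice; a comment above that init line would save the next operator a confusing failover, e.g. `# carpdemote is a counter: it is undone only by the -carpdemote below.` followed by `# If ifstated is restarted while demoted, clear it with: ifconfig -g carp -carpdemote`. Note also that `syslog_ok` is a single `ping -c 1 -w 1` probe, so one lost ICMP reply every 10 seconds appears sufficient to demote the whole carp group and force a failover; if that is not intended, a comment stating the trade-off (or a less strict probe) would help, though that is a design choice rather than a defect. The header comment on the "firefall interfaces" line has a typo for "firewall".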