RE: quest for ifstated

On Mon 21 Jun 2004, Jeff Wilson wrote:
> On Mon, 21 Jun 2004, Lars Hansson wrote:
> Also, where can I lurk to find out more about ifstated?  I 
> understand it's brand-spanking-new, so asking for more man 
> pages right this minute is like asking for that slap upside
> the head -- but is there an active mailing list where 
> ifstated issues are currently under discussion?
(This post is somewhat answering this question, but might be
out of this list's domain, sorry)
<CARP out-of-sync> problem
http://www.benzedrine.cx/pf/msg04613.html (1)
http://archives.neohapsis.com/archives/openbsd/2004-03/1946.html (2)
http://monkey.org/openbsd/archive/misc/0405/msg01789.html (3)
or: google: pfstated.conf
or check /src/etc/ifstated.conf for sample config file.
Only problem is, it does not work as intended. Not for
me anyway. (ifstated is still in ports.)
I have tried to get ifstated working to solve the <out-of-sync>
state that carp interfaces sometimes end up in if one
of the physical interfaces goes down.
The <out-of-sync> state leaves the master firewall master on the
working interface, while the backup firewall is master on the other. 
IOW: deadlock.
The ifstated is supposed to solve this, but I have tried the 
ifstated.conf example file, without any luck. 
Seems to be a problem with running console commands in macros.
E.g. '( "ping -q -c 1 -w 1 > /dev/null" every 10 and \
        "ping -q -c 1 -w 1 > /dev/null" every 10 )'
should return 0 if both pings were successful. Actually I would
'or' this rather than 'and'-ing it, since ping returns 0 on
success. Thereby the variable would contain 1 if either of the
IP addresses were unavailable. YMMV.
But this macro won't work. Why, I don't know. It seems not to
run at all. Using 'run "cmd"' works fine though.
So, you will have to stick with the "(if0 link up)" stuff. This
macro senses the status of the interface, e.g. active, no carrier.
Actually, it is the only thing I have working at the moment,
at least until any useful man pages for the conf file show up.
Here is my ifstated.conf:
init-state master

## is 1 if both interfaces are up
if_up = "((if0 link up) and (if1 link up))"
## is 1 if one or both interfaces are down
if_down = "((! if0 link up) or (! if1 link up))"
## is 1 if both carp interfaces are up
carp_master = "((carp0 link up) and (carp1 link up))"
## is 1 if one or both carp interfaces are down
carp_backup = "((! carp0 link up) or (! carp1 link up))"
## this won't work, not using :(
## should be 1 if one or both ip-addresses are unreachable
#ping_failed = '( "ping -q -c 1 -w 1 > /dev/null" every 5 or \
#                 "ping -q -c 1 -w 1 > /dev/null" every 5 )'

state master {
        init {
                run "ifconfig carp0 advskew 10"
                run "ifconfig carp1 advskew 10"
        }
        if ($if_down or $carp_backup) {
                set-state demoted
        }
}

state demoted {
        init {
                run "ifconfig carp0 advskew 254"
                run "ifconfig carp1 advskew 254"
        }
        if ($if_up and $carp_master) {
                set-state master
        }
        if ($if_down or $carp_backup) {
                set-state backup
        }
}

state promoted {
        init {
                run "ifconfig carp0 advskew 0"
                run "ifconfig carp1 advskew 0"
        }
        if ($if_up and $carp_master) {
                set-state master
        }
        if ($if_down or $carp_backup) {
                set-state backup
        }
}

state backup {
        init {
                run "ifconfig carp0 advskew 110"
                run "ifconfig carp1 advskew 110"
        }
        if ($if_up or $carp_master) {
                set-state promoted
        }
}
I run this only on the master, and set the advskew on the
backup firewall to 100. This way, if the master gets demoted,
the backup firewall will have a higher advskew than the
demoted master. Actually, you could go with only master and
backup state here, but just to be safe, I set advskew to
max when demoting, and min when promoting...
Let CARP handle the rest... You might still suffer from
the <out-of-sync> problem though, but it should kick in if
you unplug one of the network cables.
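A dry-run model of the state machine in the ifstated.conf above, added here as an example and not part of the original post: it encodes the posted macros, transitions and advskew values as shell functions so the transitions can be walked through without a CARP pair. The "up"/"down" words and the snapshots fed to simulate() are constructed inputs, not output read from ifconfig.

```shell
#!/bin/sh
# Added example (not from the post): model of the four-state ifstated.conf.
# Link states are the words "up"/"down"; all inputs below are constructed.

# advskew the posted config sets on entering each state
advskew_for() {
    case "$1" in
        master)   echo 10 ;;
        demoted)  echo 254 ;;
        promoted) echo 0 ;;
        backup)   echo 110 ;;
        *) echo "unknown state: $1" >&2; return 1 ;;
    esac
}

# next_state CUR IF0 IF1 CARP0 CARP1: state after one evaluation of the rules
next_state() {
    cur=$1
    # the macros: if_down is the complement of if_up, carp_backup of carp_master
    if [ "$2" = up ] && [ "$3" = up ]; then if_up=1; else if_up=0; fi
    if [ "$4" = up ] && [ "$5" = up ]; then carp_master=1; else carp_master=0; fi
    case "$cur" in
        master)            # if ($if_down or $carp_backup) set-state demoted
            if [ $if_up = 0 ] || [ $carp_master = 0 ]; then echo demoted; else echo master; fi ;;
        demoted|promoted)  # both states carry the same two rules
            if [ $if_up = 1 ] && [ $carp_master = 1 ]; then echo master; else echo backup; fi ;;
        backup)            # note the 'or': either healthy pair is enough to promote
            if [ $if_up = 1 ] || [ $carp_master = 1 ]; then echo promoted; else echo backup; fi ;;
        *) echo "unknown state: $cur" >&2; return 1 ;;
    esac
}

# simulate SNAPSHOT...: snapshots are "if0,if1,carp0,carp1"; starts at
# init-state master and prints one trace line per evaluation
simulate() {
    state=master
    for snap in "$@"; do
        IFS=, read -r a b c d <<EOF
$snap
EOF
        state=$(next_state "$state" "$a" "$b" "$c" "$d") || return 1
        echo "$snap -> $state (advskew $(advskew_for "$state"))"
    done
}

# constructed scenario: if0 loses carrier, carp1 then drops, then all recover
simulate up,up,up,up down,up,up,up down,up,up,down up,up,up,up up,up,up,up
```

The trace shows the two-step demotion (master, demoted, backup) and the two-step recovery (backup, promoted, master) that the posted rules produce.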