summaryrefslogtreecommitdiff
path: root/doc
diff options
context:
space:
mode:
authorPablo Neira Ayuso <pablo@netfilter.org>2008-08-07 14:53:12 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2008-08-07 14:53:12 +0200
commit6cb33c62c8007593d8a85aa202fa173043877135 (patch)
treec3fbcdbffb912d1abcff20846773f0663195c5ab /doc
parenta4f4647b4b7f32f2d1caab98544802c8cdd7b4d6 (diff)
downloadconntrack-tools-6cb33c62c8007593d8a85aa202fa173043877135.tar.gz
conntrack-tools-6cb33c62c8007593d8a85aa202fa173043877135.zip
cache iterators: rework cache_reset_timers
This patch adds the clause PurgeTimeout that sets the new timer when conntrackd -t is called. This command is particularly useful when the sysadmin triggers hand-overs between several nodes without rebooting as it reduces the timers of the remaining entries in the kernel. Thus, avoiding clashes between new and old entries that may trigger INVALID packets. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'doc')
-rw-r--r--doc/sync/alarm/conntrackd.conf11
-rw-r--r--doc/sync/ftfw/conntrackd.conf11
-rw-r--r--doc/sync/keepalived.conf1
-rw-r--r--doc/sync/notrack/conntrackd.conf11
-rwxr-xr-xdoc/sync/primary-backup.sh12
5 files changed, 45 insertions, 1 deletions
diff --git a/doc/sync/alarm/conntrackd.conf b/doc/sync/alarm/conntrackd.conf
index a65a378..d6f7a2a 100644
--- a/doc/sync/alarm/conntrackd.conf
+++ b/doc/sync/alarm/conntrackd.conf
@@ -23,6 +23,17 @@ Sync {
# takeover process is completed.
#
CommitTimeout 180
+
+ #
+ # If the firewall replica goes from primary to backup,
+ # the conntrackd -t command is invoked in the script.
+ # This command resets the timers of the conntracks that
+ # live in the kernel to this new value. This is useful
+ # to purge the connection tracking table of zombie entries
+ # and avoid clashes with old entries if you trigger
+ # several consecutive hand-overs.
+ #
+ PurgeTimeout 15
}
#
diff --git a/doc/sync/ftfw/conntrackd.conf b/doc/sync/ftfw/conntrackd.conf
index 6fec9a1..8f4d952 100644
--- a/doc/sync/ftfw/conntrackd.conf
+++ b/doc/sync/ftfw/conntrackd.conf
@@ -16,6 +16,17 @@ Sync {
#
CommitTimeout 180
+ #
+ # If the firewall replica goes from primary to backup,
+ # the conntrackd -t command is invoked in the script.
+ # This command resets the timers of the conntracks that
+ # live in the kernel to this new value. This is useful
+ # to purge the connection tracking table of zombie entries
+ # and avoid clashes with old entries if you trigger
+ # several consecutive hand-overs.
+ #
+ PurgeTimeout 15
+
# Set Acknowledgement window size
ACKWindowSize 20
}
diff --git a/doc/sync/keepalived.conf b/doc/sync/keepalived.conf
index c9c8ac1..84f1383 100644
--- a/doc/sync/keepalived.conf
+++ b/doc/sync/keepalived.conf
@@ -9,6 +9,7 @@ vrrp_sync_group G1 { # must be before vrrp_instance declaration
}
notify_master "/etc/conntrackd/primary-backup.sh primary"
notify_backup "/etc/conntrackd/primary-backup.sh backup"
+ notify_fault "/etc/conntrackd/primary-backup.sh fault"
}
vrrp_instance VI_1 {
diff --git a/doc/sync/notrack/conntrackd.conf b/doc/sync/notrack/conntrackd.conf
index d54934a..3ce1fa0 100644
--- a/doc/sync/notrack/conntrackd.conf
+++ b/doc/sync/notrack/conntrackd.conf
@@ -9,6 +9,17 @@ Sync {
# takeover process is completed.
#
CommitTimeout 180
+
+ #
+ # If the firewall replica goes from primary to backup,
+ # the conntrackd -t command is invoked in the script.
+ # This command resets the timers of the conntracks that
+ # live in the kernel to this new value. This is useful
+ # to purge the connection tracking table of zombie entries
+ # and avoid clashes with old entries if you trigger
+ # several consecutive hand-overs.
+ #
+ PurgeTimeout 15
}
#
diff --git a/doc/sync/primary-backup.sh b/doc/sync/primary-backup.sh
index 27fb1c3..e5331e3 100755
--- a/doc/sync/primary-backup.sh
+++ b/doc/sync/primary-backup.sh
@@ -95,9 +95,19 @@ case "$1" in
logger "ERROR: failed to invoke conntrackd -n"
fi
;;
+ fault)
+ #
+ # shorten kernel conntrack timers to remove the zombie entries.
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -t
+ if [ $? -eq 1 ]
+ then
+ logger "ERROR: failed to invoke conntrackd -t"
+ fi
+ ;;
*)
logger "ERROR: unknown state transition"
- echo "Usage: primary-backup.sh {primary|backup}"
+ echo "Usage: primary-backup.sh {primary|backup|fault}"
exit 1
;;
esac