summaryrefslogtreecommitdiff
path: root/doc/sync/alarm
diff options
context:
space:
mode:
Diffstat (limited to 'doc/sync/alarm')
-rw-r--r--doc/sync/alarm/conntrackd.conf (renamed from doc/sync/alarm/node1/conntrackd.conf)44
-rw-r--r--doc/sync/alarm/keepalived.conf (renamed from doc/sync/alarm/node1/keepalived.conf)0
-rw-r--r--doc/sync/alarm/node2/conntrackd.conf170
-rw-r--r--doc/sync/alarm/node2/keepalived.conf39
4 files changed, 36 insertions, 217 deletions
diff --git a/doc/sync/alarm/node1/conntrackd.conf b/doc/sync/alarm/conntrackd.conf
index ffd6b4a..a65a378 100644
--- a/doc/sync/alarm/node1/conntrackd.conf
+++ b/doc/sync/alarm/conntrackd.conf
@@ -35,11 +35,33 @@ Sync {
# iptables -I OUTPUT -d 225.0.0.50 -j ACCEPT
#
Multicast {
+ #
+ # Multicast address: The address that you use as destination
+ # in the synchronization messages. You do not have to add
+ # this IP to any of your existing interfaces. If any doubt,
+ # do not modify this value.
+ #
IPv4_address 225.0.0.50
- IPv4_interface 192.168.100.100 # IP of dedicated link
- Interface eth2
+
+ #
+ # The multicast group that identifies the cluster. If any
+ # doubt, do not modify this value.
+ #
Group 3780
+ #
+ # IP address of the interface that you are going to use to
+ # send the synchronization messages. Remember that you must
+ # use a dedicated link for the synchronization messages.
+ #
+ IPv4_interface 192.168.100.100
+
+ #
+ # The name of the interface that you are going to use to
+ # send the synchronization messages.
+ #
+ Interface eth2
+
# The multicast sender uses a buffer to enqueue the packets
# that are going to be transmitted. The default size of this
# socket buffer is available at /proc/sys/net/core/wmem_default.
@@ -63,14 +85,18 @@ Sync {
# McastRcvSocketBuffer 1249280
}
- # Enable/Disable message checksumming
+ #
+ # Enable/Disable message checksumming. This is a good property to
+ # achieve fault-tolerance. In case of doubt, do not modify this value.
+ #
Checksum on
# If you have a multiprimary setup (active-active) without connection
# persistency, ie. you can't know which firewall handles a packet
# that is part of a connection, then you need direct commit of
# conntrack entries to the kernel conntrack table. OSPF setups must
- # set on this option. Default is Off.
+ # set on this option. If you have a simple primary-backup scenario.
+ # Do not set it on. Default is off.
#
# CacheWriteThrough On
}
@@ -80,7 +106,7 @@ Sync {
#
General {
#
- # Number of buckets in the caches: hash table
+ # Number of buckets in the caches: hash table.
#
HashSize 8192
@@ -94,7 +120,7 @@ General {
# Logfile: on (/var/log/conntrackd.log), off, or a filename
# Default: off
#
- #LogFile on
+ LogFile on
#
# Syslog: on, off or a facility name (daemon (default) or local0..7)
@@ -145,14 +171,16 @@ General {
# Ignore traffic for a certain set of IP's: Usually all the
# IP assigned to the firewall since local traffic must be
# ignored, only forwarded connections are worth to replicate.
+ # Note that these values depends on the local IPs that are
+ # assigned to the firewall.
#
Address Ignore {
IPv4_address 127.0.0.1 # loopback
+ IPv4_address 192.168.0.100 # virtual IP 1
+ IPv4_address 192.168.1.100 # virtual IP 2
IPv4_address 192.168.0.1
IPv4_address 192.168.1.1
IPv4_address 192.168.100.100 # dedicated link ip
- IPv4_address 192.168.0.100 # virtual IP 1
- IPv4_address 192.168.1.100 # virtual IP 2
}
#
diff --git a/doc/sync/alarm/node1/keepalived.conf b/doc/sync/alarm/keepalived.conf
index f937467..f937467 100644
--- a/doc/sync/alarm/node1/keepalived.conf
+++ b/doc/sync/alarm/keepalived.conf
diff --git a/doc/sync/alarm/node2/conntrackd.conf b/doc/sync/alarm/node2/conntrackd.conf
deleted file mode 100644
index 8f7abb2..0000000
--- a/doc/sync/alarm/node2/conntrackd.conf
+++ /dev/null
@@ -1,170 +0,0 @@
-#
-# Synchronizer settings
-#
-Sync {
- Mode ALARM {
- #
- # If a conntrack entry is not modified in <= 15 seconds, then
- # a message is broadcasted. This mechanism is used to
- # resynchronize nodes that just joined the multicast group
- #
- RefreshTime 15
-
- #
- # If we don't receive a notification about the state of
- # an entry in the external cache after N seconds, then
- # remove it.
- #
- CacheTimeout 180
-
- #
- # Entries committed to the connection tracking table
- # starts with a limited timeout of N seconds until the
- # takeover process is completed.
- #
- CommitTimeout 180
- }
-
- #
- # Multicast IP and interface where messages are
- # broadcasted (dedicated link). IMPORTANT: Make sure
- # that iptables accepts traffic for destination
- # 225.0.0.50, eg:
- #
- # iptables -I INPUT -d 225.0.0.50 -j ACCEPT
- # iptables -I OUTPUT -d 225.0.0.50 -j ACCEPT
- #
- Multicast {
- IPv4_address 225.0.0.50
- IPv4_interface 192.168.100.200 # IP of dedicated link
- Interface eth2
- Group 3780
-
- # The multicast sender uses a buffer to enqueue the packets
- # that are going to be transmitted. The default size of this
- # socket buffer is available at /proc/sys/net/core/wmem_default.
- # This value determines the chances to have an overrun in the
- # sender queue. The overrun results packet loss, thus, losing
- # state information that would have to be retransmitted. If you
- # notice some packet loss, you may want to increase the size
- # of the sender buffer.
- #
- # McastSndSocketBuffer 1249280
-
- # The multicast receiver uses a buffer to enqueue the packets
- # that the socket is pending to handle. The default size of this
- # socket buffer is available at /proc/sys/net/core/rmem_default.
- # This value determines the chances to have an overrun in the
- # receiver queue. The overrun results packet loss, thus, losing
- # state information that would have to be retransmitted. If you
- # notice some packet loss, you may want to increase the size of
- # the receiver buffer.
- #
- # McastRcvSocketBuffer 1249280
- }
-
- # Enable/Disable message checksumming
- Checksum on
-
- # If you have a multiprimary setup (active-active) without connection
- # persistency, ie. you can't know which firewall handles a packet
- # that is part of a connection, then you need direct commit of
- # conntrack entries to the kernel conntrack table. OSPF setups must
- # set on this option. Default is Off.
- #
- # CacheWriteThrough On
-}
-
-#
-# General settings
-#
-General {
- #
- # Number of buckets in the caches: hash table
- #
- HashSize 8192
-
- #
- # Maximum number of conntracks:
- # it must be >= $ cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
- #
- HashLimit 65535
-
- #
- # Logfile: on (/var/log/conntrackd.log), off, or a filename
- # Default: off
- #
- #LogFile on
-
- #
- # Syslog: on, off or a facility name (daemon (default) or local0..7)
- # Default: off
- #
- #Syslog on
-
- #
- # Lockfile
- #
- LockFile /var/lock/conntrack.lock
-
- #
- # Unix socket configuration
- #
- UNIX {
- Path /tmp/sync.sock
- Backlog 20
- }
-
- #
- # Netlink socket buffer size
- #
- SocketBufferSize 262142
-
- #
- # Increase the socket buffer up to maximum if required
- #
- SocketBufferSizeMaxGrown 655355
-
- #
- # Event filtering: This clause allows you to filter certain traffic,
- # There are currently three filter-sets: Protocol, Address and
- # State. The filter is attached to an action that can be: Accept or
- # Ignore. Thus, you can define the event filtering policy of the
- # filter-sets in positive or negative logic depending on your needs.
- #
- Filter {
- #
- # Accept only certain protocols: You may want to replicate
- # the state of flows depending on their layer 4 protocol.
- #
- Protocol Accept {
- TCP
- }
-
- #
- # Ignore traffic for a certain set of IP's: Usually all the
- # IP assigned to the firewall since local traffic must be
- # ignored, only forwarded connections are worth to replicate.
- #
- Address Ignore {
- IPv4_address 127.0.0.1 # loopback
- IPv4_address 192.168.0.2
- IPv4_address 192.168.1.2
- IPv4_address 192.168.100.200 # dedicated link ip
- IPv4_address 192.168.0.100 # virtual IP 1
- IPv4_address 192.168.1.100 # virtual IP 2
- }
-
- #
- # Uncomment this line below if you want to filter by flow state.
- # This option introduces a trade-off in the replication: it
- # reduces CPU consumption at the cost of having lazy backup
- # firewall replicas. The existing TCP states are: SYN_SENT,
- # SYN_RECV, ESTABLISHED, FIN_WAIT, CLOSE_WAIT, LAST_ACK,
- # TIME_WAIT, CLOSED, LISTEN.
- #
- # State Accept {
- # ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP
- # }
- }
-}
diff --git a/doc/sync/alarm/node2/keepalived.conf b/doc/sync/alarm/node2/keepalived.conf
deleted file mode 100644
index f937467..0000000
--- a/doc/sync/alarm/node2/keepalived.conf
+++ /dev/null
@@ -1,39 +0,0 @@
-vrrp_sync_group G1 { # must be before vrrp_instance declaration
- group {
- VI_1
- VI_2
- }
- notify_master /etc/conntrackd/script_master.sh
- notify_backup /etc/conntrackd/script_backup.sh
-# notify_fault /etc/conntrackd/script_fault.sh
-}
-
-vrrp_instance VI_1 {
- interface eth1
- state SLAVE
- virtual_router_id 61
- priority 80
- advert_int 3
- authentication {
- auth_type PASS
- auth_pass papas_con_tomate
- }
- virtual_ipaddress {
- 192.168.0.100 # default CIDR mask is /32
- }
-}
-
-vrrp_instance VI_2 {
- interface eth0
- state SLAVE
- virtual_router_id 62
- priority 80
- advert_int 3
- authentication {
- auth_type PASS
- auth_pass papas_con_tomate
- }
- virtual_ipaddress {
- 192.168.1.100
- }
-}