Diffstat (limited to 'doc/sync/alarm')
-rw-r--r-- | doc/sync/alarm/conntrackd.conf (renamed from doc/sync/alarm/node1/conntrackd.conf) | 44 | ||||
-rw-r--r-- | doc/sync/alarm/keepalived.conf (renamed from doc/sync/alarm/node1/keepalived.conf) | 0 | ||||
-rw-r--r-- | doc/sync/alarm/node2/conntrackd.conf | 170 | ||||
-rw-r--r-- | doc/sync/alarm/node2/keepalived.conf | 39 |
4 files changed, 36 insertions, 217 deletions
diff --git a/doc/sync/alarm/node1/conntrackd.conf b/doc/sync/alarm/conntrackd.conf
index ffd6b4a..a65a378 100644
--- a/doc/sync/alarm/node1/conntrackd.conf
+++ b/doc/sync/alarm/conntrackd.conf
@@ -35,11 +35,33 @@ Sync {
 # iptables -I OUTPUT -d 225.0.0.50 -j ACCEPT
 #
 Multicast {
+ #
+ # Multicast address: The address that you use as destination
+ # in the synchronization messages. You do not have to add
+ # this IP to any of your existing interfaces. If any doubt,
+ # do not modify this value.
+ #
 IPv4_address 225.0.0.50
- IPv4_interface 192.168.100.100 # IP of dedicated link
- Interface eth2
+
+ #
+ # The multicast group that identifies the cluster. If any
+ # doubt, do not modify this value.
+ #
 Group 3780
+ #
+ # IP address of the interface that you are going to use to
+ # send the synchronization messages. Remember that you must
+ # use a dedicated link for the synchronization messages.
+ #
+ IPv4_interface 192.168.100.100
+
+ #
+ # The name of the interface that you are going to use to
+ # send the synchronization messages.
+ #
+ Interface eth2
+
 # The multicast sender uses a buffer to enqueue the packets
 # that are going to be transmitted. The default size of this
 # socket buffer is available at /proc/sys/net/core/wmem_default.
@@ -63,14 +85,18 @@ Sync {
 # McastRcvSocketBuffer 1249280
 }
- # Enable/Disable message checksumming
+ #
+ # Enable/Disable message checksumming. This is a good property to
+ # achieve fault-tolerance. In case of doubt, do not modify this value.
+ #
 Checksum on
 # If you have a multiprimary setup (active-active) without connection
 # persistency, ie. you can't know which firewall handles a packet
 # that is part of a connection, then you need direct commit of
 # conntrack entries to the kernel conntrack table. OSPF setups must
- # set on this option. Default is Off.
+ # set on this option. If you have a simple primary-backup scenario.
+ # Do not set it on. Default is off.
 #
 # CacheWriteThrough On
 }
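Review bot: The IPv4_interface and Interface values under Multicast are node-specific, but this commit also deletes node2's copy of the file (which carried `IPv4_interface 192.168.100.200`), and the new comment above IPv4_interface only says to use a dedicated link — nothing tells the reader that the second node must not copy this value verbatim. Suggest adding to that comment `# This is the dedicated-link address of THIS node; the other node` / `# must use its own address on the same link (e.g. 192.168.100.200).` The Sync block this hunk edits starts and ends outside the hunk.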
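Review bot: The new Checksum comment ("a good property to achieve fault-tolerance") can be read as tamper protection, but nothing in this file keys the checksum, so it can only detect corrupted synchronization messages and cannot authenticate the sender — any host able to send to the multicast address on the synchronization interface is trusted, which is the real reason the earlier hunk insists on a dedicated link. Suggest `# Enable/Disable message checksumming. This detects corrupted` / `# synchronization messages (fault-tolerance); it does not authenticate` / `# them, so keep the synchronization link dedicated and isolated.` The rewritten CacheWriteThrough text also leaves a sentence fragment; `# set on this option. If you have a simple primary-backup scenario,` / `# do not set it on. Default is off.` reads correctly.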
@@ -80,7 +106,7 @@ Sync {
 #
 General {
 #
- # Number of buckets in the caches: hash table
+ # Number of buckets in the caches: hash table.
 #
 HashSize 8192
@@ -94,7 +120,7 @@ General {
 # Logfile: on (/var/log/conntrackd.log), off, or a filename
 # Default: off
 #
- #LogFile on
+ LogFile on
 #
 # Syslog: on, off or a facility name (daemon (default) or local0..7)
@@ -145,14 +171,16 @@ General {
 # Ignore traffic for a certain set of IP's: Usually all the
 # IP assigned to the firewall since local traffic must be
 # ignored, only forwarded connections are worth to replicate.
+ # Note that these values depends on the local IPs that are
+ # assigned to the firewall.
 #
 Address Ignore {
 IPv4_address 127.0.0.1 # loopback
+ IPv4_address 192.168.0.100 # virtual IP 1
+ IPv4_address 192.168.1.100 # virtual IP 2
 IPv4_address 192.168.0.1
 IPv4_address 192.168.1.1
 IPv4_address 192.168.100.100 # dedicated link ip
- IPv4_address 192.168.0.100 # virtual IP 1
- IPv4_address 192.168.1.100 # virtual IP 2
 }
 #
diff --git a/doc/sync/alarm/node1/keepalived.conf b/doc/sync/alarm/keepalived.conf
index f937467..f937467 100644
--- a/doc/sync/alarm/node1/keepalived.conf
+++ b/doc/sync/alarm/keepalived.conf
diff --git a/doc/sync/alarm/node2/conntrackd.conf b/doc/sync/alarm/node2/conntrackd.conf
deleted file mode 100644
index 8f7abb2..0000000
--- a/doc/sync/alarm/node2/conntrackd.conf
+++ /dev/null
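Review bot: The added comment in the Address Ignore hunk, `# Note that these values depends on the local IPs that are`, should read `depend`, and it stops short of saying what the reader has to do: the node2 copy of this file removed in this commit listed 192.168.0.2, 192.168.1.2 and 192.168.100.200 here, so with a single example left the node-specific entries need to be called out. Suggest `# Note that these values depend on the local IPs assigned to the` / `# firewall: on the other node replace the non-virtual entries with` / `# that node's own addresses (the virtual IPs stay the same).` The Filter block containing this list starts and ends outside the hunk.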
@@ -1,170 +0,0 @@ -# -# Synchronizer settings -# -Sync { - Mode ALARM { - # - # If a conntrack entry is not modified in <= 15 seconds, then - # a message is broadcasted. This mechanism is used to - # resynchronize nodes that just joined the multicast group - # - RefreshTime 15 - - # - # If we don't receive a notification about the state of - # an entry in the external cache after N seconds, then - # remove it. - # - CacheTimeout 180 - - # - # Entries committed to the connection tracking table - # starts with a limited timeout of N seconds until the - # takeover process is completed. - # - CommitTimeout 180 - } - - # - # Multicast IP and interface where messages are - # broadcasted (dedicated link). IMPORTANT: Make sure - # that iptables accepts traffic for destination - # 225.0.0.50, eg: - # - # iptables -I INPUT -d 225.0.0.50 -j ACCEPT - # iptables -I OUTPUT -d 225.0.0.50 -j ACCEPT - # - Multicast { - IPv4_address 225.0.0.50 - IPv4_interface 192.168.100.200 # IP of dedicated link - Interface eth2 - Group 3780 - - # The multicast sender uses a buffer to enqueue the packets - # that are going to be transmitted. The default size of this - # socket buffer is available at /proc/sys/net/core/wmem_default. - # This value determines the chances to have an overrun in the - # sender queue. The overrun results packet loss, thus, losing - # state information that would have to be retransmitted. If you - # notice some packet loss, you may want to increase the size - # of the sender buffer. - # - # McastSndSocketBuffer 1249280 - - # The multicast receiver uses a buffer to enqueue the packets - # that the socket is pending to handle. The default size of this - # socket buffer is available at /proc/sys/net/core/rmem_default. - # This value determines the chances to have an overrun in the - # receiver queue. The overrun results packet loss, thus, losing - # state information that would have to be retransmitted. 
If you - # notice some packet loss, you may want to increase the size of - # the receiver buffer. - # - # McastRcvSocketBuffer 1249280 - } - - # Enable/Disable message checksumming - Checksum on - - # If you have a multiprimary setup (active-active) without connection - # persistency, ie. you can't know which firewall handles a packet - # that is part of a connection, then you need direct commit of - # conntrack entries to the kernel conntrack table. OSPF setups must - # set on this option. Default is Off. - # - # CacheWriteThrough On -} - -# -# General settings -# -General { - # - # Number of buckets in the caches: hash table - # - HashSize 8192 - - # - # Maximum number of conntracks: - # it must be >= $ cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max - # - HashLimit 65535 - - # - # Logfile: on (/var/log/conntrackd.log), off, or a filename - # Default: off - # - #LogFile on - - # - # Syslog: on, off or a facility name (daemon (default) or local0..7) - # Default: off - # - #Syslog on - - # - # Lockfile - # - LockFile /var/lock/conntrack.lock - - # - # Unix socket configuration - # - UNIX { - Path /tmp/sync.sock - Backlog 20 - } - - # - # Netlink socket buffer size - # - SocketBufferSize 262142 - - # - # Increase the socket buffer up to maximum if required - # - SocketBufferSizeMaxGrown 655355 - - # - # Event filtering: This clause allows you to filter certain traffic, - # There are currently three filter-sets: Protocol, Address and - # State. The filter is attached to an action that can be: Accept or - # Ignore. Thus, you can define the event filtering policy of the - # filter-sets in positive or negative logic depending on your needs. - # - Filter { - # - # Accept only certain protocols: You may want to replicate - # the state of flows depending on their layer 4 protocol. 
- #
- Protocol Accept {
- TCP
- }
-
- #
- # Ignore traffic for a certain set of IP's: Usually all the
- # IP assigned to the firewall since local traffic must be
- # ignored, only forwarded connections are worth to replicate.
- #
- Address Ignore {
- IPv4_address 127.0.0.1 # loopback
- IPv4_address 192.168.0.2
- IPv4_address 192.168.1.2
- IPv4_address 192.168.100.200 # dedicated link ip
- IPv4_address 192.168.0.100 # virtual IP 1
- IPv4_address 192.168.1.100 # virtual IP 2
- }
-
- #
- # Uncomment this line below if you want to filter by flow state.
- # This option introduces a trade-off in the replication: it
- # reduces CPU consumption at the cost of having lazy backup
- # firewall replicas. The existing TCP states are: SYN_SENT,
- # SYN_RECV, ESTABLISHED, FIN_WAIT, CLOSE_WAIT, LAST_ACK,
- # TIME_WAIT, CLOSED, LISTEN.
- #
- # State Accept {
- # ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP
- # }
- }
-}
diff --git a/doc/sync/alarm/node2/keepalived.conf b/doc/sync/alarm/node2/keepalived.conf
deleted file mode 100644
index f937467..0000000
--- a/doc/sync/alarm/node2/keepalived.conf
+++ /dev/null
@@ -1,39 +0,0 @@
-vrrp_sync_group G1 { # must be before vrrp_instance declaration
- group {
- VI_1
- VI_2
- }
- notify_master /etc/conntrackd/script_master.sh
- notify_backup /etc/conntrackd/script_backup.sh
-# notify_fault /etc/conntrackd/script_fault.sh
-}
-
-vrrp_instance VI_1 {
- interface eth1
- state SLAVE
- virtual_router_id 61
- priority 80
- advert_int 3
- authentication {
- auth_type PASS
- auth_pass papas_con_tomate
- }
- virtual_ipaddress {
- 192.168.0.100 # default CIDR mask is /32
- }
-}
-
-vrrp_instance VI_2 {
- interface eth0
- state SLAVE
- virtual_router_id 62
- priority 80
- advert_int 3
- authentication {
- auth_type PASS
- auth_pass papas_con_tomate
- }
- virtual_ipaddress {
- 192.168.1.100
- }
-} |