#!/bin/sh # # (C) 2008 by Pablo Neira Ayuso <pablo@netfilter.org> # # This software may be used and distributed according to the terms # of the GNU General Public License, incorporated herein by reference. # # Description: # # This is the script for primary-backup setups for keepalived # (http://www.keepalived.org). You may adapt it to make it work with other # high-availability managers. # # Modified by : Mohit Mehta <mohit@vyatta.com> # Slight modifications were made to this script for running with Vyatta # The original script came from 0.9.14 debian conntrack-tools package CONNTRACKD_BIN=/usr/sbin/conntrackd CONNTRACKD_LOCK=/var/lock/conntrack.lock CONNTRACKD_CONFIG=/run/conntrackd/conntrackd.conf FACILITY=daemon LEVEL=notice TAG=conntrack-tools LOGCMD="logger -t $TAG -p $FACILITY.$LEVEL" VRRP_GRP="VRRP sync-group [$2]" FAILOVER_STATE="/var/run/vyatta-conntrackd-failover-state" $LOGCMD "vyos-vrrp-conntracksync invoked at `date`" if ! systemctl is-active --quiet conntrackd.service; then echo "conntrackd service not running" exit 1 fi if [ ! -e $FAILOVER_STATE ]; then mkdir -p /var/run touch $FAILOVER_STATE fi case "$1" in master) echo MASTER at `date` > $FAILOVER_STATE $LOGCMD "`uname -n` transitioning to MASTER state for $VRRP_GRP" # # commit the external cache into the kernel table # $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -c if [ $? -eq 1 ] then $LOGCMD "ERROR: failed to invoke conntrackd -c" fi # # commit the expect entries to the kernel # $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -c exp if [ $? -eq 1 ] then $LOGCMD "ERROR: failed to invoke conntrackd -ce exp" fi # # flush the internal and the external caches # $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -f if [ $? -eq 1 ] then $LOGCMD "ERROR: failed to invoke conntrackd -f" fi # # resynchronize my internal cache to the kernel table # $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -R if [ $? -eq 1 ] then $LOGCMD "ERROR: failed to invoke conntrackd -R" fi # # send a bulk update to backups # $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -B if [ $? -eq 1 ] then $LOGCMD "ERROR: failed to invoke conntrackd -B" fi ;; backup) echo BACKUP at `date` > $FAILOVER_STATE $LOGCMD "`uname -n` transitioning to BACKUP state for $VRRP_GRP" # # is conntrackd running? request some statistics to check it # $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -s if [ $? -eq 1 ] then # # something's wrong, do we have a lock file? # if [ -f $CONNTRACKD_LOCK ] then $LOGCMD "WARNING: conntrackd was not cleanly stopped." $LOGCMD "If you suspect that it has crashed:" $LOGCMD "1) Enable coredumps" $LOGCMD "2) Try to reproduce the problem" $LOGCMD "3) Post the coredump to netfilter-devel@vger.kernel.org" rm -f $CONNTRACKD_LOCK fi $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -d if [ $? -eq 1 ] then $LOGCMD "ERROR: cannot launch conntrackd" exit 1 fi fi # # shorten kernel conntrack timers to remove the zombie entries. # $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -t if [ $? -eq 1 ] then $LOGCMD "ERROR: failed to invoke conntrackd -t" fi # # request resynchronization with master firewall replica (if any) # Note: this does nothing in the alarm approach. # $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -n if [ $? -eq 1 ] then $LOGCMD "ERROR: failed to invoke conntrackd -n" fi ;; fault) echo FAULT at `date` > $FAILOVER_STATE $LOGCMD "`uname -n` transitioning to FAULT state for $VRRP_GRP" # # shorten kernel conntrack timers to remove the zombie entries. # $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -t if [ $? -eq 1 ] then $LOGCMD "ERROR: failed to invoke conntrackd -t" fi ;; *) echo UNKNOWN at `date` > $FAILOVER_STATE $LOGCMD "ERROR: `uname -n` unknown state transition for $VRRP_GRP" echo "Usage: vyos-vrrp-conntracksync.sh {master|backup|fault}" exit 1 ;; esac exit 0