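# $OpenBSD: ifstated.conf,v 1.1 2014/07/11 16:36:35 deraadt Exp $
# This is a sample config for a pair of firewalls with two interfaces
#
# carp0 and carp1 have ip addresses on 192.168.3.0/24 and 192.168.6.0/24
# respectively.

# net.inet.carp.preempt must be enabled (set to 1) for this to work correctly.

# Every quoted command in this file (the ping probes, "sleep 5" and the
# "run" lines) is executed by ifstated with the daemon's privileges, and
# the commands are named without a path, so they are resolved through the
# daemon's PATH.  Keep this file owned by root and writable by nobody
# else, and check it with "ifstated -n" after every edit.

# Uncomment one of the following lines to force primary/backup status.
# init-state primary
# init-state backup

# Link-state macros: both carp interfaces master, both backup, or both in
# the same state (either of the two).
carp_up = "carp0.link.up && carp1.link.up"
carp_down = "!carp0.link.up && !carp1.link.up"
# carp_sync is negated and and-ed with other tests where it is used below,
# so it is fully parenthesised here, like "net" and "peer": the grouping
# then does not depend on operator precedence or on how the macro is
# expanded at the point of use.
carp_sync = "((carp0.link.up && carp1.link.up) || \
    (!carp0.link.up && !carp1.link.up))"

# The "net" addresses are other addresses which can be used to determine
# whether we have connectivity. Make sure the hosts are always up, or
# test multiple ip's, 'or'-ing the tests.
# As written the two probes are and-ed: one unanswered ping makes $net
# false and demotes the primary.  Failover therefore follows ICMP
# reachability of these hosts, so choose hosts on segments you control.
net = '( "ping -q -c 1 -w 1 192.168.6.8 > /dev/null" every 10 && \
    "ping -q -c 1 -w 1 192.168.3.8 > /dev/null" every 10)'

# The peer addresses below are the real ip addresses of the OTHER firewall
peer = '( "ping -q -c 1 -w 1 192.168.6.7 > /dev/null" every 10 && \
    "ping -q -c 1 -w 1 192.168.3.7 > /dev/null" every 10)'

# Starting state: take the role the carp interfaces already agree on.
# While they disagree neither test matches and the state stays "auto".
state auto {
    if $carp_up
        set-state primary
    if $carp_down
        set-state backup
}

# Normal master: low advskew so this host wins the carp election.
# Step down as soon as the connectivity probes fail.
state primary {
    init {
        run "ifconfig carp0 advskew 10"
        run "ifconfig carp1 advskew 10"
    }
    if ! $net
        set-state demoted
}

# Primary without connectivity: advskew 254 makes this host the least
# preferred master until the probes succeed again.
state demoted {
    init {
        run "ifconfig carp0 advskew 254"
        run "ifconfig carp1 advskew 254"
    }
    if $net
        set-state primary
}

# Backup that has taken over: advskew 0 claims both interfaces.  Hand
# back when the peer answers again or our own connectivity is lost.
state promoted {
    init {
        run "ifconfig carp0 advskew 0"
        run "ifconfig carp1 advskew 0"
    }
    if $peer || ! $net
        set-state backup
}

# Normal standby: advskew 100 keeps this host behind the primary (10)
# but ahead of a demoted primary (254).
state backup {
    init {
        run "ifconfig carp0 advskew 100"
        run "ifconfig carp1 advskew 100"
    }
    # The "sleep 5" below is a hack to dampen the $carp_sync when we come
    # out of promoted state. Thinking about the correct fix...
    # The outer test only passes once "sleep 5" has returned; the inner
    # test then re-checks the same condition before promoting.
    if ! $carp_sync && $net && "sleep 5" every 10
        if ! $carp_sync && $net
            set-state promoted
}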