[conntrack-tools] doc: add bulk update to primary-script.sh script
Pablo Neira
netfilter-cvslog-bounces at lists.netfilter.org
Sun Feb 15 18:48:31 CET 2009
Gitweb: http://git.netfilter.org/cgi-bin/gitweb.cgi?p=conntrack-tools.git;a=commit;h=1606369707325e2f68ffe225917d7ea637ddb9de
commit 1606369707325e2f68ffe225917d7ea637ddb9de
Author: Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Sun Feb 15 18:47:50 2009 +0100
Commit: Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Sun Feb 15 18:47:50 2009 +0100
doc: add bulk update to primary-script.sh script
This patch updates the script to remark the fact that it should be
used with Linux kernel < 2.6.29. Moreover, it adds a bulk-update
command after the commit in the primary path to avoid any race
condition (the backup may request a resync while this primary
is still committing the entries with an empty internal cache).
This is hackish, but I think that this is the best way to do this
for systems running a Linux kernel < 2.6.29.
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
commit ca6fa387c80e9fdccace3091317d32a59dab7400
Author: Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Sun Feb 15 18:46:08 2009 +0100
Commit: Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Sun Feb 15 18:46:08 2009 +0100
doc: add new primary-backup.sh script for >= 2.6.29
This patch adds a new primary-backup.sh script for Linux kernels
>= 2.6.29. This script takes advantage of the user-space event
reporting that ctnetlink does since this kernel version.
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
via 1606369707325e2f68ffe225917d7ea637ddb9de (commit)
via ca6fa387c80e9fdccace3091317d32a59dab7400 (commit)
from 9541aef846b808a43b6e32b9ec3a41fa6d87d36f (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 1606369707325e2f68ffe225917d7ea637ddb9de
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date: Sun Feb 15 18:47:50 2009 +0100
doc: add bulk update to primary-script.sh script
This patch updates the script to remark the fact that it should be
used with Linux kernel < 2.6.29. Moreover, it adds a bulk-update
command after the commit in the primary path to avoid any race
condition (the backup may request a resync while this primary
is still committing the entries with an empty internal cache).
This is hackish, but I think that this is the best way to do this
for systems running a Linux kernel < 2.6.29.
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
commit ca6fa387c80e9fdccace3091317d32a59dab7400
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date: Sun Feb 15 18:46:08 2009 +0100
doc: add new primary-backup.sh script for >= 2.6.29
This patch adds a new primary-backup.sh script for Linux kernels
>= 2.6.29. This script takes advantage of the user-space event
reporting that ctnetlink does since this kernel version.
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
-----------------------------------------------------------------------
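As an added example (not part of either commit and not the project's own script), the primary-path sequence the first commit message describes for kernels < 2.6.29: commit the external cache, then force a bulk update to the backups so that a resync request arriving while the primary is still committing does not find an empty cache. It assumes conntrackd's -c, -f and -B options, checks every non-zero exit status rather than only status 1, and takes the binary and config paths from the environment so the sequence can be exercised against a stand-in binary.

```shell
#!/bin/sh
# Added example (not the conntrack-tools script): primary transition for a
# pre-2.6.29 kernel, as described in the commit message above.
# Assumptions: conntrackd accepts -c (commit), -f external (flush the
# external cache) and -B (force a bulk update to the replicas).

CONNTRACKD_BIN=${CONNTRACKD_BIN:-/usr/sbin/conntrackd}
CONNTRACKD_CONFIG=${CONNTRACKD_CONFIG:-/etc/conntrackd/conntrackd.conf}

# Run one conntrackd action. Any non-zero status is an error, not only 1
# (a missing binary returns 127, which "$? -eq 1" would miss). The real
# script reports via logger; stderr is used here so it runs anywhere.
ctd_run() {
    "$CONNTRACKD_BIN" -C "$CONNTRACKD_CONFIG" "$@"
    _st=$?
    if [ "$_st" -ne 0 ]; then
        echo "ERROR: conntrackd $* failed with status $_st" >&2
    fi
    return "$_st"
}

# Primary transition: commit, flush the external cache, then bulk update.
# Stops at the first failing step and returns its status; 0 on success.
# The bulk update is the last step so that a backup asking for a resync
# during the commit still receives the full table afterwards.
primary_transition() {
    ctd_run -c          || return $?
    ctd_run -f external || return $?
    ctd_run -B          || return $?
    return 0
}
```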
...ckup.sh => primary-backup-2.6.29-and-higher.sh} | 20 +++++++-------------
doc/sync/primary-backup.sh | 11 +++++++++++
2 files changed, 18 insertions(+), 13 deletions(-)
copy doc/sync/{primary-backup.sh => primary-backup-2.6.29-and-higher.sh} (86%)
diff --git a/doc/sync/primary-backup-2.6.29-and-higher.sh b/doc/sync/primary-backup-2.6.29-and-higher.sh
new file mode 100755
index 0000000..3236c24
--- /dev/null
+++ b/doc/sync/primary-backup-2.6.29-and-higher.sh
@@ -0,0 +1,109 @@
+#!/bin/sh
+#
+# (C) 2008-2009 by Pablo Neira Ayuso <pablo at netfilter.org>
+#
+# This software may be used and distributed according to the terms
+# of the GNU General Public License, incorporated herein by reference.
+#
+# Description:
+#
+# Use this script is you use a Linux kernel >= 2.6.29.
+#
+# This is the script for primary-backup setups for keepalived
+# (http://www.keepalived.org). You may adapt it to make it work with other
+# high-availability managers.
+#
+# Do not forget to include the required modifications to your keepalived.conf
+# file to invoke this script during keepalived's state transitions.
+#
+# Contributions to improve this script are welcome :).
+#
+
+CONNTRACKD_BIN=/usr/sbin/conntrackd
+CONNTRACKD_LOCK=/var/lock/conntrack.lock
+CONNTRACKD_CONFIG=/etc/conntrackd/conntrackd.conf
+
+case "$1" in
+ primary)
+ #
+ # commit the external cache into the kernel table
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -c
+ if [ $? -eq 1 ]
+ then
+ logger "ERROR: failed to invoke conntrackd -c"
+ fi
+
+ #
+ # flush external cache
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -f external
+ if [ $? -eq 1 ]
+ then
+ logger "ERROR: failed to invoke conntrackd -f external"
+ fi
+ ;;
+
+ backup)
+ #
+ # is conntrackd running? request some statistics to check it
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -s
+ if [ $? -eq 1 ]
+ then
+ #
+ # something's wrong, do we have a lock file?
+ #
+ if [ -f $CONNTRACKD_LOCK ]
+ then
+ logger "WARNING: conntrackd was not cleanly stopped."
+ logger "If you suspect that it has crashed:"
+ logger "1) Enable coredumps"
+ logger "2) Try to reproduce the problem"
+ logger "3) Post the coredump to netfilter-devel at vger.kernel.org"
+ rm -f $CONNTRACKD_LOCK
+ fi
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -d
+ if [ $? -eq 1 ]
+ then
+ logger "ERROR: cannot launch conntrackd"
+ exit 1
+ fi
+ fi
+ #
+ # shorten kernel conntrack timers to remove the zombie entries.
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -t
+ if [ $? -eq 1 ]
+ then
+ logger "ERROR: failed to invoke conntrackd -t"
+ fi
+
+ #
+ # request resynchronization with master firewall replica (if any)
+ # Note: this does nothing in the alarm approach.
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -n
+ if [ $? -eq 1 ]
+ then
+ logger "ERROR: failed to invoke conntrackd -n"
+ fi
+ ;;
+ fault)
+ #
+ # shorten kernel conntrack timers to remove the zombie entries.
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -t
+ if [ $? -eq 1 ]
+ then
+ logger "ERROR: failed to invoke conntrackd -t"
+ fi
+ ;;
+ *)
+ logger "ERROR: unknown state transition"
+ echo "Usage: primary-backup.sh {primary|backup|fault}"
+ exit 1
+ ;;
+esac
+
+exit 0
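Review bot: every status check in this hunk tests only `$? -eq 1`, so any other non-zero exit from conntrackd (for example 127 when the binary is missing) is treated as success and the transition carries on without logging; write `if ! $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -c; then` or compare with `-ne 0` instead. Two smaller points: the description header reads "Use this script is you use a Linux kernel >= 2.6.29" (should be "if you use"), and the usage line in the `*)` branch still prints `primary-backup.sh` although this file is `primary-backup-2.6.29-and-higher.sh`; printing `$0` keeps it accurate after the copy.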