130 lines
3.1 KiB
Text
130 lines
3.1 KiB
Text
|
#!/bin/sh
|
||
|
|
||
|
{{ ansible_managed | comment }}
|
||
|
|
||
|
#
|
||
|
# (C) 2006-2011 by Pablo Neira Ayuso <pablo@netfilter.org>
|
||
|
#
|
||
|
# This program is free software; you can redistribute it and/or modify
|
||
|
# it under the terms of the GNU General Public License as published by
|
||
|
# the Free Software Foundation; either version 2 of the License, or
|
||
|
# (at your option) any later version.
|
||
|
#
|
||
|
# Description:
|
||
|
#
|
||
|
# This is the script for primary-backup setups for keepalived
|
||
|
# (http://www.keepalived.org). You may adapt it to make it work with other
|
||
|
# high-availability managers.
|
||
|
#
|
||
|
# Do not forget to include the required modifications to your keepalived.conf
|
||
|
# file to invoke this script during keepalived's state transitions.
|
||
|
#
|
||
|
# Contributions to improve this script are welcome :).
|
||
|
#
|
||
|
|
||
|
CONNTRACKD_BIN=/usr/sbin/conntrackd
|
||
|
CONNTRACKD_LOCK=/var/lock/conntrack.lock
|
||
|
CONNTRACKD_CONFIG=/etc/conntrackd/conntrackd.conf
|
||
|
|
||
|
case "$1" in
|
||
|
primary)
|
||
|
#
|
||
|
# commit the external cache into the kernel table
|
||
|
#
|
||
|
$CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -c
|
||
|
if [ $? -eq 1 ]
|
||
|
then
|
||
|
logger "ERROR: failed to invoke conntrackd -c"
|
||
|
fi
|
||
|
|
||
|
#
|
||
|
# flush the internal and the external caches
|
||
|
#
|
||
|
$CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -f
|
||
|
if [ $? -eq 1 ]
|
||
|
then
|
||
|
logger "ERROR: failed to invoke conntrackd -f"
|
||
|
fi
|
||
|
|
||
|
#
|
||
|
# resynchronize my internal cache to the kernel table
|
||
|
#
|
||
|
$CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -R
|
||
|
if [ $? -eq 1 ]
|
||
|
then
|
||
|
logger "ERROR: failed to invoke conntrackd -R"
|
||
|
fi
|
||
|
|
||
|
#
|
||
|
# send a bulk update to backups
|
||
|
#
|
||
|
$CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -B
|
||
|
if [ $? -eq 1 ]
|
||
|
then
|
||
|
logger "ERROR: failed to invoke conntrackd -B"
|
||
|
fi
|
||
|
;;
|
||
|
backup)
|
||
|
#
|
||
|
# is conntrackd running? request some statistics to check it
|
||
|
#
|
||
|
$CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -s
|
||
|
if [ $? -eq 1 ]
|
||
|
then
|
||
|
#
|
||
|
# something's wrong, do we have a lock file?
|
||
|
#
|
||
|
if [ -f $CONNTRACKD_LOCK ]
|
||
|
then
|
||
|
logger "WARNING: conntrackd was not cleanly stopped."
|
||
|
logger "If you suspect that it has crashed:"
|
||
|
logger "1) Enable coredumps"
|
||
|
logger "2) Try to reproduce the problem"
|
||
|
logger "3) Post the coredump to netfilter-devel@vger.kernel.org"
|
||
|
rm -f $CONNTRACKD_LOCK
|
||
|
fi
|
||
|
$CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -d
|
||
|
if [ $? -eq 1 ]
|
||
|
then
|
||
|
logger "ERROR: cannot launch conntrackd"
|
||
|
exit 1
|
||
|
fi
|
||
|
fi
|
||
|
#
|
||
|
# shorten kernel conntrack timers to remove the zombie entries.
|
||
|
#
|
||
|
$CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -t
|
||
|
if [ $? -eq 1 ]
|
||
|
then
|
||
|
logger "ERROR: failed to invoke conntrackd -t"
|
||
|
fi
|
||
|
|
||
|
#
|
||
|
# request resynchronization with master firewall replica (if any)
|
||
|
# Note: this does nothing in the alarm approach.
|
||
|
#
|
||
|
$CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -n
|
||
|
if [ $? -eq 1 ]
|
||
|
then
|
||
|
logger "ERROR: failed to invoke conntrackd -n"
|
||
|
fi
|
||
|
;;
|
||
|
fault)
|
||
|
#
|
||
|
# shorten kernel conntrack timers to remove the zombie entries.
|
||
|
#
|
||
|
$CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -t
|
||
|
if [ $? -eq 1 ]
|
||
|
then
|
||
|
logger "ERROR: failed to invoke conntrackd -t"
|
||
|
fi
|
||
|
;;
|
||
|
*)
|
||
|
logger "ERROR: unknown state transition"
|
||
|
echo "Usage: $0 {primary|backup|fault}"
|
||
|
exit 1
|
||
|
;;
|
||
|
esac
|
||
|
|
||
|
exit 0
|