mirror of
https://gitlab.com/shorewall/code.git
synced 2025-01-03 03:59:16 +01:00
Add LSM to Multi-ISP doc
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9523 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
af24d35973
commit
140d23b389
@ -1075,49 +1075,55 @@ shorewall 2 2 - eth0 192.168.1.254 track,balance=2,optional<
|
|||||||
- - shorewall 11999</programlisting></para>
|
- - shorewall 11999</programlisting></para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="swping">
|
<section id="LinkMonitor">
|
||||||
<title>Gateway Monitoring and Failover</title>
|
<title>Gateway Monitoring and Failover</title>
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.2.6, Shorewall includes a sample
|
<para>There are a couple of options available for monitoring the status
|
||||||
monitoring script <filename>swping</filename>. The
|
of provider links and taking action when a failure occurs.</para>
|
||||||
<filename>swping</filename> file is available in the main directory
|
|
||||||
contained in the Shorewall-common tarball and is included in the
|
|
||||||
Shorewall-common documentation directory on the Shorewall-common RPM.
|
|
||||||
The script is inspired by Angsuman Chakraborty's <ulink
|
|
||||||
url="http://blog.taragana.com/index.php/archive/how-to-load-balancing-failover-with-dual-multi-wan-adsl-cable-connections-on-linux/">gwping</ulink>
|
|
||||||
script.</para>
|
|
||||||
|
|
||||||
<para>For those not on 4.2.6 yet, the script may be downloaded from
|
<section id="swping">
|
||||||
<ulink
|
<title>SWPING</title>
|
||||||
url="http://www.shorewall.net/pub/shorewall/contrib/MultiISP-failover/">http://www.shorewall.net/pub/shorewall/contrib/MultiISP-failover/</ulink>.</para>
|
|
||||||
|
|
||||||
<important>
|
<para>Beginning with Shorewall 4.2.6, Shorewall includes a sample
|
||||||
<para>These samples are offered <emphasis>as is</emphasis> — they work
|
monitoring script <filename>swping</filename>. The
|
||||||
for me but I don't make any claim that they will work for anyone else.
|
<filename>swping</filename> file is available in the main directory
|
||||||
But if you have a need for automated link monitoring, they offer you a
|
contained in the Shorewall-common tarball and is included in the
|
||||||
place to start.</para>
|
Shorewall-common documentation directory on the Shorewall-common RPM.
|
||||||
</important>
|
The script is inspired by Angsuman Chakraborty's <ulink
|
||||||
|
url="http://blog.taragana.com/index.php/archive/how-to-load-balancing-failover-with-dual-multi-wan-adsl-cable-connections-on-linux/">gwping</ulink>
|
||||||
|
script.</para>
|
||||||
|
|
||||||
<para>The script should be copied to a directory on root's PATH such as
|
<para>For those not on 4.2.6 yet, the script may be downloaded from
|
||||||
<filename>/usr/local/sbin/</filename>.</para>
|
<ulink
|
||||||
|
url="http://www.shorewall.net/pub/shorewall/contrib/MultiISP-failover/">http://www.shorewall.net/pub/shorewall/contrib/MultiISP-failover/</ulink>.</para>
|
||||||
|
|
||||||
<para>The script works by sending pings to <emphasis>target</emphasis>
|
<important>
|
||||||
IP addresses through each external interface. These targets must not
|
<para>These samples are offered <emphasis>as is</emphasis> — they
|
||||||
depend on any routes other than those that are present in the main
|
work for me but I don't make any claim that they will work for
|
||||||
routing table. That ensures that a route is available to the target even
|
anyone else. But if you have a need for automated link monitoring,
|
||||||
when the target's interface is not working and Shorewall has omitted it
|
they offer you a place to start.</para>
|
||||||
from the routing configuration. An interface is assumed to be
|
</important>
|
||||||
<firstterm>up</firstterm> when a specified number (UP_COUNT) of
|
|
||||||
consecutive ping operations succeed. Similarly, an interface is assumed
|
|
||||||
to be <firstterm>down</firstterm> when a specified number (DOWN_COUNT)
|
|
||||||
of consecutive ping operations fail. You can specify the interval
|
|
||||||
between pings (PING_INTERVAL).</para>
|
|
||||||
|
|
||||||
<para>The script monitors two interfaces but it is a trivial exercise to
|
<para>The script should be copied to a directory on root's PATH such
|
||||||
extend it to more than two. At the top are a number of variables to
|
as <filename>/usr/local/sbin/</filename>.</para>
|
||||||
set:</para>
|
|
||||||
|
|
||||||
<programlisting>#
|
<para>The script works by sending pings to <emphasis>target</emphasis>
|
||||||
|
IP addresses through each external interface. These targets must not
|
||||||
|
depend on any routes other than those that are present in the main
|
||||||
|
routing table. That ensures that a route is available to the target
|
||||||
|
even when the target's interface is not working and Shorewall has
|
||||||
|
omitted it from the routing configuration. An interface is assumed to
|
||||||
|
be <firstterm>up</firstterm> when a specified number (UP_COUNT) of
|
||||||
|
consecutive ping operations succeed. Similarly, an interface is
|
||||||
|
assumed to be <firstterm>down</firstterm> when a specified number
|
||||||
|
(DOWN_COUNT) of consecutive ping operations fail. You can specify the
|
||||||
|
interval between pings (PING_INTERVAL).</para>
|
||||||
|
|
||||||
|
<para>The script monitors two interfaces but it is a trivial exercise
|
||||||
|
to extend it to more than two. At the top are a number of variables to
|
||||||
|
set:</para>
|
||||||
|
|
||||||
|
<programlisting>#
|
||||||
# IP family -- 4 or 6
|
# IP family -- 4 or 6
|
||||||
#
|
#
|
||||||
FAMILY=4
|
FAMILY=4
|
||||||
@ -1157,34 +1163,34 @@ UP_COUNT=5
|
|||||||
#
|
#
|
||||||
DOWN_COUNT=2</programlisting>
|
DOWN_COUNT=2</programlisting>
|
||||||
|
|
||||||
<para>If you leave COMMAND empty, the script sets its value
|
<para>If you leave COMMAND empty, the script sets its value
|
||||||
automatically depending on whether Shorewall-lite is installed.</para>
|
automatically depending on whether Shorewall-lite is installed.</para>
|
||||||
|
|
||||||
<para>When the status of an interface changes:</para>
|
<para>When the status of an interface changes:</para>
|
||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>For each interface, a file is placed in /etc/shorewall to
|
<para>For each interface, a file is placed in /etc/shorewall to
|
||||||
record the status of the interface: either 0 (UP) or 1 (DOWN). The
|
record the status of the interface: either 0 (UP) or 1 (DOWN). The
|
||||||
name of the file is
|
name of the file is
|
||||||
<filename><replaceable>interface</replaceable>.status</filename>
|
<filename><replaceable>interface</replaceable>.status</filename>
|
||||||
where <replaceable>interface</replaceable> is the interface (e.g.,
|
where <replaceable>interface</replaceable> is the interface (e.g.,
|
||||||
<filename>eth0.status</filename>).</para>
|
<filename>eth0.status</filename>).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>A <command>shorewall -f restart</command> command is executed
|
<para>A <command>shorewall -f restart</command> command is
|
||||||
(<command>shorewall-lite restart</command>, if Shorewall-lite is
|
executed (<command>shorewall-lite restart</command>, if
|
||||||
installed).</para>
|
Shorewall-lite is installed).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The contents of the main routing table are displayed.</para>
|
<para>The contents of the main routing table are displayed.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<para>The .status files are intended to be used with the following
|
<para>The .status files are intended to be used with the following
|
||||||
<filename>/etc/shorewall/isusable</filename> script.<programlisting>local status=0
|
<filename>/etc/shorewall/isusable</filename> script.<programlisting>local status=0
|
||||||
|
|
||||||
case $1 in
|
case $1 in
|
||||||
<emphasis role="bold">eth0|eth1</emphasis>)
|
<emphasis role="bold">eth0|eth1</emphasis>)
|
||||||
@ -1194,65 +1200,211 @@ esac
|
|||||||
|
|
||||||
return $status</programlisting></para>
|
return $status</programlisting></para>
|
||||||
|
|
||||||
<para>Be sure that you modify the interface names to match your
|
<para>Be sure that you modify the interface names to match your
|
||||||
configuration.</para>
|
configuration.</para>
|
||||||
|
|
||||||
<para>Also included is a sample init script
|
<para>Also included is a sample init script
|
||||||
(<filename>swping.init</filename>) to start the monitoring daemon. Copy
|
(<filename>swping.init</filename>) to start the monitoring daemon.
|
||||||
it to<filename> /etc/init.d/swping</filename> and use your
|
Copy it to<filename> /etc/init.d/swping</filename> and use your
|
||||||
distribution's SysV init tools to cause it to be run at boot. It works
|
distribution's SysV init tools to cause it to be run at boot. It works
|
||||||
on <trademark>OpenSuSE</trademark> 11.0 -- YMMV. Modify the PROG and
|
on <trademark>OpenSuSE</trademark> 11.0 -- YMMV. Modify the PROG and
|
||||||
STATEDIR variables as needed.</para>
|
STATEDIR variables as needed.</para>
|
||||||
|
|
||||||
<para>As an alternative to using the init script, you can add the
|
<para>As an alternative to using the init script, you can add the
|
||||||
following to <filename>/etc/shorewall/started</filename>:</para>
|
following to <filename>/etc/shorewall/started</filename>:</para>
|
||||||
|
|
||||||
<programlisting>if [ "$COMMAND" = start ]; then
|
<programlisting>if [ "$COMMAND" = start ]; then
|
||||||
killall -9 swping 2> /dev/null #be sure that there are none left running
|
killall -9 swping 2> /dev/null #be sure that there are none left running
|
||||||
/usr/local/sbin/swping &
|
/usr/local/sbin/swping &
|
||||||
fi</programlisting>
|
fi</programlisting>
|
||||||
|
|
||||||
<para>and add this to
|
<para>and add this to
|
||||||
<filename>/etc/shorewall/stopped</filename>.</para>
|
<filename>/etc/shorewall/stopped</filename>.</para>
|
||||||
|
|
||||||
<para><programlisting>if [ "$COMMAND" = stop -o "$COMMAND" = clear ]; then
|
<para><programlisting>if [ "$COMMAND" = stop -o "$COMMAND" = clear ]; then
|
||||||
killall -9 swping 2> /dev/null
|
killall -9 swping 2> /dev/null
|
||||||
fi</programlisting></para>
|
fi</programlisting></para>
|
||||||
|
|
||||||
<para>This simple script has a number of limitations:</para>
|
<para>This simple script has a number of limitations:</para>
|
||||||
|
|
||||||
<orderedlist>
|
<orderedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>It only works on IPv4 or IPv6 but not both at once. So if you
|
<para>It only works on IPv4 or IPv6 but not both at once. So if
|
||||||
want to monitor both IPv4 and IPv6, you need to clone the script are
|
you want to monitor both IPv4 and IPv6, you need to clone the
|
||||||
run two copies; one for IPv4 and one for IPv6.</para>
|
script are run two copies; one for IPv4 and one for IPv6.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>It can only detect the gateway for interfaces managed by
|
<para>It can only detect the gateway for interfaces managed by
|
||||||
dhcpcd.</para>
|
dhcpcd.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>It's method of determining whether an interface is up or down
|
<para>It's method of determining whether an interface is up or
|
||||||
is crude. You will normally specify the default gateway for each
|
down is crude. You will normally specify the default gateway for
|
||||||
provider as the sites to ping and being able to ping the default
|
each provider as the sites to ping and being able to ping the
|
||||||
gateway is not a surefire indication that the provider is usable.
|
default gateway is not a surefire indication that the provider is
|
||||||
The method of determining whether a site is up or down is also
|
usable. The method of determining whether a site is up or down is
|
||||||
crude.</para>
|
also crude.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Because of the crudeness of the algorithm, hysteresis may
|
<para>Because of the crudeness of the algorithm, hysteresis may
|
||||||
occur.</para>
|
occur.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>It is tricky to configure a system such that the system works
|
<para>It is tricky to configure a system such that the system
|
||||||
correctly when one of its providers is down unless you largely don't
|
works correctly when one of its providers is down unless you
|
||||||
care which interface is used.</para>
|
largely don't care which interface is used.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</orderedlist>
|
</orderedlist>
|
||||||
|
</section>
|
||||||
|
|
||||||
|
<section id="lsm">
|
||||||
|
<title>Link Status Monitor (LSM)</title>
|
||||||
|
|
||||||
|
<para><ulink url="http://lsm.foobar.fi/">Link Status Monitor</ulink>
|
||||||
|
was written by Mika Ilmaranta <ilmis at nullnet.fi> and performs
|
||||||
|
more sophisticated monitoring than the simple swping script described
|
||||||
|
in the preceding section.</para>
|
||||||
|
|
||||||
|
<para>I personally use LSM here at shorewall.net. Here are my relevant
|
||||||
|
configuration files:</para>
|
||||||
|
|
||||||
|
<para><filename>/etc/shorewall/isusable</filename>:</para>
|
||||||
|
|
||||||
|
<programlisting>local status
|
||||||
|
status=0
|
||||||
|
|
||||||
|
case $1 in
|
||||||
|
eth0|eth3)
|
||||||
|
[ -f /etc/shorewall/${1}.status ] && status=$(cat /etc/shorewall/${1}.status)
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
return $status</programlisting>
|
||||||
|
|
||||||
|
<para><filename>/etc/shorewall/started</filename>:</para>
|
||||||
|
|
||||||
|
<programlisting>###############################################################################
|
||||||
|
# My 'restored' script calls this one if there is no lsm process running
|
||||||
|
###############################################################################
|
||||||
|
if [ "$COMMAND" = start -o "$COMMAND" = restore ]; then
|
||||||
|
killproc lsm 2> /dev/null
|
||||||
|
cat <<EOF > /etc/lsm/shorewall.conf
|
||||||
|
connection {
|
||||||
|
name=Avvanta
|
||||||
|
checkip=206.124.146.254
|
||||||
|
device=eth0
|
||||||
|
ttl=2
|
||||||
|
}
|
||||||
|
|
||||||
|
connection {
|
||||||
|
name=Comcast
|
||||||
|
checkip=$ETH3_GATEWAY
|
||||||
|
device=eth3
|
||||||
|
ttl=1
|
||||||
|
}
|
||||||
|
EOF
|
||||||
|
rm -f /etc/shorewall/*.status
|
||||||
|
/usr/sbin/lsm /etc/lsm/lsm.conf >> /var/log/lsm
|
||||||
|
fi</programlisting>
|
||||||
|
|
||||||
|
<para>eth3 has a dynamic IP address so I need to use the
|
||||||
|
Shorewall-detected gateway address ($ETH3_GATEWAY).</para>
|
||||||
|
|
||||||
|
<para><filename>/etc/shorewall/restored</filename>:</para>
|
||||||
|
|
||||||
|
<programlisting>if [ -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then
|
||||||
|
run_started_exit
|
||||||
|
fi</programlisting>
|
||||||
|
|
||||||
|
<para><filename>/etc/lsm/lsm.conf</filename>:</para>
|
||||||
|
|
||||||
|
<programlisting>#
|
||||||
|
# Defaults for the connection entries
|
||||||
|
#
|
||||||
|
defaults {
|
||||||
|
name=defaults
|
||||||
|
checkip=127.0.0.1
|
||||||
|
eventscript=/etc/lsm/script
|
||||||
|
max_packet_loss=20
|
||||||
|
max_successive_pkts_lost=7
|
||||||
|
min_packet_loss=5
|
||||||
|
min_successive_pkts_rcvd=10
|
||||||
|
interval_ms=2000
|
||||||
|
timeout_ms=2000
|
||||||
|
warn_email=teastep@shorewall.net
|
||||||
|
check_arp=0
|
||||||
|
sourceip=
|
||||||
|
device=eth0
|
||||||
|
ttl=64
|
||||||
|
}
|
||||||
|
|
||||||
|
include /etc/lsm/shorewall.conf</programlisting>
|
||||||
|
|
||||||
|
<para><filename>/etc/lsm/script</filename><programlisting>#!/bin/sh
|
||||||
|
#
|
||||||
|
# (C) 2009 Mika Ilmaranta <ilmis@nullnet.fi>
|
||||||
|
# (C) 2009 Tom Eastep <teastep@shorewall.net>
|
||||||
|
#
|
||||||
|
# License: GPLv2
|
||||||
|
#
|
||||||
|
|
||||||
|
STATE=${1}
|
||||||
|
NAME=${2}
|
||||||
|
CHECKIP=${3}
|
||||||
|
DEVICE=${4}
|
||||||
|
WARN_EMAIL=${5}
|
||||||
|
REPLIED=${6}
|
||||||
|
WAITING=${7}
|
||||||
|
TIMEOUT=${8}
|
||||||
|
REPLY_LATE=${9}
|
||||||
|
CONS_RCVD=${10}
|
||||||
|
CONS_WAIT=${11}
|
||||||
|
CONS_MISS=${12}
|
||||||
|
AVG_RTT=${13}
|
||||||
|
|
||||||
|
cat <<EOM | mail -s "${NAME} ${STATE}, DEV ${DEVICE}" ${WARN_EMAIL}
|
||||||
|
|
||||||
|
Hi,
|
||||||
|
|
||||||
|
Connection ${NAME} is now ${STATE}.
|
||||||
|
|
||||||
|
Following parameters were passed:
|
||||||
|
newstate = ${STATE}
|
||||||
|
name = ${NAME}
|
||||||
|
checkip = ${CHECKIP}
|
||||||
|
device = ${DEVICE}
|
||||||
|
warn_email = ${WARN_EMAIL}
|
||||||
|
|
||||||
|
Packet counters:
|
||||||
|
replied = ${REPLIED} packets replied
|
||||||
|
waiting = ${WAITING} packets waiting for reply
|
||||||
|
timeout = ${TIMEOUT} packets that have timed out (= packet loss)
|
||||||
|
reply_late = ${REPLY_LATE} packets that received a reply after timeout
|
||||||
|
cons_rcvd = ${CONS_RCVD} consecutively received replies in sequence
|
||||||
|
cons_wait = ${CONS_WAIT} consecutive packets waiting for reply
|
||||||
|
cons_miss = ${CONS_MISS} consecutive packets that have timed out
|
||||||
|
avg_rtt = ${AVG_RTT} average rtt, notice that waiting and timed out packets have rtt = 0 when calculating this
|
||||||
|
|
||||||
|
Your LSM Daemon
|
||||||
|
|
||||||
|
EOM
|
||||||
|
|
||||||
|
[ ${STATE} = up ] && state=0 || state=1
|
||||||
|
|
||||||
|
echo $state > /etc/shorewall/${DEVICE}.status
|
||||||
|
|
||||||
|
/sbin/shorewall -f restart >> /var/log/lsm 2>&1
|
||||||
|
|
||||||
|
/sbin/shorewall show routing >> /var/log/lsm
|
||||||
|
|
||||||
|
exit 0;
|
||||||
|
|
||||||
|
#EOF</programlisting>:</para>
|
||||||
|
</section>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="Shared">
|
<section id="Shared">
|
||||||
|
Loading…
Reference in New Issue
Block a user