1OCF_HEARTBEAT_PORTBL(7) OCF resource agents OCF_HEARTBEAT_PORTBL(7)
2
3
4
6 ocf_heartbeat_portblock - Block and unblocks access to TCP and UDP
7 ports
8
10 portblock [start | stop | status | monitor | meta-data | validate-all]
11
13 Resource script for portblock. It is used to temporarily block ports
14 using iptables. In addition, it may allow for faster TCP reconnects for
15 clients on failover. Use that if there are long lived TCP connections
16 to an HA service. This feature is enabled by setting the tickle_dir
17 parameter and only in concert with action set to unblock. Note that the
18 tickle ACK function is new as of version 3.0.2 and hasn´t yet seen
19 widespread use.
20
22 protocol
23 The protocol used to be blocked/unblocked.
24
25 (required, string, no default)
26
27 portno
28 The port number used to be blocked/unblocked.
29
30 (required, string, no default)
31
32 action
33 The action (block/unblock) to be done on the protocol::portno.
34
35 (required, string, no default)
36
37 reset_local_on_unblock_stop
38 If for some reason the long lived server side TCP sessions won´t be
39 cleaned up by a reconfiguration/flush/stop of whatever services
40 this portblock protects, they would linger in the connection table,
41 even after the IP is gone and services have been switched over to
42 an other node.
43
44 An example would be the default NFS kernel server.
45
46 These "known" connections may seriously confuse and delay a later
47 switchback.
48
49 Enabling this option will cause this agent to try to get rid of
50 these connections by injecting a temporary iptables rule to
51 TCP-reset outgoing packets from the blocked ports, and additionally
52 tickle them locally, just before it starts to DROP incoming packets
53 on "unblock stop".
54
55 (optional, boolean, default false)
56
57 ip
58 The IP address used to be blocked/unblocked.
59
60 (optional, string, default "0.0.0.0/0")
61
62 tickle_dir
63 The shared or local directory (_must_ be absolute path) which
64 stores the established TCP connections.
65
66 (optional, string, no default)
67
68 sync_script
69 If the tickle_dir is a local directory, then the TCP connection
70 state file has to be replicated to other nodes in the cluster. It
71 can be csync2 (default), some wrapper of rsync, or whatever. It
72 takes the file name as a single argument. For csync2, set it to
73 "csync2 -xv".
74
75 (optional, string, no default)
76
78 This resource agent supports the following actions (operations):
79
80 start
81 Starts the resource. Suggested minimum timeout: 20.
82
83 stop
84 Stops the resource. Suggested minimum timeout: 20.
85
86 status
87 Performs a status check. Suggested minimum timeout: 10. Suggested
88 interval: 10.
89
90 monitor
91 Performs a detailed status check. Suggested minimum timeout: 10.
92 Suggested interval: 10.
93
94 meta-data
95 Retrieves resource agent metadata (internal use only). Suggested
96 minimum timeout: 5.
97
98 validate-all
99 Performs a validation of the resource configuration. Suggested
100 minimum timeout: 5.
101
103 The following is an example configuration for a portblock resource
104 using the crm(8) shell:
105
106 primitive p_portblock ocf:heartbeat:portblock \
107 params \
108 protocol=string \
109 portno=string \
110 action=string \
111 op monitor depth="0" timeout="10" interval="10"
112
114 http://www.linux-ha.org/wiki/portblock_(resource_agent)
115
117 Linux-HA contributors (see the resource agent source for information
118 about individual authors)
119
120
121
122resource-agents 3.9.2 03/24/2017 OCF_HEARTBEAT_PORTBL(7)