1OCF_HEARTBEAT_PORTBL(7) OCF resource agents OCF_HEARTBEAT_PORTBL(7)
2
6 ocf_heartbeat_portblock - Block and unblocks access to TCP and UDP
7 ports
8
10 portblock [start | stop | status | monitor | meta-data | validate-all]
11
13 Resource script for portblock. It is used to temporarily block ports
14 using iptables. In addition, it may allow for faster TCP reconnects for
15 clients on failover. Use that if there are long lived TCP connections
16 to an HA service. This feature is enabled by setting the tickle_dir
17 parameter and only in concert with action set to unblock. Note that the
18 tickle ACK function is new as of version 3.0.2 and hasn't yet seen
19 widespread use.
20
22 protocol
23 The protocol used to be blocked/unblocked.
24 (required, string, no default)
26 portno
28 The port number used to be blocked/unblocked.
29 (required, string, no default)
31 action
33 The action (block/unblock) to be done on the protocol::portno.
34 (required, string, no default)
36 reset_local_on_unblock_stop
38 If for some reason the long lived server side TCP sessions won't be
39 cleaned up by a reconfiguration/flush/stop of whatever services
40 this portblock protects, they would linger in the connection table,
41 even after the IP is gone and services have been switched over to
42 another node.
43 An example would be the default NFS kernel server.
45 These "known" connections may seriously confuse and delay a later
47 switchback.
48 Enabling this option will cause this agent to try to get rid of
50 these connections by injecting a temporary iptables rule to
51 TCP-reset outgoing packets from the blocked ports, and additionally
52 tickle them locally, just before it starts to DROP incoming packets
53 on "unblock stop".
54 (optional, boolean, default false)
56 ip
58 The IP address used to be blocked/unblocked.
59 (optional, string, default "0.0.0.0/0")
61 tickle_dir
63 The shared or local directory (_must_ be absolute path) which
64 stores the established TCP connections.
65 (optional, string, no default)
67 sync_script
69 If the tickle_dir is a local directory, then the TCP connection
70 state file has to be replicated to other nodes in the cluster. It
71 can be csync2 (default), some wrapper of rsync, or whatever. It
72 takes the file name as a single argument. For csync2, set it to
73 "csync2 -xv".
74 (optional, string, no default)
76 direction
78 Whether to block incoming or outgoing traffic. Can be either "in",
79 "out", or "both". If "in" is used, the incoming ports are blocked
80 on the INPUT chain. If "out" is used, the outgoing ports are
81 blocked on the OUTPUT chain. If "both" is used, both the incoming
82 and outgoing ports are blocked.
83 (optional, string, default "in")
85
87 This resource agent supports the following actions (operations):
88 start
90 Starts the resource. Suggested minimum timeout: 20s.
91 stop
93 Stops the resource. Suggested minimum timeout: 20s.
94 status
96 Performs a status check. Suggested minimum timeout: 10s. Suggested
97 interval: 10s.
98 monitor
100 Performs a detailed status check. Suggested minimum timeout: 10s.
101 Suggested interval: 10s.
102 meta-data
104 Retrieves resource agent metadata (internal use only). Suggested
105 minimum timeout: 5s.
106 validate-all
108 Performs a validation of the resource configuration. Suggested
109 minimum timeout: 5s.
110
112 The following is an example configuration for a portblock resource
113 using the crm(8) shell:
114 primitive p_portblock ocf:heartbeat:portblock \
116 params \
117 protocol=string \
118 portno=string \
119 action=string \
120 op monitor depth="0" timeout="10s" interval="10s"
121
123 The following is an example configuration for a portblock resource
124 using pcs(8)
125 pcs resource create p_portblock ocf:heartbeat:portblock \
127 protocol=string \
128 portno=string \
129 action=string \
130 op monitor OCF_CHECK_LEVEL="0" timeout="10s" interval="10s"
131
133 http://clusterlabs.org/
134
136 ClusterLabs contributors (see the resource agent source for information
137 about individual authors)
138resource-agents UNKNOWN 01/25/2023 OCF_HEARTBEAT_PORTBL(7)