OCF_HEARTBEAT_PORTBL(7)       OCF resource agents      OCF_HEARTBEAT_PORTBL(7)


NAME

       ocf_heartbeat_portblock - Blocks and unblocks access to TCP and UDP
       ports


SYNOPSIS

       portblock [start | stop | status | monitor | meta-data | validate-all]


DESCRIPTION

       Resource script for portblock. It temporarily blocks TCP or UDP ports
       using iptables. In addition, it can allow faster TCP reconnects for
       clients on failover: the agent records established TCP connections in
       tickle_dir and, once the service address is up on the new node, sends
       each recorded client a bare TCP ACK that matches no connection there.
       The client's reply is answered with a RST, so the client notices the
       dead connection immediately instead of waiting out its own timeouts.
       Use this if there are long-lived TCP connections to an HA service. The
       feature is enabled by setting the tickle_dir parameter and only in
       concert with action set to unblock. Note that the tickle ACK function
       is new as of version 3.0.2 and has not yet seen widespread use.


SUPPORTED PARAMETERS

       protocol
           The protocol (tcp or udp) whose port is to be blocked/unblocked.

           (required, string, no default)

       portno
           The port number to be blocked/unblocked.

           (required, string, no default)

       action
           The action (block or unblock) to apply to protocol::portno. A
           resource with action=block is "started" while its DROP rule is in
           place; one with action=unblock is "started" while the rule is
           absent, so stopping an unblock resource re-installs the block.

       reset_local_on_unblock_stop
           If for some reason the long-lived server-side TCP sessions are not
           cleaned up by a reconfiguration/flush/stop of whatever services
           this portblock protects, they linger in the connection table even
           after the IP is gone and the services have been switched over to
           another node.

           An example would be the default NFS kernel server.

           These "known" connections may seriously confuse and delay a later
           switchback.

           Enabling this option makes the agent try to get rid of these
           connections by injecting a temporary iptables rule that answers
           outgoing packets from the blocked ports with a TCP reset, and
           additionally tickling them locally, just before it starts to DROP
           incoming packets on "unblock stop".

           (optional, boolean, default false)

       ip
           The IP address (or CIDR range) to be blocked/unblocked. The
           default matches any address; set it to the service's floating IP
           to confine the rule to that address.

           (optional, string, default "0.0.0.0/0")

       tickle_dir
           The shared or local directory (_must_ be an absolute path) in
           which the established TCP connections are recorded. Its contents
           drive the tickle ACKs sent after failover, so it should live on
           storage that only the cluster nodes can write to.

           (optional, string, no default)

       sync_script
           If tickle_dir is a local directory, the TCP connection state file
           has to be replicated to the other nodes in the cluster. The script
           can be csync2, some wrapper of rsync, or anything else that takes
           the file name as its single argument. For csync2, set it to
           "csync2 -xv". The agent's metadata declares no default, so with a
           local tickle_dir this must be set explicitly; with tickle_dir on
           shared storage it is not needed. The command runs with the agent's
           privileges, so point it at a fixed, root-owned executable.

           (optional, string, no default)

       direction
           Whether to block incoming or outgoing traffic. Can be "in", "out",
           or "both". With "in", the port is blocked as a destination port on
           the INPUT chain; with "out", as a source port on the OUTPUT chain;
           with "both", on both chains.

           (optional, string, default "in")

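       The following is an added dry-run helper, written for this page and
       not part of the resource-agents project, that prints the iptables
       rules implied by the parameters above (action, protocol, portno, ip,
       direction), the temporary TCP-reset rule behind
       reset_local_on_unblock_stop, and the block/unblock monitor semantics.
       The exact rule layout (-I/-D, -d/--dport for "in", -s/--sport for
       "out", REJECT --reject-with tcp-reset on OUTPUT) is an assumption
       about how the agent expresses what the text describes; compare it
       against "iptables -S" on a node where the resource is started. It
       only prints commands, so it runs unprivileged.

```shell
#!/bin/sh
# Added dry-run helper (not the agent's own code): print the iptables rules the
# documented portblock parameters imply. Rule layout is my assumption; the
# agent's actual rules may differ in detail. Single numeric port only.
#
# usage: portblock_rules ACTION PROTO PORT [IP] [DIRECTION]
#   ACTION    block | unblock | check   (check prints the -C form a monitor could use)
#   PROTO     tcp | udp
#   IP        defaults to 0.0.0.0/0, i.e. any address
#   DIRECTION in | out | both (default in)
portblock_rules() {
    action=$1 proto=$2 port=$3 ip=${4:-0.0.0.0/0} dir=${5:-in}
    case "$action" in
        block)   op=-I ;;   # insert at the head so DROP wins over later ACCEPTs
        unblock) op=-D ;;   # delete the identical rule
        check)   op=-C ;;   # exit 0 if the rule exists, 1 if not
        *) echo "portblock_rules: bad action '$action'" >&2; return 1 ;;
    esac
    case "$proto" in
        tcp|udp) ;;
        *) echo "portblock_rules: protocol must be tcp or udp" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "portblock_rules: bad port '$port'" >&2; return 1 ;;
    esac
    case "$dir" in
        in)   echo "iptables $op INPUT -p $proto -d $ip --dport $port -j DROP" ;;
        out)  echo "iptables $op OUTPUT -p $proto -s $ip --sport $port -j DROP" ;;
        both) portblock_rules "$action" "$proto" "$port" "$ip" in &&
              portblock_rules "$action" "$proto" "$port" "$ip" out ;;
        *) echo "portblock_rules: direction must be in, out or both" >&2; return 1 ;;
    esac
}

# reset_local_on_unblock_stop: a temporary OUTPUT rule that answers packets the
# local service still sends from the port with a TCP RST, so lingering
# server-side sessions die before the DROP rule goes in. TCP only; UDP has no
# connection to reset.
portblock_reset_rule() {
    proto=$1 port=$2
    [ "$proto" = tcp ] || { echo "portblock_reset_rule: tcp only" >&2; return 1; }
    echo "iptables -I OUTPUT -p tcp --sport $port -j REJECT --reject-with tcp-reset"
}

# Monitor semantics: for action=block the resource is "running" while the DROP
# rule is present; for action=unblock it is "running" while the rule is absent.
# Returns 0 when the observed rule state (yes|no, e.g. from "iptables -C")
# matches what the configured action expects.
portblock_state_ok() {
    action=$1 rule_present=$2
    case "$action:$rule_present" in
        block:yes|unblock:no) return 0 ;;
        *) return 1 ;;
    esac
}

# Example run: rules for blocking NFS (TCP 2049) in both directions on a VIP.
portblock_rules block tcp 2049 192.0.2.10 both
portblock_reset_rule tcp 2049
```

       Because block inserts at the head of the chain, an unblock that is
       stopped and started repeatedly must delete exactly the rule it
       inserted; the check form is what a monitor would use to confirm that
       state before acting.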

SUPPORTED ACTIONS

       This resource agent supports the following actions (operations):

       start
           Starts the resource. Suggested minimum timeout: 20s.

       stop
           Stops the resource. Suggested minimum timeout: 20s.

       status
           Performs a status check. Suggested minimum timeout: 10s. Suggested
           interval: 10s.

       monitor
           Performs a detailed status check. Suggested minimum timeout: 10s.
           Suggested interval: 10s.

       meta-data
           Retrieves resource agent metadata (internal use only). Suggested
           minimum timeout: 5s.

       validate-all
           Performs a validation of the resource configuration. Suggested
           minimum timeout: 5s.


EXAMPLE CRM SHELL

       The following is an example configuration for a portblock resource
       using the crm(8) shell, with illustrative values (block TCP port 2049
       on the INPUT chain):

           primitive p_portblock ocf:heartbeat:portblock \
             params \
               protocol=tcp \
               portno=2049 \
               action=block \
             op monitor depth="0" timeout="10s" interval="10s"


EXAMPLE PCS

       The following is an example configuration for a portblock resource
       using pcs(8), with the same illustrative values:

           pcs resource create p_portblock ocf:heartbeat:portblock \
             protocol=tcp \
             portno=2049 \
             action=block \
             op monitor OCF_CHECK_LEVEL="0" timeout="10s" interval="10s"

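       A single portblock resource is rarely useful on its own; the usual
       pattern is a block resource started before the floating IP and the
       service, and an unblock resource started after them, so that clients
       reaching the address early have their packets dropped (and retransmit)
       rather than refused, and so that stopping the unblock resource
       re-installs the DROP rule first when the node gives the service up.
       The following is an added example of that pattern as pcs(8) commands,
       written for this page and not taken from the resource-agents project.
       The resource names, the address 192.0.2.10, the NFS kernel server
       (ocf:heartbeat:nfsserver) as the protected service, and the paths are
       assumptions chosen for illustration. The script is a dry run that
       prints the commands unless PCS=pcs is exported on a cluster node.

```shell
#!/bin/sh
# Added example (not from resource-agents): block / address / service / unblock
# as pcs commands. Dry run by default; export PCS=pcs on a real node to apply.
PCS=${PCS:-"echo pcs"}

portblock_nfs_plan() {
    # 1. Drop incoming NFS traffic before the address appears, so clients that
    #    reach the VIP before nfsd listens retransmit instead of getting a RST.
    $PCS resource create p_nfs_block ocf:heartbeat:portblock \
        protocol=tcp portno=2049 action=block \
        op monitor interval=10s timeout=10s

    # 2. The floating service address (assumed: 192.0.2.10/24).
    $PCS resource create p_nfs_vip ocf:heartbeat:IPaddr2 \
        ip=192.0.2.10 cidr_netmask=24 \
        op monitor interval=10s timeout=20s

    # 3. The NFS kernel server, the page's own example of a service whose
    #    server-side TCP sessions linger after failover. nfs_shared_infodir is
    #    assumed to be on shared storage.
    $PCS resource create p_nfs ocf:heartbeat:nfsserver \
        nfs_shared_infodir=/srv/nfs/info \
        op monitor interval=10s timeout=20s

    # 4. Unblock once the service is up. tickle_dir under the shared info
    #    directory enables the faster-reconnect feature without a sync_script;
    #    reset_local_on_unblock_stop kills lingering sessions when this node
    #    stops the unblock resource (which re-installs the DROP rule).
    $PCS resource create p_nfs_unblock ocf:heartbeat:portblock \
        protocol=tcp portno=2049 action=unblock \
        tickle_dir=/srv/nfs/info/tickle \
        reset_local_on_unblock_stop=true \
        op monitor interval=10s timeout=10s

    # A group starts members in order and stops them in reverse: on stop the
    # unblock goes first (RST + local tickle, then DROP), then the service,
    # then the address, and finally the block resource removes its DROP rule.
    $PCS resource group add g_nfs p_nfs_block p_nfs_vip p_nfs p_nfs_unblock
}

portblock_nfs_plan
```

       If tickle_dir were a node-local directory instead, the unblock
       resource would also need sync_script so that every node holds the
       connection list before it can take the service over.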

SEE ALSO

       http://clusterlabs.org/


AUTHOR

       ClusterLabs contributors (see the resource agent source for information
       about individual authors)



resource-agents UNKNOWN           10/11/2023           OCF_HEARTBEAT_PORTBL(7)