Hi Christoph, here is my script to sync via rsync. Please note I split pf.conf into 3 files because each router has local specificities (some macros).

/etc/pf.conf: not synced
/etc/pf.sync.conf: filter rules
/etc/pf-nat.sync.conf: nat rules

=====================
#! /bin/sh

# Filter rules check
# VARS
# Holds the sha256 of the last ruleset that was loaded successfully
SYNCTRACE_FILE="/tmp/pf.sync.trace"

# CODE
# Pull the shared filter rules from the other router
/usr/local/bin/rsync -Hauro minir...@odyssee.institutoptique.fr:/etc/pf.sync.conf /etc/
SYNCTRACE=$(/bin/sha256 < /etc/pf.sync.conf)
OLDTRACE=""

if [ -f "$SYNCTRACE_FILE" ]; then
    OLDTRACE=$(/bin/cat "$SYNCTRACE_FILE")
fi

if [ "$SYNCTRACE" != "$OLDTRACE" ]; then
    echo "/etc/pf.sync.conf modified"
    # Parse the full configuration without loading it; reload only if it is valid
    if /sbin/pfctl -nf /etc/pf.conf; then
        /sbin/pfctl -f /etc/pf.conf
        echo "PF Reloaded"
        echo "$SYNCTRACE" > "$SYNCTRACE_FILE"
    fi
else
    echo "No PF modification"
fi

# NAT check
# VARS
SYNCTRACE_FILE="/tmp/pf-nat.sync.trace"

# CODE
# Pull the shared NAT rules from the other router
/usr/local/bin/rsync -Hauro th...@secondrouter2.lan:/etc/pf-nat.sync.conf /etc/
SYNCTRACE=$(/bin/sha256 < /etc/pf-nat.sync.conf)
OLDTRACE=""

if [ -f "$SYNCTRACE_FILE" ]; then
    OLDTRACE=$(/bin/cat "$SYNCTRACE_FILE")
fi

if [ "$SYNCTRACE" != "$OLDTRACE" ]; then
    echo "/etc/pf-nat.sync.conf modified"
    # Same validate-then-reload step as for the filter rules
    if /sbin/pfctl -nf /etc/pf.conf; then
        /sbin/pfctl -f /etc/pf.conf
        echo "PF Reloaded"
        echo "$SYNCTRACE" > "$SYNCTRACE_FILE"
    fi
else
    echo "No PF modification"
fi
=======================

--
Best regards, Loïc BLOT, Engineering
UNIX Systems, Security and Network Engineer
http://www.unix-experience.fr

On Monday 28 July 2014 at 13:50 +0200, Peus, Christoph wrote:
> Hi all,
>
> is there a standard or recommended way to keep the pf.conf on the CARP cluster
> members in sync?
>
> Thanks!
>
> Regards
> Christoph
>
> --
> Christoph Peus
> Universität Witten/Herdecke
> Information Technology Division
> Tel: +49 2302 926-212
> Fax: +49 2302 926-44857
> mailto:christoph.p...@uni-wh.de
>
> Private Universität Witten/Herdecke gGmbH
> Alfred-Herrhausen-Straße 50
> D - 58448 Witten
>
> Homepage: http://www.uni-wh.de
> Twitter: http://twitter.com/UniWH
> Facebook: http://www.facebook.com/UniWH
>
> Management: Prof. Dr. Martin Butzlaff (President), Dipl. oec. Jan Peter
> Nonnenkamp (Chancellor)
>
> Registered office: Witten
> Commercial register of the Bochum District Court, No. HRB 8671
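
Added example, not part of the original message or the poster's script: the same fetch, hash-compare, validate and reload flow written once as a function, with the new file staged before it replaces the live one and the previous copy restored if validation rejects it. The function name, return codes, the overridable FETCH/CHECK/RELOAD/HASH variables, the state directory and the host names in the usage comment are all assumptions.

```shell
#!/bin/sh
# Added example, not the original poster's script. Every default below is an
# assumption; override FETCH, CHECK, RELOAD, HASH and STATE_DIR as needed.
: "${FETCH:=/usr/local/bin/rsync -a}"        # copies SOURCE to a local path
: "${CHECK:=/sbin/pfctl -nf /etc/pf.conf}"   # parse only, loads nothing
: "${RELOAD:=/sbin/pfctl -f /etc/pf.conf}"
: "${HASH:=/bin/sha256}"                     # reads stdin, prints a digest
: "${STATE_DIR:=/var/db/pf-sync}"            # hypothetical root-only dir, not /tmp

# sync_ruleset SOURCE DEST
# Returns 0 = unchanged, 10 = reloaded, 1 = fetch or I/O error,
#         2 = new rules rejected, previous file restored.
sync_ruleset() {
    src=$1; dest=$2
    trace="$STATE_DIR/$(basename "$dest").trace"
    mkdir -p "$STATE_DIR" || return 1
    # Stage next to DEST so the final mv is an atomic rename.
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    if ! $FETCH "$src" "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    new=$($HASH < "$tmp")
    old=""
    if [ -f "$trace" ]; then old=$(cat "$trace"); fi
    if [ "$new" = "$old" ]; then
        rm -f "$tmp"; return 0
    fi
    # Keep the last known-good copy, then move the candidate into place:
    # pf.conf is assumed to include DEST by path, so CHECK has to see it there.
    rm -f "$dest.prev"
    if [ -f "$dest" ] && ! cp -p "$dest" "$dest.prev"; then
        rm -f "$tmp"; return 1
    fi
    mv "$tmp" "$dest" || return 1
    if ! $CHECK; then
        # Never leave a ruleset on disk that would fail to load at boot.
        if [ -f "$dest.prev" ]; then mv "$dest.prev" "$dest"; else rm -f "$dest"; fi
        return 2
    fi
    $RELOAD || return 1
    printf '%s\n' "$new" > "$trace"
    return 10
}

# Usage (placeholder host names):
#   sync_ruleset user@master.example:/etc/pf.sync.conf     /etc/pf.sync.conf
#   sync_ruleset user@master.example:/etc/pf-nat.sync.conf /etc/pf-nat.sync.conf
```

A failed fetch or a rejected ruleset leaves the trace file untouched, so the next run retries instead of recording a ruleset that was never loaded.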