Name

pike — format of pike component configuration

DESCRIPTION

General syntax rules of Kernun Firewall configuration files are described in configuration(7). This man page describes the types, sections and items specific to the pike component configuration.

Repeatable sections/items are marked by the '*' before section/item name.

TYPES

Configuration directives have attributes of several value-types. For a description of the basic types, see configuration(7).

An enumeration is a list of words (names) representing integer values. Some enumerations accept both names and direct integer values; in that case the enumeration description lists the value of every name (in parentheses next to the name). For other enumerations, the names must be used.

The following enumerations are used in pike configuration directives:

yes-no (see common(5))

ip-version (see common(5))

osi4-proto (see common(5))

time-cond (see common(5))

zip-mode (see common(5))

dbglev (see log(5))

logfail-mode (see log(5))

listen-on-sock (see listen-on(5))

proc-priority (see application(5))

pike-control-type (name-usage obligatory)

tag, cmd

ITEMS AND SECTIONS

Configuration of the pike library component consists of the following prototypes:

  pikemon { ... }

Description:

pikemon {


  phase ... ;
* tag ... ;
  log-debug { ... }
  log-stats { ... }
  use-resolver ... ;
  cfg-resolution ... ;
  monitoring { ... }
  stats-daily { ... }
  stats-weekly { ... }
  stats-monthly { ... }
  nodaemon ... ;
  singleproc ... ;
  app-user ... ;
  idle-timeout ... ;
  run-block-sigalrm ... ;
  listen-on { ... }
  udpserver { ... }
  priority ... ;
  status-file ... ;
  hmac ... ;
  devd-socket ... ;
  garp-keepalive ... ;
* virtual-cluster name { ... }
}


PIKE Monitoring Daemon configuration.

The pikemon section is derived from the alone-application section prototype. For a detailed description, see application(5).

Changes to the pikemon section:

At least one VIRTUAL-CLUSTER must be defined.

The hmac item must be configured.

Added items & subsections:

listen-on {


* socket ... ;
}


The listen-on section is derived from the listen-on section prototype. For a detailed description, see listen-on(5).

Changes to the listen-on section:

Item non-transparent is used as socket.

Item transparent is not valid.

Exactly one address to listen on must be specified.

Item socket (see listen-on(5))

Element proto is optional, default: tcp.

udpserver {


  max-sessions ... ;
}


The udpserver section is derived from the udpserver section prototype. For a detailed description, see udpserver(5).

priority normal;

priority [realtime] [realtime];

Process priority setting.

<branching element> (type: proc-priority, optional, default: realtime)

realtime (type: uint8, optional, default: 16)

Realtime priority (parameter of the rtprio() call).

Accepted values are 0 to 31; 0 is the highest priority.

Constraints:

Priority value must be between 0 and 31.

status-file [name];

File with current cluster status.

name (type: str, optional, default: "/var/run/pikemon.status")

hmac [optional] shared-secret;

PIKE protocol verification by HMAC.

The purpose of the OPTIONAL flag is only to avoid problems when changing the shared secret. The first step is to set OPTIONAL on both systems, so that they temporarily omit HMAC checking. Then the shared secret can be changed without the risk of PIKE protocol packets being ignored on either system. When the new configuration has been propagated to both cluster members, the OPTIONAL flag should be cleared. Note that while OPTIONAL is set, packets with a missing or wrong HMAC are processed as well, so the flag should be set only for the duration of the change.

optional (type: key, optional)

Flag that disables HMAC checking.

shared-secret (type: str)

Shared secret for HMAC-SHA256.
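The following is an added example, not part of the Kernun documentation or of pikemon itself. It models the rotation procedure above with HMAC-SHA256: two cluster members each hold a secret and an OPTIONAL flag, and the example shows what a member does with its partner's packet and with a packet from a party without the secret at each stage of the change. The packet layout (payload followed by the tag), the HELLO payload and the secrets are constructed for illustration; the real PIKE wire format is not described on this page.

```python
"""Model of the hmac item and its OPTIONAL flag as described in pike(5).
Added example, not pikemon code: the real PIKE packet layout is not
documented here, so a packet is modelled as payload || HMAC-SHA256(payload).
"""
import hashlib
import hmac

TAG_LEN = 32                     # SHA-256 digest length
HELLO = b"PIKE HELLO vc=1 state=UP"   # constructed sample payload


class Member:
    """One cluster member: its current shared secret and OPTIONAL flag."""

    def __init__(self, secret: bytes, optional: bool = False):
        self.secret = secret
        self.optional = optional

    def send(self, payload: bytes) -> bytes:
        return payload + hmac.new(self.secret, payload, hashlib.sha256).digest()

    def accept(self, packet: bytes) -> bool:
        """True if the packet would be processed, False if it is ignored."""
        payload, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.secret, payload, hashlib.sha256).digest()
        if hmac.compare_digest(expected, tag):
            return True
        return self.optional     # OPTIONAL set: HMAC checking is omitted


def forged(payload: bytes) -> bytes:
    """Packet from a party that does not know the secret (wrong/absent tag)."""
    return payload + bytes(TAG_LEN)


def rotation_scenarios() -> dict:
    """(partner packet accepted, forged packet accepted) per rotation stage."""
    old, new = b"old-shared-secret", b"new-shared-secret"   # constructed

    def trial(receiver: Member, partner: Member):
        return (receiver.accept(partner.send(HELLO)),
                receiver.accept(forged(HELLO)))

    return {
        # both members strict with the same secret
        "steady": trial(Member(old), Member(old)),
        # one member rotated first without OPTIONAL: partner packets ignored
        "naive_rotation": trial(Member(new), Member(old)),
        # OPTIONAL set on both: partner accepted, but so is anything else
        "optional_window": trial(Member(new, True), Member(old, True)),
        # both rotated and OPTIONAL cleared again
        "after_rotation": trial(Member(new), Member(new)),
    }


if __name__ == "__main__":
    for stage, (partner_ok, forged_ok) in rotation_scenarios().items():
        print(f"{stage:16s} partner accepted={partner_ok}  forged accepted={forged_ok}")
```

The "naive_rotation" row is the failure the OPTIONAL flag exists to avoid: with mismatched secrets and strict checking, each member ignores the other's HELLO packets and may conclude that its partner is dead. The "optional_window" row is the cost: during that window a packet with any tag is accepted, which is why the flag should be cleared as soon as both members run the new secret.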

devd-socket [path];

Socket of devd(8).

path (type: str, optional, default: "/var/run/devd.pipe")

garp-keepalive [period];

Periodic sending of gratuitous ARP (GARP) by the master node.

period (type: uint32, optional, default: 60)

Setting to zero disables the feature.

virtual-cluster name {


  id ... ;
* interface ... ;
  hello-period ... ;
  hello-timeout ... ;
* ping-group name { ... }
* iface-monitor ... ;
  down-timeout ... ;
  up-timeout ... ;
  preemptive ... ;
  primary ... ;
* control ... ;
}


Single set of virtual addresses with redundancy monitoring.

Items & subsections:

id [id];

Virtual cluster ID.

id (type: uint8, optional, default: 0)

interface virt;

Interface belonging to the virtual cluster.

virt (type: name of interface, see interface(5))

Virtual interface name.

hello-period [sec];

Period of the PIKE HELLO subprotocol.

sec (type: uint8, optional, default: 1)

hello-timeout [sec];

Timeout of the PIKE HELLO subprotocol.

When a node does not receive any PIKE HELLO packet from the partner within this period, it assumes the partner to be dead.

When a node does not receive a PIKE HELLO packet with UP state from the partner within this period, it assumes the partner to be down.

This timeout should be longer than the longest ping-group timeout (see ping(5)); otherwise a partner that is merely waiting for a slow ping reply may be declared dead.

sec (type: uint8, optional, default: 10)

ping-group name {


  timeout ... ;
* host ... ;
}


Group of hosts being pinged.

Every group defined within a VIRTUAL-CLUSTER section must be alive to bring the monitored interfaces "up".

The ping-group section is derived from the ping-group section prototype. For a detailed description, see ping(5).

iface-monitor name;

Interface being monitored.

name (type: name of interface, see interface(5))

down-timeout [sec];

Cluster down timeout.

At least one tested IP group must be inaccessible for this time in order to switch the cluster interfaces "down".

sec (type: uint32, optional, default: 0)

Timeout in seconds; zero means immediate action.

up-timeout [sec];

Cluster up timeout.

All tested IP groups must be accessible for this time in order to switch the cluster interfaces "up".

sec (type: uint32, optional, default: 0)

Timeout in seconds; zero means immediate action.
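The following is an added example, not part of the Kernun documentation or of pikemon itself. It applies only the two rules stated above (all ping groups reachable for up-timeout seconds brings the interfaces "up"; any group unreachable for down-timeout seconds brings them "down"; zero acts immediately) to a constructed per-second timeline of ping-group results, so the damping effect of non-zero timeouts can be compared with the immediate setting. The initial "down" state, the one-second sampling grid and the group names are assumptions.

```python
"""Model of the down-timeout / up-timeout rules for a virtual cluster as
stated in pike(5). Added example, not pikemon code: it applies the two
documented rules to a constructed timeline; the initial "down" state and
the 1 s sampling grid are assumptions."""
from typing import Dict, List, Tuple


def interface_states(samples: List[Dict[str, bool]], down_timeout: int,
                     up_timeout: int) -> List[str]:
    """Return the monitored-interface state ("up"/"down") after each sample.

    samples[t][group] is True when ping-group `group` was reachable at second t.
    """
    state = "down"                          # assumed initial state
    good_since = bad_since = None           # second at which the current run began
    states = []
    for t, sample in enumerate(samples):
        if all(sample.values()):            # every group reachable
            bad_since = None
            good_since = t if good_since is None else good_since
            if state == "down" and t - good_since >= up_timeout:
                state = "up"
        else:                               # at least one group unreachable
            good_since = None
            bad_since = t if bad_since is None else bad_since
            if state == "up" and t - bad_since >= down_timeout:
                state = "down"
        states.append(state)
    return states


def sample_timeline() -> List[Dict[str, bool]]:
    """Constructed 31-second timeline for two ping groups: `gw` is
    unreachable for 2 s (t=6..7), `dns` for 8 s (t=13..20)."""
    return [{"gw": not (6 <= t <= 7), "dns": not (13 <= t <= 20)}
            for t in range(31)]


def transitions(states: List[str]) -> List[Tuple[int, str]]:
    """(second, state) for the first sample and every state change."""
    return [(t, s) for t, s in enumerate(states)
            if t == 0 or s != states[t - 1]]


if __name__ == "__main__":
    tl = sample_timeline()
    print("immediate (down 0 / up 0):", transitions(interface_states(tl, 0, 0)))
    print("damped    (down 3 / up 5):", transitions(interface_states(tl, 3, 5)))
```

With both timeouts zero the interfaces follow every blip of the timeline (down at t=6, up at t=8, down at t=13); with down-timeout 3 and up-timeout 5 the two-second `gw` outage is absorbed and the interfaces go down only at t=16, after `dns` has been unreachable for three seconds, and come back at t=26 after five seconds of all groups being reachable.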

preemptive [status];

Preemptive mode.

In this mode, the primary firewall takes the master role whenever it is ready.

status (type: yes-no, optional, default: yes)

primary [status];

Primary router flag.

In preemptive mode, the node marked as primary is the dedicated master: it takes the master role whenever it is ready.

status (type: yes-no, optional, default: no)

control [tag] tag;

control cmd up down;

Cluster control.

This item specifies which components depend on the master/backup state of a virtual cluster, or which commands are run when the state changes.

<branching element> (type: pike-control-type, optional, default: tag)

tag (type: str)

Control tag: components with this tag run only in the master state.

up (type: str)

Control command: executed when taking the master role.

down (type: str)

Control command: executed when taking the backup role.

[End of section pikemon.virtual-cluster description.]

[End of section pikemon description.]
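The following is an added example, not part of the Kernun documentation or of pikemon itself. It is a small parser for the brace-structured item/section syntax used on this page, plus a lint that checks a pikemon section against the constraints stated above: hmac configured, at least one virtual-cluster, exactly one listen-on socket, realtime priority within 0..31, the OPTIONAL flag not left set, and hello-timeout longer than every ping-group timeout. The two embedded configurations are constructed; the interface names, addresses and the argument forms of socket and host are assumptions (their syntax lives in interface(5), listen-on(5) and ping(5)), as are the double-quoted strings and '#' comments (configuration(7)).

```python
"""Parser and lint for a pikemon section, written against the item shapes in
pike(5). Added example, not Kernun code. Assumptions: items are
`name arg... ;`, sections are `name [arg] { ... }`, strings are double-quoted,
'#' starts a comment, and the ping-group `timeout` argument is in seconds."""
import re
from typing import List, Tuple

Node = Tuple[str, List[str], list]       # (name, args, children); items have []
TOKEN_RE = re.compile(r'\s+|#[^\n]*|"[^"]*"|[{};]|[^\s{};"#]+')


def tokenize(text: str) -> List[str]:
    return [t for t in TOKEN_RE.findall(text)
            if not t.isspace() and not t.startswith('#')]


def parse(tokens: List[str], pos: int = 0) -> Tuple[List[Node], int]:
    """Recursive-descent parse of a brace-structured config into a node list."""
    nodes: List[Node] = []
    while pos < len(tokens) and tokens[pos] != '}':
        words = []
        while tokens[pos] not in (';', '{'):
            words.append(tokens[pos])
            pos += 1
        if tokens[pos] == ';':                     # item
            nodes.append((words[0], words[1:], []))
            pos += 1
        else:                                      # section
            children, pos = parse(tokens, pos + 1)
            nodes.append((words[0], words[1:], children))
            pos += 1                               # skip the closing '}'
    return nodes, pos


def find(nodes: List[Node], name: str) -> List[Node]:
    return [n for n in nodes if n[0] == name]


def lint_pikemon(text: str) -> List[str]:
    """Return findings for the constraints stated in pike(5)."""
    tree, _ = parse(tokenize(text))
    sections = find(tree, 'pikemon')
    if len(sections) != 1:
        return ['exactly one pikemon section expected']
    body = sections[0][2]
    out: List[str] = []

    hm = find(body, 'hmac')
    if not hm:
        out.append('hmac: shared secret must be configured')
    elif hm[0][1] and hm[0][1][0] == 'optional':
        out.append('hmac: OPTIONAL set, HMAC checking disabled; clear it after rotation')

    for _, _, lo in find(body, 'listen-on'):
        if len(find(lo, 'socket')) != 1:
            out.append('listen-on: exactly one socket must be specified')

    for _, args, _ in find(body, 'priority'):
        if len(args) == 2 and args[0] == 'realtime' and not 0 <= int(args[1]) <= 31:
            out.append('priority: realtime value must be between 0 and 31')

    clusters = find(body, 'virtual-cluster')
    if not clusters:
        out.append('pikemon: at least one virtual-cluster must be defined')
    for _, args, vc in clusters:
        label = 'virtual-cluster ' + (args[0] if args else '?')
        ht = find(vc, 'hello-timeout')
        hello_timeout = int(ht[0][1][0]) if ht and ht[0][1] else 10   # documented default
        for _, pargs, pg in find(vc, 'ping-group'):
            to = find(pg, 'timeout')
            if to and to[0][1] and int(to[0][1][0]) >= hello_timeout:
                out.append(f'{label}: ping-group {pargs[0]} timeout is not shorter '
                           f'than hello-timeout {hello_timeout}')
    return out


# Constructed sample with three problems; names and argument forms are assumptions.
WEAK_CFG = '''
pikemon {
  listen-on { socket 192.0.2.10 port 2111; }
  priority realtime 40;
  hmac optional "s3cret";          # OPTIONAL left over from a rotation
  virtual-cluster fw {
    id 1;
    interface ext;
    hello-timeout 5;
    ping-group gw { timeout 10; host 192.0.2.1; }
  }
}
'''
# Same configuration with the three problems corrected.
GOOD_CFG = (WEAK_CFG.replace('realtime 40', 'realtime 16')
                    .replace('hmac optional', 'hmac')
                    .replace('hello-timeout 5', 'hello-timeout 15'))

if __name__ == '__main__':
    for name, cfg in (('WEAK_CFG', WEAK_CFG), ('GOOD_CFG', GOOD_CFG)):
        print(name, lint_pikemon(cfg) or ['no findings'])
```

Run against WEAK_CFG the lint reports the lingering OPTIONAL flag, the out-of-range realtime priority and the ping-group timeout that exceeds hello-timeout; GOOD_CFG produces no findings.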

SEE ALSO

configuration(7), application(5), common(5), interface(5), listen-on(5), log(5), ping(5), udpserver(5), devd(8)