atr — format of atr component configuration
General syntax rules of Kernun Firewall configuration files are described in configuration(7). This man page describes types, sections and items specific for the atr component configuration.
Repeatable sections/items are marked by the '*' before the section/item name.
Configuration directives have attributes of several value-types. For the basic types description, see configuration(7).
Enumeration is a list of words (names) representing integer values. Some enumerations accept both names and direct integer values; in this case, the enumeration description contains the value for every name (in parentheses next to the name). For other enumerations, the names must be used.
The following enumerations are used in atr configuration directives:
yes-no (see common(5))
direction (see common(5))
ip-version (see common(5))
osi4-proto (see common(5))
time-cond (see common(5))
zip-mode (see common(5))
obligation (see common(5))
dbglev (see log(5))
logfail-mode (see log(5))
week-day (see time(5))
month (see time(5))
auth-method (see auth(5))
source-address-mode (see source-address(5))
transparency (see acl(5))
user-auth-spec (see acl(5))
doctype-ident-method (see acl(5))
listen-on-sock (see listen-on(5))
atr-strategy (name-usage obligatory): Strategy for address selection.
all: All available addresses are added to the response.
first: The first available address is sent in the response.
highest: The available address with the highest ratio is sent in the response.
cyclic: Available addresses are alternated in a circle (round-robin).
random: Available addresses are alternated randomly, weighted by ratio.
atr-fallback (name-usage obligatory): Fallback mode when no address is available.
no-data: A response with NoError code and an empty ANSWER section is returned.
first: The first address of the requested type is chosen regardless of its state.
Configuration of the atr library component consists of the following prototypes:
* atrmon name { ... }
atrmon name {
phase ... ;
* tag ... ;
log-debug { ... }
log-stats { ... }
use-resolver ... ;
cfg-resolution ... ;
monitoring { ... }
nodaemon ... ;
singleproc ... ;
app-user ... ;
run-block-sigalrm ... ;
listen-on { ... }
client-conn { ... }
* session-acl name { ... }
* request-acl name { ... }
}
Adaptive Transport Routing Monitor configuration.
The atrmon section is derived from the proxy section prototype. For a detailed description of it, see application(5).
atrmon section:
Section stats-daily is not valid.
Section stats-weekly is not valid.
Section stats-monthly is not valid.
Item idle-timeout is not valid.
Section tcpserver is not valid.
Section udpserver is not valid.
Item source-address is not valid.
Section doctype-identification is not valid.
At least one SESSION-ACL must be specified (proxy must be named in some SYSTEM.ACL.SERVICES).
At least one REQUEST-ACL must be specified.
monitoring (see monitoring(5)):
Item user is not valid.
Item aproxy-user is not valid.
Item data used as query.
listen-on.non-transparent (see listen-on(5)): Element port is optional, default: 53.
listen-on.transparent (see listen-on(5)): Element port is optional, default: 53.
client-conn {
conn-timeout ... ;
recv-timeout ... ;
recv-bufsize ... ;
send-timeout ... ;
close-timeout ... ;
send-bufsize ... ;
log-limit ... ;
}
Client connection options.
The client-conn section is derived from the sock-opt section prototype. For a detailed description of it, see netio(5).
recv-bufsize (see netio(5)): Element bytes is optional, default: 512.
Input buffer size must be at least 512 B.
send-timeout (see netio(5)): Element seconds is optional, default: 60.
send-bufsize (see netio(5)): Output buffer size must be at least 512 B.
session-acl name {
* from ... ;
* to ... ;
* time ... ;
time-period-set { ... }
deny ... ;
accept ... ;
* doctype-ident-order ... ;
rule ... ;
idle-timeout-peer ... ;
source-address ... ;
neg-resp-ttl ... ;
}
The first level ACL decides only between acceptance and denial of the incoming datagram/connection.
The session-acl section is derived from the acl-1 section prototype. For a detailed description of it, see acl(5).
session-acl section:
Item user is not valid.
Item auth is not valid.
Item idle-timeout is not valid.
Item plug-to is not valid.
neg-resp-ttl [seconds];
TTL for negative responses.
If the ATR monitor sends an NXDomain response code for a name from a known domain, it can include a SOA record in the AUTHORITY section. This record causes clients (nameservers) to cache the negative answer for the time given as the TTL of the SOA RR. This item defines that value.
Setting the TTL to zero switches this feature off. Use this with care because it can make the DNS service inefficient (negative answers are then not cached by clients).
seconds (type: uint32, optional, default: 60)
[End of section atrmon.session-acl description.]
request-acl name {
* from ... ;
* time ... ;
time-period-set { ... }
* session-acl ... ;
deny ... ;
accept ... ;
* doctype-ident-order ... ;
rule ... ;
client-altq ... ;
name ... ;
* nameserver ... ;
* address name { ... }
strategy ... ;
fallback ... ;
neg-resp-ttl ... ;
}
The second level ACL decides how to handle a particular DNS query/notify request.
The request-acl section is derived from the acl-2 section prototype. For a detailed description of it, see acl(5).
request-acl section:
Item server is not valid.
Item user is not valid.
Item parent-acl used as session-acl.
NAME must be specified.
At least one ADDRESS or NAMESERVER must be specified.
ADDRESS and NAMESERVER are mutually exclusive.
client-altq altq [paltq paltq];
ALTQ queues for data sent to the client.
altq (type: name of pf-queue, see pf-queue(5)): queue name
paltq paltq (type: name of pf-queue, see pf-queue(5), optional, default: NULL): priority queue name (if set, used for TCP ACK segments without data)
name name;
Entry condition - query domain name.
name (type: str)
nameserver ttl host;
NS RR data.
ttl (type: uint32): Time-to-live value of the DNS RR.
host (type: str)
address name {
data ... ;
ratio ... ;
* ping-group name { ... }
down-timeout ... ;
up-timeout ... ;
}
Single address for resolution and availability check.
Host DATA must be specified.
data ttl addr;
Data for the particular answer.
ttl (type: uint32): Time-to-live value of the DNS RR.
addr (type: host): IPv4/IPv6 address of the A/AAAA DNS RR.
ratio [prty];
Priority (relative frequency) of this address in responses.
prty (type: uint8, optional, default: 100)
ping-group name {
timeout ... ;
* host ... ;
}
Group of hosts being pinged.
Every defined group within an ADDRESS section must be alive for this address to be added to DNS responses.
The ping-group section is derived from the ping-group section prototype. For a detailed description of it, see ping(5).
down-timeout [sec];
Cluster down timeout.
At least one tested IP group must be inaccessible for this time in order to switch the cluster interfaces "down".
sec (type: uint32, optional, default: 0): Timeout in seconds; zero means immediate action.
up-timeout [sec];
Cluster up timeout.
All tested IP groups must be accessible for this time in order to switch the cluster interfaces "up".
sec (type: uint32, optional, default: 0): Timeout in seconds; zero means immediate action.
[End of section atrmon.request-acl.address description.]
strategy [mode];
Address selection strategy.
mode (type: atr-strategy, optional, default: all)
fallback [mode];
Response policy when no address is alive.
mode (type: atr-fallback, optional, default: no-data)
neg-resp-ttl [seconds];
TTL for negative responses.
If the ATR monitor sends a negative QUERY response (NoError response code with no answer records, or NXDomain response code), it can include a SOA record in the AUTHORITY section. This record causes clients (nameservers) to cache the negative answer for the time given as the TTL of the SOA RR. This item defines that value.
Setting the TTL to zero switches this feature off. Use this with care because it can make the DNS service inefficient (negative answers are then not cached by clients).
seconds (type: uint32, optional, default: 60)
[End of section atrmon.request-acl description.]
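The way the STRATEGY and FALLBACK items combine with per-ADDRESS availability (every ping-group alive) and the atr-strategy/atr-fallback enumerations listed at the top of this page, shown as an added Python model that is not Kernun code: it assumes a constructed in-memory form of the ADDRESS sections (addr, ttl, ratio, one liveness flag per ping-group) and a simple counter for cyclic rotation; down-timeout/up-timeout hysteresis is not modelled.

```python
import ipaddress
import random
from dataclasses import dataclass, field

@dataclass
class Address:
    """Constructed model of one request-acl ADDRESS section (not Kernun code)."""
    addr: str                 # "data" item: IPv4/IPv6 address of the A/AAAA RR
    ttl: int                  # "data" item: TTL of the RR
    ratio: int = 100          # "ratio" item: relative frequency, default 100
    groups: list = field(default_factory=list)  # liveness of each ping-group

    def available(self) -> bool:
        # Every defined ping-group must be alive; no groups = always available (assumption).
        return all(self.groups)

    def rrtype(self) -> str:
        return "A" if ipaddress.ip_address(self.addr).version == 4 else "AAAA"

class AtrSelector:
    """Applies the "strategy" and "fallback" items of a request-acl to a query."""
    def __init__(self, addresses, strategy="all", fallback="no-data", seed=None):
        self.addresses = addresses
        self.strategy = strategy
        self.fallback = fallback
        self.rng = random.Random(seed)   # seedable so "random" is reproducible
        self._pos = 0                    # position for the cyclic strategy (assumed counter)

    def answer(self, qtype: str) -> list:
        """Return [(addr, ttl), ...] for the ANSWER section of an A or AAAA query."""
        typed = [a for a in self.addresses if a.rrtype() == qtype]
        alive = [a for a in typed if a.available()]
        if not alive:
            # "no-data" -> NoError with empty ANSWER; "first" -> first address despite state
            chosen = typed[:1] if self.fallback == "first" else []
        elif self.strategy == "all":
            chosen = alive
        elif self.strategy == "first":
            chosen = alive[:1]
        elif self.strategy == "highest":
            chosen = [max(alive, key=lambda a: a.ratio)]
        elif self.strategy == "cyclic":
            chosen = [alive[self._pos % len(alive)]]
            self._pos += 1
        elif self.strategy == "random":
            chosen = self.rng.choices(alive, weights=[a.ratio for a in alive], k=1)
        else:
            raise ValueError(f"unknown atr-strategy: {self.strategy}")
        return [(a.addr, a.ttl) for a in chosen]
```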
[End of section atrmon description.]