HP-UX IPFilter Version 17 Administrator's Guide
15.1.3.3.7 Consolidated Log (clog)
If you are using the consolidated log package, clog, add the following rules for the configured
clog TCP port number:
pass in quick proto tcp from smh_mgmt to cluster_nodes port = clog_tcp keep state
pass out quick proto tcp from cluster_nodes to smh_mgmt keep state
In the previous set of rules, cluster_nodes are all nodes in the cluster, smh_mgmt is the address
of the SMH Management Station, and clog_tcp is the TCP port configured for the clog package.
15.1.4 DCA Remote Failover
Normally, IPFilter keep state rules are configured with the flags S parameter. This parameter
instructs IPFilter to create a TCP state entry only when a SYN packet is parsed.
To enable transparent failover between IPFilter DCA nodes, do not use flags S with keep
limit rules. If incoming TCP/IP traffic is switched from the active to the standby node, DCA
can rebuild the previous IPFilter state table and IPFilter DCA limit tables from the data stream.
Without flags S in the keep limit rule, IPFilter creates a new state entry from any TCP/IP
packet, not just a SYN packet. A limit table entry is created. Any new connections that exceed
the connection limit are rejected.
After the state table entry is created for a particular IP address source/destination and TCP port
source/destination 4-tuple, further packets of this connection are processed in the state table
entry. These packets are not processed by the rules’ table.
For example, when Serviceguard detects that the primary IPFilter DCA gateway has failed, the
IP addresses of the primary systems are switched to the standby DCA system. The standby
system contains the same set of configured rules as the primary system. Therefore, the standby
system can completely rebuild the TCP state tables and limit entries that were previously on the
primary system.
If a client has an active connection to an IPFilter system and is attempting to make new connections
when Serviceguard fails over, the new connections replace the existing connections in the limit
table entry for the client only if the established connections are not generating traffic.
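The following is an added illustration, not part of the guide or of IPFilter itself: a small Python model of a keep state / keep limit rule with and without flags S, fed the mid-connection data stream a standby DCA node would see after the IP addresses switch over. The node model, the constructed addresses and ports, and the per-source limit of 2 are assumptions chosen to show the behaviour the text describes; the replacement rule for idle connections in the last paragraph is not modelled.

```python
# Constructed model of IPFilter "keep state" / "keep limit" handling on a
# standby DCA node after failover. Not IPFilter code; behaviour simplified.
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False

@dataclass
class Node:
    require_syn: bool                      # True models "flags S keep state"
    limit: int                             # per-source limit ("keep limit")
    state: set = field(default_factory=set)      # 4-tuples with a state entry
    limits: dict = field(default_factory=dict)   # connections per source

    def process(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.state:
            return "state"   # matched in the state table; rules table skipped
        if self.require_syn and not pkt.syn:
            return "drop"    # no state and not a SYN: rule creates no entry
        if self.limits.get(pkt.src, 0) >= self.limit:
            return "reject"  # a new connection exceeding the limit is rejected
        self.state.add(key)                       # state rebuilt from this packet
        self.limits[pkt.src] = self.limits.get(pkt.src, 0) + 1
        return "new"

def failover(stream, require_syn, limit=2):
    """Feed the stream to a fresh standby node (empty state and limit tables)."""
    standby = Node(require_syn=require_syn, limit=limit)
    return [standby.process(p) for p in stream]

# Constructed stream seen by the standby: two established flows from one client
# carry data (no SYN), then the same client opens a third connection.
STREAM = [
    Packet("10.0.0.5", 40001, "10.0.1.10", 443),
    Packet("10.0.0.5", 40002, "10.0.1.10", 443),
    Packet("10.0.0.5", 40001, "10.0.1.10", 443),
    Packet("10.0.0.5", 40003, "10.0.1.10", 443, syn=True),
]

if __name__ == "__main__":
    print("flags S:   ", failover(STREAM, require_syn=True))
    print("no flags S:", failover(STREAM, require_syn=False))
```

With flags S the standby drops every packet of the established flows because no SYN is ever seen again; without it, the first packet of each flow rebuilds the state and limit entries, and the third connection is rejected by the limit.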
126 HP-UX IPFilter and Serviceguard