'\" t
.\"     Title: ocf_heartbeat_portblock
.\"    Author: ClusterLabs contributors (see the resource agent source for information about individual authors)
.\" Generator: DocBook XSL Stylesheets v1.79.1
.\"      Date: 12/17/2020
.\"    Manual: OCF resource agents
.\"    Source: resource-agents UNKNOWN
.\"  Language: English
.\"
.TH "OCF_HEARTBEAT_PORTBL" "7" "12/17/2020" "resource-agents UNKNOWN" "OCF resource agents"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
ocf_heartbeat_portblock \- Blocks and unblocks access to TCP and UDP ports
.SH "SYNOPSIS"
.HP \w'\fBportblock\fR\ 'u
\fBportblock\fR [start | stop | status | monitor | meta\-data | validate\-all]
.SH "DESCRIPTION"
.PP
Resource script for portblock\&. It is used to temporarily block ports using iptables\&. In addition, it may allow for faster TCP reconnects for clients on failover\&. Use this if there are long\-lived TCP connections to an HA service\&. This feature is enabled by setting the tickle_dir parameter, and only in concert with action set to unblock\&. Note that the tickle ACK function is new as of version 3\&.0\&.2 and hasn\*(Aqt yet seen widespread use\&.
.SH "SUPPORTED PARAMETERS"
.PP
\fBprotocol\fR
.RS 4
The protocol to be blocked/unblocked\&.
.sp
(required, string, no default)
.RE
.PP
\fBportno\fR
.RS 4
The port number to be blocked/unblocked\&.
.sp
(required, string, no default)
.RE
.PP
\fBaction\fR
.RS 4
The action (block/unblock) to be done on the protocol::portno\&.
.sp
(required, string, no default)
.RE
.PP
\fBreset_local_on_unblock_stop\fR
.RS 4
If for some reason the long\-lived server\-side TCP sessions won\*(Aqt be cleaned up by a reconfiguration/flush/stop of whatever services this portblock protects, they would linger in the connection table, even after the IP is gone and services have been switched over to another node\&.
.sp
An example would be the default NFS kernel server\&.
.sp
These "known" connections may seriously confuse and delay a later switchback\&.
.sp
Enabling this option will cause this agent to try to get rid of these connections by injecting a temporary iptables rule to TCP\-reset outgoing packets from the blocked ports, and additionally tickle them locally, just before it starts to DROP incoming packets on "unblock stop"\&.
.sp
(optional, boolean, default false)
.RE
.PP
\fBip\fR
.RS 4
The IP address to be blocked/unblocked\&.
.sp
(optional, string, default "0\&.0\&.0\&.0/0")
.RE
.PP
\fBtickle_dir\fR
.RS 4
The shared or local directory (_must_ be an absolute path) which stores the established TCP connections\&.
.sp
(optional, string, no default)
.RE
.PP
\fBsync_script\fR
.RS 4
If the tickle_dir is a local directory, then the TCP connection state file has to be replicated to the other nodes in the cluster\&. It can be csync2 (default), some wrapper around rsync, or whatever\&. It takes the file name as a single argument\&. For csync2, set it to "csync2 \-xv"\&.
.sp
(optional, string, no default)
.RE
.SH "SUPPORTED ACTIONS"
.PP
This resource agent supports the following actions (operations):
.PP
\fBstart\fR
.RS 4
Starts the resource\&. Suggested minimum timeout: 20s\&.
.RE
.PP
\fBstop\fR
.RS 4
Stops the resource\&. Suggested minimum timeout: 20s\&.
.RE
.PP
\fBstatus\fR
.RS 4
Performs a status check\&. Suggested minimum timeout: 10s\&. Suggested interval: 10s\&.
.RE
.PP
\fBmonitor\fR
.RS 4
Performs a detailed status check\&. Suggested minimum timeout: 10s\&. Suggested interval: 10s\&.
.RE
.PP
\fBmeta\-data\fR
.RS 4
Retrieves resource agent metadata (internal use only)\&. Suggested minimum timeout: 5s\&.
.RE
.PP
\fBvalidate\-all\fR
.RS 4
Performs a validation of the resource configuration\&. Suggested minimum timeout: 5s\&.
.RE
.SH "EXAMPLE CRM SHELL"
.PP
The following is an example configuration for a portblock resource using the \fBcrm\fR(8) shell:
.sp
.if n \{\
.RS 4
.\}
.nf
primitive p_portblock ocf:heartbeat:portblock \e
  params \e
    protocol=\fIstring\fR \e
    portno=\fIstring\fR \e
    action=\fIstring\fR \e
  op monitor depth="0" timeout="10s" interval="10s"
.fi
.if n \{\
.RE
.\}
.SH "EXAMPLE PCS"
.PP
The following is an example configuration for a portblock resource using \fBpcs\fR(8):
.sp
.if n \{\
.RS 4
.\}
.nf
pcs resource create p_portblock ocf:heartbeat:portblock \e
  protocol=\fIstring\fR \e
  portno=\fIstring\fR \e
  action=\fIstring\fR \e
  op monitor OCF_CHECK_LEVEL="0" timeout="10s" interval="10s"
.fi
.if n \{\
.RE
.\}
.SH "SEE ALSO"
.PP
\m[blue]\fB\%http://clusterlabs.org/\fR\m[]
.SH "AUTHOR"
.PP
\fBClusterLabs contributors (see the resource agent source for information about individual authors)\fR
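.PP
The following added shell example (not the agent's own code, and not part of this manual page) shows how the parameter constraints described above can be checked the way a validate\-all action would, and prints the iptables DROP rule those parameters imply for a "block" start. The accepted port syntax, the tickle_dir/action coupling and the exact rule form are assumptions drawn from the parameter descriptions, not the agent's real checks; exit codes follow the OCF convention (0 = OCF_SUCCESS, 6 = OCF_ERR_CONFIGURED).

```shell
#!/bin/sh
# Added example, not the portblock agent's own code. Checks portblock-style
# parameters against the constraints documented in the man page and builds
# the DROP rule text; nothing here touches the running firewall.

OCF_SUCCESS=0
OCF_ERR_CONFIGURED=6

# portblock_validate PROTOCOL PORTNO ACTION [TICKLE_DIR]
portblock_validate() {
    proto=$1 portno=$2 action=$3 tickle_dir=$4
    # NAME section: the agent handles TCP and UDP ports
    case "$proto" in
        tcp|udp) ;;
        *) echo "protocol must be tcp or udp, got '$proto'" >&2; return $OCF_ERR_CONFIGURED ;;
    esac
    # Assumption: a single port, a comma list ("80,443") or a range ("8000:8010")
    case "$portno" in
        ''|*[!0-9:,]*) echo "portno must be numeric, got '$portno'" >&2; return $OCF_ERR_CONFIGURED ;;
    esac
    case "$action" in
        block|unblock) ;;
        *) echo "action must be block or unblock, got '$action'" >&2; return $OCF_ERR_CONFIGURED ;;
    esac
    # tickle_dir is optional, must be an absolute path, and per the DESCRIPTION
    # the tickle feature only works in concert with action=unblock
    if [ -n "$tickle_dir" ]; then
        case "$tickle_dir" in
            /*) ;;
            *) echo "tickle_dir must be an absolute path, got '$tickle_dir'" >&2; return $OCF_ERR_CONFIGURED ;;
        esac
        if [ "$action" != unblock ]; then
            echo "tickle_dir is only meaningful with action=unblock" >&2
            return $OCF_ERR_CONFIGURED
        fi
    fi
    return $OCF_SUCCESS
}

# portblock_rule PROTOCOL PORTNO [IP]: print (do not run) the iptables rule a
# "block" start would insert: DROP incoming packets to the ports on the IP,
# defaulting the IP to 0.0.0.0/0 as the ip parameter does.
portblock_rule() {
    proto=$1 portno=$2 ip=${3:-0.0.0.0/0}
    printf 'iptables -I INPUT -p %s -d %s -m multiport --dports %s -j DROP\n' \
        "$proto" "$ip" "$portno"
}
```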