Provided by: resource-agents-extra_4.15.1-2ubuntu3_amd64

NAME

       ocf_heartbeat_portblock - Blocks and unblocks access to TCP and UDP ports

SYNOPSIS

       portblock [start | stop | status | monitor | meta-data | validate-all]

DESCRIPTION

       Resource agent for portblock. It temporarily blocks ports using iptables. In addition,
       it can allow faster TCP reconnects for clients on failover; use that if there are
       long-lived TCP connections to an HA service. This feature is enabled by setting the
       tickle_dir parameter and only works in concert with action set to unblock. Note that
       the tickle ACK function is new as of version 3.0.2 and has not yet seen widespread use.

SUPPORTED PARAMETERS

       protocol
           The protocol (tcp or udp) to be blocked/unblocked.

           (required, string, no default)

       portno
           The port number to be blocked/unblocked.

           (required, string, no default)

       action
           The action (block or unblock) to be performed on protocol::portno.

           (required, string, no default)

       reset_local_on_unblock_stop
           If for some reason the long-lived server-side TCP sessions are not cleaned up by a
           reconfiguration/flush/stop of whatever services this portblock protects, they linger
           in the connection table even after the IP is gone and services have been switched
           over to another node.

           An example would be the default NFS kernel server.

           These "known" connections may seriously confuse and delay a later switchback.

           Enabling this option causes this agent to try to get rid of these connections by
           injecting a temporary iptables rule that TCP-resets outgoing packets from the blocked
           ports, and additionally tickles them locally, just before it starts to DROP incoming
           packets on "unblock stop".

           (optional, boolean, default false)

       ip
           The IP address to be blocked/unblocked.

           (optional, string, default "0.0.0.0/0")

       tickle_dir
           The shared or local directory (_must_ be an absolute path) in which the established
           TCP connections are recorded.

           (optional, string, no default)

       sync_script
           If tickle_dir is a local directory, the TCP connection state file has to be
           replicated to the other nodes in the cluster. This can be csync2 (default), some
           wrapper around rsync, or whatever; it takes the file name as its single argument.
           For csync2, set it to "csync2 -xv".

           (optional, string, no default)

       direction
           Whether to block incoming or outgoing traffic. Can be "in", "out", or "both". With
           "in", the ports are blocked on the INPUT chain; with "out", the ports are blocked on
           the OUTPUT chain; with "both", both the incoming and outgoing ports are blocked.

           (optional, string, default "in")
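
       The following shell function is an added illustration; it is not the agent's own code
       and not part of this man page. It prints the iptables commands that one portblock
       resource corresponds to for a given action (block/unblock) and OCF operation
       (start/stop), covering the direction and reset_local_on_unblock_stop parameters
       described above. How the agent realises these rules is an assumption here: that INPUT
       rules match the ip parameter as destination (-d) with --dport, that OUTPUT rules match
       it as source (-s) with --sport, and that the TCP reset is done with a REJECT
       --reject-with tcp-reset rule on OUTPUT. Nothing is executed; the output can be reviewed
       or piped to sh.

```shell
#!/bin/sh
# Added example, not the portblock agent's own code: print the iptables
# commands that one portblock resource corresponds to for a given OCF
# operation. Assumptions not stated in the man page: INPUT rules match the
# ip parameter as destination (-d) with --dport, OUTPUT rules match it as
# source (-s) with --sport, and reset_local_on_unblock_stop is realised as
# a REJECT --reject-with tcp-reset rule on OUTPUT. Nothing is executed.
#
# usage: portblock_rules ACTION OP PROTOCOL PORTNO [IP] [DIRECTION] [RESET]
#   ACTION    block | unblock            (the resource's action parameter)
#   OP        start | stop               (the OCF operation being run)
#   IP        defaults to 0.0.0.0/0, DIRECTION to in, RESET to false
portblock_rules() {
    action=$1 op=$2 proto=$3 port=$4
    ip=${5:-0.0.0.0/0} dir=${6:-in} reset=${7:-false}

    # "block start" and "unblock stop" install DROP rules (-I, at the top of
    # the chain so they win over any accept rule); the other two operations
    # remove the identical rule again (-D).
    case "$action/$op" in
        block/start|unblock/stop) ipt_op=-I ;;
        block/stop|unblock/start) ipt_op=-D ;;
        *) echo "portblock_rules: unsupported $action/$op" >&2; return 2 ;;
    esac
    case "$proto" in
        tcp|udp) ;;
        *) echo "portblock_rules: protocol must be tcp or udp" >&2; return 2 ;;
    esac
    case "$dir" in
        "in"|out|both) ;;
        *) echo "portblock_rules: direction must be in, out or both" >&2; return 2 ;;
    esac

    # reset_local_on_unblock_stop: on "unblock stop", RST whatever the local
    # server still sends from the port before incoming packets are dropped,
    # so lingering sessions (e.g. the kernel NFS server's) do not survive the
    # switchover. The man page calls this rule temporary; its later removal
    # is not shown here.
    if [ "$action/$op" = unblock/stop ] && [ "$reset" = true ] && [ "$proto" = tcp ]; then
        echo "iptables -I OUTPUT -p tcp -s $ip --sport $port -j REJECT --reject-with tcp-reset"
    fi

    case "$dir" in
        "in"|both) echo "iptables $ipt_op INPUT -p $proto -d $ip --dport $port -j DROP" ;;
    esac
    case "$dir" in
        out|both)  echo "iptables $ipt_op OUTPUT -p $proto -s $ip --sport $port -j DROP" ;;
    esac
}

# Stand-alone demo (constructed values): NFS port 2049/tcp on VIP 10.0.0.5.
portblock_rules block start tcp 2049 10.0.0.5 both
portblock_rules unblock stop tcp 2049 10.0.0.5 in true
```

       Read the function's first case statement as the agent's state machine: a resource with
       action=block blocks on start and unblocks on stop, while one with action=unblock does
       the reverse, which is why the tickle and reset features only make sense on an unblock
       resource that is stopped during failover.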

SUPPORTED ACTIONS

       This resource agent supports the following actions (operations):

       start
           Starts the resource. Suggested minimum timeout: 20s.

       stop
           Stops the resource. Suggested minimum timeout: 20s.

       status
           Performs a status check. Suggested minimum timeout: 10s. Suggested interval: 10s.

       monitor
           Performs a detailed status check. Suggested minimum timeout: 10s. Suggested interval:
           10s.

       meta-data
           Retrieves resource agent metadata (internal use only). Suggested minimum timeout: 5s.

       validate-all
           Performs a validation of the resource configuration. Suggested minimum timeout: 5s.

EXAMPLE CRM SHELL

       The following is an example configuration for a portblock resource using the crm(8) shell:

           primitive p_portblock ocf:heartbeat:portblock \
             params \
               protocol=string \
               portno=string \
               action=string \
             op monitor depth="0" timeout="10s" interval="10s"

EXAMPLE PCS

       The following is an example configuration for a portblock resource using pcs(8):

           pcs resource create p_portblock ocf:heartbeat:portblock \
             protocol=string \
             portno=string \
             action=string \
             op monitor OCF_CHECK_LEVEL="0" timeout="10s" interval="10s"

SEE ALSO

       http://clusterlabs.org/

AUTHOR

       ClusterLabs contributors (see the resource agent source for information about individual
       authors)