Keepalived/Vrrp with Shorewall

Graeme Fowler graeme at graemef.net
Wed Aug 23 09:37:17 BST 2006


Hi

Quiet as it may be over there, this question really belongs on the 
keepalived mailing list as this is not LVS related. I'll try to answer 
it here in any case:

On 23/08/2006 05:37, Noc Phibee wrote:
> I request a little help with my Keepalived config ;=)
> 
> 1- For the Vrrp protocol, does anyone know what entry I put into shorewall 3.1.2 ?

You must allow packets from/to network 224.0.0.0/8.

If you want to control this a bit more accurately, define mcast_src_ip 
in your keepalived.conf for each defined vrrp_instance, and set your 
filters accordingly.

> 2- I want that when my group changes state, it restarts Shorewall.
>    I have used the notify_*:
>       When my MASTER is dead, the BACKUP changes state and it's good.
>    but when the MASTER is available again and gets the virtual IP, it starts
>    the same script (restart of shorewall) 8/10x.
> 
>    Does anyone have an idea why it doesn't change states immediately?

Firstly, it looks like the Master is receiving the announcements from the 
Backup. This is good. The Backup is also receiving packets from the 
Master, which is also good - this is why the Backup flip-flops from 
BACKUP to MASTER to BACKUP state continuously.

However - something else is happening here, and I expect it's your 
Shorewall config.

Ignoring the Master machine for a moment, let me put forward a possible 
reason:

The Backup machine starts up, brings up keepalived, and goes into BACKUP 
state. Shorewall is dropping packets at this point, so the Backup 
machine goes to MASTER state, does things to Shorewall with the notify 
script, and starts to accept packets. It then receives an advertisement 
from the Master director, so it switches to BACKUP state, changes the 
Shorewall config back, misses an advertisement, switches to MASTER, changes 
the firewall, misses an advertisement, and so on.

Assuming this is correct, there are several things you need to do:

1. Make sure the Shorewall config isn't dropping the packets you want 
(see the suggestions above).

2. Put your notify* script actions into your vrrp_sync_group block 
instead of the vrrp_instance. That way it'll only fire once, when the 
group changes state, rather than one being fired off for every instance 
state change *and* the group.

Graeme
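As an added illustration of the two suggestions in Graeme's reply (this is example configuration written for this page, not anything posted in the thread), the fragment below places the notify scripts on the vrrp_sync_group rather than on each vrrp_instance, and pins mcast_src_ip so the firewall can match the VRRP source precisely. Interface names, addresses (RFC 5737 ranges), router ids and the script path are constructed placeholders.

```conf
# Example keepalived.conf fragment (constructed for illustration).
# Both instances fail over together; state-change handling is attached to
# the group, so the notify script runs once per group transition instead of
# once per instance transition plus once more for the group.
vrrp_sync_group VG_FIREWALL {
    group {
        VI_OUTSIDE
        VI_INSIDE
    }
    # keepalived calls the script as: <script> GROUP VG_FIREWALL <STATE> <PRIORITY>
    # where STATE is MASTER, BACKUP or FAULT. The script (placeholder path)
    # is where "shorewall restart" belongs, not in the instances below.
    notify_master /usr/local/sbin/vrrp-notify.sh
    notify_backup /usr/local/sbin/vrrp-notify.sh
    notify_fault  /usr/local/sbin/vrrp-notify.sh
}

vrrp_instance VI_OUTSIDE {
    state BACKUP
    interface eth0
    virtual_router_id 51        # placeholder; must match on both nodes
    priority 100                # lower on the Backup node
    advert_int 1
    # Fixed source address for the VRRP multicast advertisements, so the
    # Shorewall rule that permits 224.0.0.0/8 traffic can also match on the
    # peer's source address rather than "anything multicast".
    mcast_src_ip 192.0.2.10     # this node's eth0 address (placeholder)
    virtual_ipaddress {
        192.0.2.1/24 dev eth0   # shared outside VIP (placeholder)
    }
    # Deliberately no notify_* here (see vrrp_sync_group above).
}

vrrp_instance VI_INSIDE {
    state BACKUP
    interface eth1
    virtual_router_id 52
    priority 100
    advert_int 1
    mcast_src_ip 198.51.100.10
    virtual_ipaddress {
        198.51.100.1/24 dev eth1
    }
}
```

If the notify script restarts Shorewall, the restarted ruleset must still permit the 224.0.0.0/8 advertisements from the peer's mcast_src_ip, otherwise the BACKUP/MASTER flip-flop described in the reply reappears after the first restart.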

