1. Manuals
  2. Tumbleweed
  3. resource-agents
  4. ocf_heartbeat_portblock(7)

Scroll to navigation

OCF_HEARTBEAT_PORTBL(7) OCF resource agents OCF_HEARTBEAT_PORTBL(7)

NAME

ocf_heartbeat_portblock - Blocks and unblocks access to TCP and UDP ports

SYNOPSIS

portblock [start | stop | status | monitor | promote | demote | meta-data | validate-all]

DESCRIPTION

Resource script for portblock. It is used to block ports using nftables or iptables. In addition, it may allow for faster TCP reconnects for clients on failover. Use that if there are long lived TCP connections to an HA service. This feature is enabled by setting the tickle_dir parameter and only in concert with action set to unblock. Note that the tickle ACK function is new as of version 3.0.2 and hasn't yet seen widespread use.

In Promotable mode, the promote action unblocks the port(s) on the Promoted node and blocks the port(s) on the Unpromoted node(s) when action=unblock, and vice versa when action=block.

SUPPORTED PARAMETERS

firewall

Firewall to use, e.g. auto (default), nft, or iptables.

(optional, string, default "auto")

protocol

The protocol used to be blocked/unblocked.

(required, string, no default)

portno

The port number used to be blocked/unblocked.

(required, string, no default)

action

The action (block/unblock) to be done on the protocol::portno.

In Promotable mode it is the action for the promote action, and the opposite action will be used for the start and demote actions.

(required, string, no default)

method

Block method: drop: Use DROP rule. reject: Use REJECT rule w/conntrack to clear connections when blocking.

(optional, string, default "drop")

status_check

Status check: rule: Check rule. pseudo: Check pseudo status when rule is absent.

(optional, string, default "rule")

reset_local_on_unblock_stop

If for some reason the long lived server side TCP sessions won't be cleaned up by a reconfiguration/flush/stop of whatever services this portblock protects, they would linger in the connection table, even after the IP is gone and services have been switched over to another node.

An example would be the default NFS kernel server.

These "known" connections may seriously confuse and delay a later switchback.

Enabling this option will cause this agent to try to get rid of these connections by injecting a temporary iptables rule to TCP-reset outgoing packets from the blocked ports, and additionally tickle them locally, just before it starts to DROP incoming packets on "unblock stop".

(optional, boolean, default false)

ip

The IP address used to be blocked/unblocked.

(optional, string, default "0.0.0.0/0")

tickle_dir

The shared or local directory (_must_ be absolute path) which stores the established TCP connections.

(optional, string, no default)

sync_script

If the tickle_dir is a local directory, then the TCP connection state file has to be replicated to other nodes in the cluster. It can be csync2 (default), some wrapper of rsync, or whatever. It takes the file name as a single argument. For csync2, set it to "csync2 -xv".

(optional, string, no default)

direction

Whether to block incoming or outgoing traffic. Can be either "in", "out", or "both". If "in" is used, the incoming ports are blocked on the INPUT chain. If "out" is used, the outgoing ports are blocked on the OUTPUT chain. If "both" is used, both the incoming and outgoing ports are blocked.

(optional, string, default "in")

SUPPORTED ACTIONS

This resource agent supports the following actions (operations):

start

Starts the resource. Suggested minimum timeout: 20s.

stop

Stops the resource. Suggested minimum timeout: 20s.

promote

Promotes the resource to the Master role. Suggested minimum timeout: 10s.

demote

Demotes the resource to the Slave role. Suggested minimum timeout: 10s.

status

Performs a status check. Suggested minimum timeout: 10s. Suggested interval: 10s.

monitor

Performs a detailed status check. Suggested minimum timeout: 10s. Suggested interval: 10s.

monitor (Promoted role)

Performs a detailed status check. Suggested minimum timeout: 10s. Suggested interval: 9s.

meta-data

Retrieves resource agent metadata (internal use only). Suggested minimum timeout: 5s.

validate-all

Performs a validation of the resource configuration. Suggested minimum timeout: 5s.

EXAMPLE CRM SHELL

The following is an example configuration for a portblock resource using the crm(8) shell:

primitive p_portblock ocf:heartbeat:portblock \


  params \


    protocol=string \


    portno=string \


    action=string \


  op monitor depth="0" timeout="10s" interval="10s" \


  op monitor depth="0" timeout="10s" interval="9s" role="Promoted" 

ms ms_portblock p_portblock \


  meta notify="true" interleave="true"

EXAMPLE PCS

The following is an example configuration for a portblock resource using pcs(8)

pcs resource create p_portblock ocf:heartbeat:portblock \


  protocol=string \


  portno=string \


  action=string \


  op monitor OCF_CHECK_LEVEL="0" timeout="10s" interval="10s" \


  op monitor OCF_CHECK_LEVEL="0" timeout="10s" interval="9s" role="Promoted" promotable

SEE ALSO

http://clusterlabs.org/

AUTHOR

ClusterLabs contributors (see the resource agent source for information about individual authors)

11/25/2025 resource-agents UNKNOWN