ipa.conf ipa(8). - , -f ipa(8), ipa(8) SIGHUP.
ipa.conf . , (), .
ipa(8).
. IPA - , ipa_ipfw, ipa_ip6fw, ipa_atest ipa_db_sdb, ,
, IPA.
.
. , . ( ), , . . , .
.
shell- C- . C- shell- , C- .
:
# Shell- .
/* C- . */
/*
* C- .
*/
.
, . :
[[=] ] {
/* . */
}
. `;' :
[[=] ];
`=' . ( `='), . , , .
:
""
``\t'', ``\n'', ``\\'' ``\"'', , , . ( ), `\' (
). `\', .
.
:
${threshold} - threshold;
${autorule} - autorule.
( ), ${$}, . .
${$} (. ).
, . . , ${rule} (. ).
:
${a} = "${b}"; # ${a}.
${b} = "1"; # ${b}.
param = ${a}; # 1.
${b} = "2"; # ${b}.
param = ${a}; # 2.
param = "${$}{b}"; # ${b} (
# ).
section {
${a} = "1"; # ${a},
# ${a}.
${c} = "4"; # ${c}.
param = ${a}; # 1.
subsection {
${a} = "2";# ${a}.
${b} = "3";# ${b}.
}
param = ${a}; # 2.
param = ${b}; # 3.
}
# param = ${c}; <-- : ${c} .
.
. :
include "//";
include_files "//";
include . include_files , .
, . .. , , .
POSIX ( ) include_files, posix_re_pattern ``yes'' ,
POSIX , ``no'':
posix_re_pattern = <boolean>;
- .
shell. , POSIX.
.
, . ipa(8) ipa_ac_mod API, ipa_mod(3).
ac_mod ipa(8), IPA :
ac_mod "_";
- . .
:
ac_mod "ipa_ipfw.so";
ac_mod "ipa_ip6fw.so";
.
.
, , . ipa(8) ipa_db_mod API, ipa_mod(3).
db_mod ipa(8), IPA :
db_mod "_";
- . .
:
db_mod "ipa_db_sdb.so";
.
.
IPA , IPA ipa.conf(5).
, , . :
: [[=] ];
ipa(8) ``'', .
:
: [[=] ] {
/* . */
}
.
ipa(8) . : . rule. , , autorule.
(, ) . . global. rulepat ( ). autorule.
- (, ) - ( ), rulepat, global, , . ipa(8)
-tt, .
global, rulepat, rule autorule: ac_list, db_list, append_time,
update_time, worktime, ctl_rule_acl, debug_exec, debug_limit,
debug_limit_init, debug_threshold, debug_threshold_init.
.
ac_mod, , . ac_list :
ac_list = <>;
<> , . , , ac_mod.
- ac_list, , , . .
ipa(8) null: 0. ac_list , null.
:
ac_mod "ipa_ipfw.so";
ac_mod "ipa_ip6fw.so";
global {
ac_list = ipfw ip6fw;
}
.
.
db_mod, , . db_list :
db_list = <>;
<> , . , , db_mod.
- (, ) db_list, , , (, ). (, ) .
ipa(8) null: , , . db_list , null.
:
db_mod "ipa_db_sdb.so";
global {
00:00-24:00 `*' .
worktime , ``'', ``''.
, , .
, worktime , , ipa(8) .
, (. ).
:
, :
worktime = M * T * W *;
8:00 14:30 18:20 21:00, 10:35 ( ):
worktime = H 08:00-14:30 18:20-21:00
S 00:00-10:35;
.
update_time , ipa(8) :
update_time = <>;
, 1 .
append_time , ipa(8) :
append_time = <>;
. .
append_time update_time.
ipa(8) , , , update_time 5 , ipa(8) 00:00, 00:05, 00:10 ..
, date(1) ntpdate(8), UTC , . ``some time related
problems occurred'' ipa(8). update_time append_time . , ntp-
date(8) update_time ntpdate(8), ipa(8).
:
sensitive_time = <>;
30 . - .
wakeup_time , ipa(8). ipa(8) , ..:
rule, limit threshold info, :
info = "<>";
`\n' `\t'. , . , ipastat(8).
, , .
:
rule 10.1.2.3-in {
info = " ISP";
/* ... */
}
, .
.
``'' , ( ).
rule :
rule <-> {
/* . */
}
, .
rule - . - , . , , ( ).
worktime, . , .
:
ac_mod "ipa_ipfw.so";
ac_mod "ipa_ip6fw.so";
db_mod "ipa_db_sdb.so";
rule local.traf {
ac_list = ipfw ip6fw;
db_list = sdb;
info = " LAN";
sdb:db_group = staff;
ipfw:rules = 100 200 300;
ip6fw:rules = 1.10;
}
. .
.
%% `%'.
, rule, ${rule}.
, , only_abs_paths ``no'', ``yes'':
only_abs_paths = <boolean>;
shell, :
<shell_path> <shell_arg1> /path/command
, (stdin), (stdout) (stderr) ipa(8).
<Shell_path> IPA , /bin/sh (. ``ipa -v''), shell_path:
shell_path = "/path/shell";
<Shell_arg1> ``-c'', shell_arg1:
shell_arg1 = "<arg1>";
ipa(8) , , ( fork(2)), ipa(8) . - , , ipa(8) .
only_abs_paths, shell_path shell_arg1 - .
:
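startup {
# Every exec string is passed to <shell_path> <shell_arg1> (by default
# /bin/sh -c), so pipes, quoting and redirections are interpreted by
# the shell.
exec "/bin/echo \"ipa started\" | mail me";
# NOTE(review): `nobody' looks like the account the command runs as
# (exec [user] "command" form) -- confirm against the exec description.
# Running helpers under an unprivileged account limits what they can touch.
exec nobody "/usr/local/bin/something";
}
# The parameter is spelled only_abs_paths (see only_abs_paths = <boolean>;).
# With ``no'' the exec strings below may name commands without an absolute
# path; presumably those names are then resolved through the PATH of the
# shell started by ipa(8), so use this only where that PATH is trusted.
only_abs_paths = no;
shutdown {
exec "echo \"ipa stopped\" | mail me";
}
rulepat "^client" {
startup {
# NOTE(review): %rule% appears to be replaced with the name of the matching
# rule before the string reaches the shell -- verify. The called command
# should not assume the name is free of shell metacharacters.
exec "command %rule%";
}
}
rule 1 {
shutdown {
# ${rule} is expanded inside the rule section, giving a fixed, predictable
# file name under /tmp. NOTE(review): if ipa(8) runs with elevated
# privileges, a directory writable only by the service account is the safer
# place for such logs.
exec "echo rule off >> /tmp/${rule}.log";
}
}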
2 rule;
2 rule ;
2 limit .
ipa(8) ( SIGHUP), startup , shutdown. startup,
ipa(8) -x.
:
startup {
exec "command1";
}
rule 1 {
startup {
exec "command2";
}
limit 1 {
/* ... */
startup {
exec "command3";
}
}
}
rule 2 {
startup {
exec "command4";
}
}
: command1, command2, command3 command4.
.
: . ipa(8) . ipa(8) , , .
startup shutdown , .
sync_exec :
sync_exec = <boolean>;
, exec.
:
startup {
sync_exec = no;
, . , ipa(8) , ( -). , ipa(8) .
: .
. IPA . - , , limit. limit:
limit <-> {
limit = <->;
/* . */
}
, .
64- , ipa(8) limit. limit, ipa(8) . .
, .
ipa(8) , <->: , 64- (. ). <-> 64- .
: , ( ), ( ) . limit , ( ).
, , ( update_time).
:
rule my-account {
/* . */
limit 1 {
limit = 1M 500K;
info = " ";
}
limit 2 {
limit = 2h 30m;
info = " ";
}
limit 3 {
limit = 1234567890;
info = " ";
}
}
.
limit , `T' , `G' , `M' , `K' , `B' ( ). , .
.
worktime, , , worktime , , , ipa(8) work-
time .
worktime. , ipa(8) worktime .
}
, 08:00 21:00 . 08:00-21:00 00:00-24:00, .
.
( ) `` ''. ipa(8) . , .
restart :
limit <-> {
/* . */
restart {
restart = <->;
/* . */
}
}
restart restart. . .
, , .
ipa(8) , , , restart, .
restart, ( ) , ipactl(8).
1:
rule my.traf {
ac_list = ipfw;
ipfw:rules = 100 200;
limit 1 {
limit = 1G;
restart {
restart = 20h 30m;
}
}
}
restart . .
`s' , `m' , `h' , `D' `W' .
2:
rule my.traf {
ac_list = ipfw;
ipfw:rules = 100 200;
limit 1 {
limit = 1G;
restart {
restart = +W;
restart = +M 2D;
}
}
}
: ``+'' ( ), ``2D'' ( ) .
, ``2D +M'' : ``2D'' ``+M'' ( ).
, .
ipa(8) reach:
limit <-> {
/* . */
reach {
/* . */
}
}
reach , .
ipa(8) , , , reach, .
:
rule my.traf {
ac_list = ipfw;
ipfw:rules = 100;
limit 1 {
limit = 1G;
restart {
restart = +W;
}
reach {
exec "/somewhere/stop_traffic";
}
}
}
1, , , .
.
. expire:
limit <-> {
/* . */
expire {
expire = <->;
/* . */
}
rule my.traf {
ac_list = ipfw;
ipfw:rules = 100;
limit 1 {
limit = 1G;
restart {
restart = +W;
}
reach {
exec "/somewhere/stop_traffic";
}
expire {
expire = +W;
exec "/somewhere/start_traffic";
}
}
}
1 . , . , .
startup shutdown .
. , startup shutdown rule :
if_any_reached - ;
if_any_not_reached - ;
if_all_reached - ;
if_all_not_reached - .
, , .
startup shutdown, rulepat.
:
rule my.traf {
ac_list = ipfw;
ipfw:rules = 100;
startup {
exec "/somewhere/count_traffic";
if_any_reached {
/* ... */
exec "/bin/echo \"- \
${rule} \" | mail admin";
}
}
limit 1 {
limit = 1G;
restart {
restart = +M;
}
info = "1G ";
startup shutdown .
startup shutdown :
if_reached - ;
if_not_reached - .
, , .
ipa(8) , , / , .
.
db_list, . , ( ). db_list limit:
rule <-> {
/* . */
db_list <1>;
limit <-> {
/* . */
db_list <2>;
}
}
<1> <2> , <1> , <2> .
? - , () . . ipa_mod(3).
. ipa(8) ? , , , - , , ipa(8) .
, .
, , , .
limit .
limit , ipa(8) , limit . load_limit:
limit <-> {
/* . */
load_limit = <boolean>;
}
limit , load_limit ``yes''. ( ), limit ,
limit .
load_limit ``no''.
``yes'' ipactl(8) limit .
global, - limit , global.
: .
:
+--------------+--> Restart (Tstart)
| |
Trestart_exec Treach_exec Texpire_exec
--|------>------||------>------||------>------||------------->
Tstart Trestart Treach Texpire time
.
. , limit. limit, , limit. , limit:
limit <-> {
limit = <->;
/* . */
sublimit <-> {
/* . */
}
}
reach, startup shutdown. , . ipa(8) , .
( <->) .
, , , , .
:
rule my.traf {
/* ... */
limit l1 {
limit = 1G;
load_limit = yes;
restart {
restart = +M;
}
info = "1G ";
/* ... */
sublimit 50% {
reach {
exec "/bin/echo \" \
${limit} ${rule}\" | mail me";
}
}
}
}
email, t1 . limit ipactl(8), , .
equal_threshold above_threshold. threshold_time_slice .
ipa(8) , <-> : , 64- . <-> 64- .
<-> threshold_deviation. threshold_deviation , threshold. ,
, threshold.
threshold_time_width . threshold_time_slice . thresh-
old_time_width threshold_time_slice . , threshold_time_width
. , `` '', threshold_time_slice . global , thresh-
old.
, .
, , , , , threshold.
below_threshold (X), equal_threshold (Y) above_threshold (Z)
threshold_balance:
threshold_balance = X:Y:Z;
global - threshold , global.
x, y z, below_threshold, equal_threshold above_threshold.
X, Y Z . threshold x , x , y Y, z Y, below_threshold
. y z.
X, Y Z, `-'. UINT_MAX. -:-:-.
:
rule lan {
ac_list = ipfw;
ipfw:rules = 100 200 -300;
update_time = 1m;
limit l1 {
limit = 1G;
info = " 1G ";
reach {
exec "/bin/echo \"1G ${rule} \" |
mail me";
}
expire {
expire = 0s;
}
}
threshold t1 {
threshold = 500M;
threshold_balance = 1:-:1;
threshold_deviation = 50M;
threshold_time_width = 24h;
threshold_time_slice = 15m;
. email, 1 .
.
worktime. , .
, - worktime? , ``'' . 0 . ( ) .
ipa(8) ? , .
threshold_type, ( ):
0x1 , ipa(8) ( );
0x2 , .
threshold_type 0. : 0, 1, 2 3 (0x1|0x2). 0 3, , ,
( ).
global , - threshold , global.
:
rule client {
ac_list = ipfw;
ipfw:rules = 100 200 300;
update_time = 1m;
threshold t {
threshold = 100M;
threshold_deviation = 10%;
threshold_time_width = 5h;
threshold_time_slice = 15m;
threshold_type = 3;
worktime = M 08:00-21:00 T 08:00-21:00 W 08:00-21:00
H 08:00-21:00 F 08:00-21:00;
info = " 100M - 10% 5h ( 3)";
below_threshold {
exec "/somewhere/increase_bandwidth ${rule}";
}
above_threshold {
exec "/somewhere/decrease_bandwidth ${rule}";
}
}
}
, , Internet 08:00 21:00. 100 - 10% 5 (
increase_bandwidth decrease_bandwidth).
, 90 21:00. 08:00 0 , 21:00 08:00 5 .
3 ``'' 21:00 08:00 , 90 08:00 . ipa(8) 21:00
08:00 ``'' 21:00 08:00.
.
, : ipa(8) , , , threshold , ipa(8)
load_threshold threshold_type . , , worktime . , ,
.
: .
:
<-------------- time_width ------------->
(t1) |---c1--|---c2--|---c3--|---c4--|---c5--| -->
(t2) |---c2--|---c3--|---c4--|---c5--|---c6--| -->
<-slice->
-----|-------|-------|-------|-------|-------|-------|-------|-->
t1 t2
t1 t2. ci, ci t2 - t1. time_width .
.
. ipa(8) ( ac_gather_*) ( limit threshold) .
autorule:
autorule <-> {
/* . */
}
<-> , , <-> .
. ( ): ac_list ac_gather_*.
. ac_list . ( , .) ac_list , .
( ac_get_stat ipa_mod(3)), / ( ) . update_time ac_get_stat (
).
, .
worktime, . worktime_rule worktime. worktime,
global.
worktime, .
, - , rulepat, global .
startup shutdown, , . , ${rule}, , (. ).
# Dynamic-rule template: a limit of 100M with a restart period, plus
# commands run when the limit is reached and when it expires.
autorule a {
ac_list = atest;
update_time = 1m;
limit 1 {
limit = 100M;
restart {
restart = +W;
}
reach {
# NOTE(review): %rule% is used here instead of ${rule}, which suggests the
# rule name is only known at run time -- confirm how the accounting module
# forms it. exec strings go through the shell, so the helper scripts should
# validate this argument rather than trust its format.
exec "/somewhere/stop_traffic.sh %rule%";
exec "/bin/echo \"%rule%'s limit ${limit} reached\" |
mail admin";
}
expire {
expire = +M;
exec "/somewhere/start_traffic.sh %rule%";
}
}
}
update_time db_list append_time global. , ${rule} (
), %rule%. ${limit} , .
.
. , global , . .
- - , . rulepat:
rulepat "<regexp>" {
/* . */
}
POSIX ( ). ipa(8), , . , , ipa(8) . , , . ,
check_next_rulepat ``yes'':
check_next_rulepat = <boolean>;
rulepat ``no''.
( ac_gather_*) ( limit threshold), rule rulepat.
, , , .
rulepat.
:
ac_mod "ipa_ipfw.so";
db_mod "ipa_db_sdb.so";
global {
below_threshold {
exec "/somewhere/increase-bandwidth.sh %rule%";
}
above_threshold {
exec "/somewhere/decrease-bandwidth.sh %rule%";
}
}
}
rulepat "^client" {
worktime = M 08:00-20:00 T 08:00-20:00 W 08:00-20:00
H 08:00-20:00 F 08:00-20:00 A 08:00-17:00;
}
rulepat ``'' ( ${$} `$', `$' POSIX ). rulepat ``''
``client'' .
.
, .
ac_gather_add ac_gather_sub :
rule <-> {
/* . */
ac_gather_add = "<regexp>";
ac_gather_sub = "<regexp>";
}
<regexp> POSIX ( ), - , ac_gather_*. , . (. ).
rule, .. , .
ac_list rule: , , . ac_gather rule: ac_gather_* , .
, ac_gather_*, ac_list.
:
ac_mod "ipa_ipfw.so";
global {
ac_list = ipfw;
}
rule client1 {
ipfw:rules = 100 102 104;
info = " ";
}
rule client2 {
ipfw:rules = 200 202 204;
rule all_stat {
ac_gather_add = "(server|clients)${$}";
info = " LAN";
}
rule all_except_client2_stat {
ac_gather_add = "^all_stat${$}";
ac_gather_sub = "^client2${$}";
info = " LAN, client2";
}
: client1, client2, clients, server, all_stat
all_except_client2_stat. clients client1 client2. all_stat
clients server. all_except_client2_stat clients server client2.
client2 ac_gather_add , , : client2->clients->client2...
ipa(8) .
ipactl(8).
ipactl(8) ipa(8) Unix domain . ctl_enable ``yes'', ``no'':
ctl_enable = <boolean>;
``yes'', ipa(8) Unix domain . Unix domain , , ipa(8),
ctl_socket_perm.
Unix domain , (. ``ipactl -h''), Unix domain ctl_socket_path:
ctl_socket_path = "/path/to/socket";
ipa(8) 10 , ctl_timeout:
ctl_timeout = <>;
ctl_socket_perm:
ctl_socket_perm = <>;
<> : `u', `g' `o'. (, ) . ipa(8) . ,
``u''.
ipa(8), FreeBSD, ipactl(8) ( ``ipa -v''), ctl_acl_class,
ctl_dump_acl, ctl_freeze_acl, ctl_stat_acl ctl_rule_acl.
ctl_acl_class ACL ( ): ACL ACL. - :
ctl_acl_class <> [<ACL>];
ACL , , :
[!]<>|%<>
ctl_stat_acl <>;
ctl_rule_acl ACL restart, expire, set status ipactl(8):
ctl_rule_acl <>;
ACL , ACL, , .
.
1:
ctl_enable = yes;
ctl_socket_perm = ug;
ipa(8) ipactl(8). ( ). .
2:
ctl_enable = yes;
ctl_socket_path = "/var/tmp/ipactl.sock";
ctl_timeout = 10s;
Unix domain . ctl_socket_perm , , , ``u''.
3:
# Control-socket example that combines wide socket permissions with ACL
# classes.
ctl_enable = yes;
# `ugo' grants socket access to user, group and others, so the ACL classes
# below are the only thing restricting ipactl(8) requests.
# NOTE(review): the text above this example ties the ctl_*_acl parameters to
# how ipa(8) was built (see ``ipa -v''); confirm ACL support is present
# before opening the socket this widely.
ctl_socket_perm = ugo;
# NOTE(review): a class with no entries -- presumably it matches nobody; verify.
ctl_acl_class empty;
ctl_acl_class root root;
# Entries follow the [!]<user>|%<group> form shown above: `!john' is a
# negated user entry and `%wheel' is a group entry.
ctl_acl_class admins root !john %wheel;
ctl_dump_acl root;
global {
ctl_rule_acl admins;
/* ... */
}
rulepat "^vip" {
ctl_rule_acl root;
/* ... */
}
rulepat "^staff" {
ctl_rule_acl admins;
/* ... */
}
rule lan-all {
ctl_rule_acl empty;
freeze_time = <>;
sleep_after_dump = <>;
, , - .
sleep_after_dump freeze_time .
- .
:
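# Each parameter is terminated by `;'. The values match the description
# that follows: 30 seconds for freeze, 5 seconds after a dump.
freeze_time = 30s;
sleep_after_dump = 5s;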
ipa(8), 5 dump, 30 freeze. : dump, , ,
freeze, ipa(8) . , 30 , .
.
ipa(8) . , , , , r1 r2, .
ac_gather_* worktime, .
ac_gather_* , , ac_gather_*, - ac_gather_*, .
ac_gather_* worktime, .
, ac_gather_*, .
, keep_rules_order ``yes'', ``no'':
keep_rules_order = <boolean>;
, ac_gather_* keep_rules_order ``yes'': , , , .
, .
, .
- .
:
keep_rules_order = yes;
ipa(8) .
.
- . , ipa(8):
debug_ac_null - null (, 1);
:
debug_worktime = 1;
debug {
debug_limit_init = 1;
}
- worktime .
ipa.conf
( ipa -h, , )
ipa(8), ipactl(8), ipastat(8), ipastat.conf(5), ipa_mod(3)
Andrey Simonenko <simon@comsys.ntu-kpi.kiev.ua>
- , , , email.
16 2005 . IPA.CONF(5)