Date: Thu, 18 Oct 2007 14:11:42 +0200 (CEST)
From: "Klavs Klavsen" <kl@vsen.dk>
To: "Max Laier" <max@love2party.net>
Cc: freebsd-net@freebsd.org, Klavs Klavsen <kl@vsen.dk>
Subject: Re: packet loss with carp on 6.2
Message-ID: <1270.62.242.232.132.1192709502.squirrel@www.enableit.dk>

On Thu, October 18, 2007 12:50, Max Laier said:
> On Thursday 18 October 2007, Klavs Klavsen wrote:
>> I tried to just disable carp on the new machine (simply comment out
>> carp config from /etc/rc.conf.local) and now the packet loss is gone -
>> and hasn't been there for half an hour, so far.
>
> I supposed you also had to change your firewall rules? Otherwise your
> ruleset might not be ready to deal with carp and that could be the reason
> why you get the bad results?

I added these rules:

# Allow pfsync Updates In/Out
pass quick on $if_mgmt proto pfsync keep state
# Allow CARP Advertisements In/Out
pass quick on {$if_mgmt, $if_fwnet, $if_inet} proto carp keep state

I wasn't running any performance tests or anything - just normal traffic.

Also - I had a "pass log on $if_XX all" enabled - which matches all the
traffic that wasn't specifically matched (i.e. expected) traffic.

And no backup CARP host running - but I don't see why NOT having the spare
CARP host up should cause a packet loss.

> Start debugging by looking at "netstat -ssp
> carp" on either machine and take a careful look at your pf.conf. I also
> suggest that you add "log" to all your block rules and watch tcpdump on
> pflog0 while pinging.
>

I just looked through the pflog file (26MB for 55 minutes) - primarily
passes - only 14 k. blocks. The blocks were broadcasts, and cisco hsrp
stuff (and pfsync, until I just "allowed it for all - as above" - but since
the secondary host wasn't up - pfsync wouldn't work anyways).

>> Seems the carp network interfaces has bugs.
>
> That's a pretty bold assertion given the limited debugging you have
> done ;)
>

Fair enough - I said "it seems" :) I see no obvious explanation though, why
using a carp interface, vs. a normal interface, would somehow give me a
packet loss.

If a block/pass rule somehow did not match the packages through the new
interfaces, I'd expect to get a 100% packet loss :)

-- 
Regards,
Klavs Klavsen, GSEC - kl@vsen.dk - http://www.vsen.dk
PGP: 7E063C62/2873 188C 968E 600D D8F8 B8DA 3D3A 0B79 7E06 3C62

"Those who do not understand Unix are condemned to reinvent it, poorly."
  --Henry Spencer