From owner-freebsd-pf@FreeBSD.ORG Thu Jun 16 15:14:28 2005
Date: Thu, 16 Jun 2005 19:14:24 +0400
From: Yar Tikhiy
To: Josh Kayse
Cc: freebsd-net@freebsd.org, Gleb Smirnoff, freebsd-pf@freebsd.org
Subject: Re: Carp Suppression
Message-ID: <20050616151424.GA40160@comp.chem.msu.su>
In-Reply-To: <7c8f27920506151132670c035@mail.gmail.com>

On Wed, Jun 15, 2005 at 02:32:19PM -0400, Josh Kayse wrote:
> On 6/15/05, Gleb Smirnoff wrote:
> >
> > AFAIU, you use PLIP line as some flag that triggers suppression. If
> > slave "sees" master via PLIP, it keeps itself in slave mode. May be
> > I don't understand you right.
> >
> > Although the idea is not officially supported, it is interesting. Can you
> > please draw your setup, since I don't understand it clearly?
>
>                    __________
>       em0         |          |em1
>   ----------------|   FW1    |-----------
>                   |__________|
>       xl0(carp0)  |          | plip0(carp1)
>                 __|__________|__
>       em0      |                | em1
>   -------------|      FW2       |----------
>                |________________|
>
> Bridging is done through em0/em1 which are both monitored by ifstated
> for link state only (backported patch from HEAD).
>
> When one of the bridging ports is disconnected, ifstated changes the
> advskew of carp0 and carp1 to 254 so that the carp interfaces
> failover.
>
> When ifstated sees the carp interfaces as BOTH master, the slave
> firewall takes over bridging.
>
> This gives us redundant firewalls, with redundant heartbeat connections.

In fact, not all network failures lead to detectable link loss. I can
imagine a situation when the switch port that FW1-em0 is connected to just
hangs and so FW1 is unable to notice the event. If CARP ran on the em0
side of FW1 and FW2, they would notice such an event though, due to CARP
packets being unable to flow between FW1-em0 and FW2-em0 any longer.

The advantage of CARP used customarily and not on a separate "heartbeat"
interface is that it provides active detection of failures on the very
network that should be made fail-safe.

-- 
Yar
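The failover logic described in the thread (demote both carp interfaces to advskew 254 when a bridge port loses link; the standby bridges once it is MASTER on both heartbeat links), reimplemented below as POSIX sh functions with a dry run. This is an added example, not Josh's ifstated configuration or code from the thread; the ifconfig(8) output it parses is constructed, and the interface names follow the diagram. The last line shows the reply's caveat: a hung switch port that keeps link up produces no demotion at all.

```shell
# Constructed ifconfig(8) output for FW1: em1 has lost carrier, em0 is fine.
FW1_EM0='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        status: active'
FW1_EM1='em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        status: no carrier'

# link_state OUTPUT: "up" if the status: line says active, else "down".
# This is the only signal the link-state-only ifstated setup has.
link_state() {
    case "$1" in
        *'status: active'*) echo up ;;
        *) echo down ;;
    esac
}

# advskew_for EM0 EM1: 0 while both bridge ports have link; 254 as soon as
# either drops. Applied to carp0 and carp1 alike so the peer wins both vhids.
advskew_for() {
    if [ "$1" = up ] && [ "$2" = up ]; then echo 0; else echo 254; fi
}

# carp_master SKEW_FW1 SKEW_FW2: CARP elects the host advertising the lower
# advskew (ties are broken by address in real CARP; not modelled here).
carp_master() {
    if [ "$1" -lt "$2" ]; then echo FW1; else echo FW2; fi
}

# take_over_bridge CARP0 CARP1: the standby starts bridging only when it is
# MASTER on both heartbeat links, i.e. the peer has demoted both of them.
take_over_bridge() {
    if [ "$1" = MASTER ] && [ "$2" = MASTER ]; then echo yes; else echo no; fi
}

# Dry run for FW1: print the commands ifstated would run, execute nothing.
fw1_skew=$(advskew_for "$(link_state "$FW1_EM0")" "$(link_state "$FW1_EM1")")
echo "FW1: ifconfig carp0 advskew $fw1_skew; ifconfig carp1 advskew $fw1_skew"

# FW2 still has link on both ports, keeps advskew 0 and wins both elections.
m=$(carp_master "$fw1_skew" 0)
if [ "$m" = FW2 ]; then fw2_state=MASTER; else fw2_state=BACKUP; fi
echo "FW2 is $fw2_state on carp0/carp1; takes over bridging:" \
     "$(take_over_bridge "$fw2_state" "$fw2_state")"

# Caveat from the reply: a hung switch port still reports 'status: active',
# so link-state monitoring alone never demotes and no failover happens.
echo "hung port, link still up -> advskew $(advskew_for up up)"
```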