Date: Mon, 13 Jun 2005 13:35:12 -0400
From: Josh Kayse <josh.kayse@gmail.com>
To: Greg Hennessy <Greg.Hennessy@nviz.net>
Cc: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: Carp Suppression
Message-ID: <7c8f27920506131035841d5d0@mail.gmail.com>
In-Reply-To: <20050613165202.51063DA@gw2.local.net>
References: <7c8f2792050613090040c924c3@mail.gmail.com> <20050613165202.51063DA@gw2.local.net>

On 6/13/05, Greg Hennessy <Greg.Hennessy@nviz.net> wrote:
>
> > The reason we are using CARP on a PLIP interface is to allow
> > us to have redundant connections between 2 transparent
> > bridging firewalls.
>
> CARP is not going to work with a layer 2 firewall.

It's running over the PLIP interface and the crossover cable. ifstated
will change the advskew of the carp interfaces if one of the bridging
interfaces goes down.

>
> > Instead of sending packets over our network, we isolate them
> > onto a PLIP interface and crossover interface.
>
> That's not going to work on a point to point connection, the other party
> cannot see the carp traffic.
> never mind the overhead that running plip puts on a system, a length of
> baling twine would make for a better physical transport.

Both firewalls can see the carp information over the PLIP connection,
so I assume it works. And it wasn't my choice to use the plip
interface.

>
> > We then use
> > ifstated to monitor the carp interfaces and shut down
> > bridging on one of the machines.
>
> Spanning tree is a no brainer for such a setup, pfsync takes care of the
> rest.
>

We did not want to go with STP because it would not be a self
contained solution. Now we can use these firewalls anywhere without
having to modify any routers, just plug them in inline and it is set.
We also wanted to stick with FreeBSD because we have a knowledgebase
already set up for it and we know how to use it. Unfortunately, there
is no support for STP in freebsd bridging. Yes, I had already looked
into using pfsync and STP, we also considered just using scripts.

Anyway, I don't want to try and defend myself on our setup. We have
everything working now and I just wanted to let others know how they
could use carp over PLIP if they so needed to.

> http://www.seattlecentral.edu/~dmartin/docs/bridge.html
>
>
>
> Greg
>
>
> > I will refrain from submitting any code to the community in
> > the future.
> > > > On 6/13/05, Yar Tikhiy <yar@comp.chem.msu.su> wrote: > > > On Mon, Jun 13, 2005 at 10:10:54AM -0400, Josh Kayse wrote: > > > > One last comment, > > > > > > > > I managed to fix it so that carp runs on the plip > > interface by adding: > > > > ifp->if_flags = LINK_STATE_UP; > > > > > > > > Here is the diff: > > > > > > > > diff -Nur /usr.orig/src/sys/dev/ppbus/if_plip.c > > /usr/src/sys/dev/ppbus/if_plip.c > > > > --- /usr.orig/src/sys/dev/ppbus/if_plip.c Wed Sep > > 15 11:14:18 2004 > > > > +++ /usr/src/sys/dev/ppbus/if_plip.c Mon Jun 13 10:05:56 2005 > > > > @@ -359,6 +359,7 @@ > > > > > > > > ppb_wctr(ppbus, IRQENABLE); > > > > ifp->if_flags |= IFF_RUNNING; > > > > + ifp->if_flags = LINK_STATE_UP; > > > > } > > > > break; > > > > > > I'm afraid you're totally wrong here. > > > > > > First, I can't see how CARP is supposed to work on a PLIP > > interface or > > > any point-to-point interface at all. CARP is for broadcast > > > interfaces, such as Ethernet or FDDI, which do ARP. You > > seem to miss > > > the point. > > > > > > Second, you can't store an arbitrary value into a variable or field > > > and expect the things to work right. LINK_STATE_UP simply > > is not for > > > ifp->if_flags. Please make yourself familiar with the basics of > > > computer programming before offering your patches to the community. > > > > > > -- > > > Yar > > > > > > > > > -- > > Joshua Kayse > > Computer Engineering > > _______________________________________________ > > freebsd-pf@freebsd.org mailing list > > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" > > > > > > _______________________________________________ > freebsd-net@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-net > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org" > -- Joshua Kayse Computer Engineering
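
Review bot: the added line in the @@ -359,6 +359,7 @@ hunk uses plain assignment, "ifp->if_flags = LINK_STATE_UP;", which overwrites every bit in if_flags, including the IFF_RUNNING bit set by the "|=" on the line directly above it. LINK_STATE_UP is also a link-state value rather than an IFF_* flag, so it does not belong in if_flags at all; record the link state in the interface's link-state field (if_link_state) and leave if_flags to the "|= IFF_RUNNING" update. The hunk shows only the branch that brings the interface up, so whatever replaces this line also needs a matching link-down update where the interface is stopped.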
