From: Cameron Simpson
To: "Eugene M. Zheganin"
Cc: freebsd-net@freebsd.org
Subject: Re: carp regression in 9.1 ?
Date: Mon, 10 Jun 2013 12:54:30 +1000
On 18Mar2013 17:10, Eugene M. Zheganin wrote:
| This is of course up to you to decide, but I feel like I should
| encourage you - 10.x isn't as scary as it seems to be. I also run
| it on a production (though my production may be not as harsh as
| yours) [...]
| At least, after upgrade from 9.1-STABLE to a random -CURRENT I
| didn't notice any degradation, only improvements. I had all of your
| fears right before the upgrade, none of it became real.

I'm looking at putting in a 9.1 FreeBSD as a new firewall soon and have only just discovered this possible CARP regression. Can someone inform me on the following questions:

- does simple CARP (one address) work?
- if I do not destroy and recreate CARP interfaces, does it work?
- if I want to try 10.x, is it enough to build a 10.x kernel and boot that without making changes to userland?

The partner firewall is running FreeBSD 8.1 and will be staying that way for a while.

Finally, out of interest, does 10.x address a bug I found (but have not yet written up and reported, alas) to do with how CARP chooses the physical interface for its packets?
We did some debugging on a longstanding problem we had in January, and it appears that CARP is choosing the physical interface naively: just checking if the CARP address is in the network and not consulting the netmask. It should be doing as the IP routing code does, but it does not.

We have a /25 with a smaller subnet of it on our exterior link and another subnet on an internal DMZ; the main LAN runs the wider /25. All perfectly sane, but CARP's choice of interface for a given address is subject to hardware order; leaving aside CARP choosing the wrong interface outright, the machines are not physically identical and therefore CARP can pick different physical networks on each machine, causing neither side to see the peer and both sides to go MASTER.

A cursory read of the carp code later seemed to support what our testing with tcpdump showed.

Cheers,
-- 
Cameron Simpson
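The interface-selection failure described above, modelled as an added example (not code from the message or from FreeBSD's carp): a constructed topology with a /25 LAN and two smaller subnets inside it, a first-match picker that walks interfaces in hardware order, and a longest-prefix picker that does what the routing code does. The addresses, interface names and the first-match model of the naive behaviour are assumptions.

```python
import ipaddress

# Constructed topology (not the poster's real addressing): the LAN runs the
# wide /25, while the exterior link and the DMZ carry smaller subnets of it.
HOST_A = [("em0", "192.0.2.1/25"),    # main LAN
          ("em1", "192.0.2.2/28"),    # exterior link, subnet of the /25
          ("em2", "192.0.2.65/27")]   # internal DMZ, subnet of the /25
# Same networks, but a different NIC order on the peer (different hardware).
HOST_B = [HOST_A[1], HOST_A[2], HOST_A[0]]


def first_match(ifaces, carp_addr):
    """Assumed model of the naive behaviour: take the first interface whose
    network contains the address, in interface (hardware) order."""
    addr = ipaddress.ip_address(carp_addr)
    for name, cidr in ifaces:
        if addr in ipaddress.ip_interface(cidr).network:
            return name
    return None


def longest_prefix(ifaces, carp_addr):
    """What the IP routing code does: among interfaces whose network contains
    the address, prefer the most specific (longest) netmask."""
    addr = ipaddress.ip_address(carp_addr)
    best_name, best_len = None, -1
    for name, cidr in ifaces:
        net = ipaddress.ip_interface(cidr).network
        if addr in net and net.prefixlen > best_len:
            best_name, best_len = name, net.prefixlen
    return best_name


def split_brain(carp_addr, picker):
    """True when the two hosts would advertise on different physical networks,
    so neither sees its peer and both go MASTER."""
    return picker(HOST_A, carp_addr) != picker(HOST_B, carp_addr)


if __name__ == "__main__":
    for vip in ("192.0.2.5", "192.0.2.70", "192.0.2.100"):
        print(vip,
              "first-match:", first_match(HOST_A, vip), "/", first_match(HOST_B, vip),
              "split:", split_brain(vip, first_match),
              "| longest-prefix:", longest_prefix(HOST_A, vip), "/", longest_prefix(HOST_B, vip),
              "split:", split_brain(vip, longest_prefix))
```

Only addresses that fall inside one of the smaller subnets expose the disagreement; an address that is only in the /25 picks the same interface under both rules.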