From: Josh Kayse
Reply-To: gtg062h@mail.gatech.edu
To: Gleb Smirnoff, Yar Tikhiy, freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Date: Wed, 15 Jun 2005 14:32:19 -0400
Subject: Re: Carp Suppression
Message-ID: <7c8f27920506151132670c035@mail.gmail.com>
In-Reply-To: <20050615143919.GE8060@cell.sick.ru>

On 6/15/05, Gleb Smirnoff wrote:

> AFAIU, you use PLIP line as some flag that triggers suppression. If
> slave "sees" master via PLIP, it keeps itself in slave mode. Maybe
> I don't understand you right.
>
> Although the idea is not officially supported, it is interesting. Can you
> please draw your setup, since I don't understand it clearly?
>

               __________
         em0  |          |  em1
  ------------|   FW1    |-----------
              |__________|
     xl0(carp0) |      | plip0(carp1)
               _|______|_
         em0  |          |  em1
  ------------|   FW2    |----------
              |__________|

Bridging is done through em0/em1, which are both monitored by ifstated
for link state only (backported patch from HEAD). When one of the
bridging ports is disconnected, ifstated changes the advskew of carp0
and carp1 to 254 so that the carp interfaces fail over. When ifstated
sees the carp interfaces as BOTH master, the slave firewall takes over
bridging.

This gives us redundant firewalls, with redundant heartbeat connections.

> Bringing link state support for p2p interfaces is a TODO, although
> CARP is not going to be supported on p2p interfaces officially.
>
> J> I will refrain from submitting any code to the community in the future.
>
> Why?

I was just grumpy, we had just expanded server room and everything
broke, etc etc. Don't mind me at all.

If you have any other questions, just let me know.

PS. I stink at ASCII drawings.

-- 
Joshua Kayse
Computer Engineering
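
The failover rule described in the message above, as an added example that is not part of the original post and is not the poster's ifstated configuration. It evaluates ifconfig-style text for one firewall; the helper names, the decision labels and the sample snapshot are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (hypothetical helpers): decide what one firewall should do
# from a snapshot of its ifconfig output.

# if_has IFNAME REGEX: ifconfig text on stdin; succeeds if a line in
# IFNAME's stanza matches REGEX.
if_has() {
    awk -v ifn="$1" -v pat="$2" '
        /^[a-z]+[0-9]+:/ { cur = $1; sub(/:$/, "", cur) }
        cur == ifn && $0 ~ pat { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# decide SNAPSHOT: print one of
#   demote  - a bridge port lost link: set advskew 254 on carp0 and carp1
#   bridge  - both bridge ports up and BOTH carp interfaces are MASTER
#   standby - anything else, including MASTER on only one heartbeat link
decide() {
    snap=$1
    for port in em0 em1; do
        if ! printf '%s\n' "$snap" | if_has "$port" 'status: active'; then
            echo demote
            return
        fi
    done
    if printf '%s\n' "$snap" | if_has carp0 'carp: MASTER' &&
       printf '%s\n' "$snap" | if_has carp1 'carp: MASTER'; then
        echo bridge
    else
        echo standby
    fi
}

# Constructed snapshot: the standby firewall after the other one demoted itself.
SAMPLE_TAKEOVER='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    status: active
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    status: active
carp0: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
    carp: MASTER vhid 1 advbase 1 advskew 100
carp1: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
    carp: MASTER vhid 2 advbase 1 advskew 100'

decide "$SAMPLE_TAKEOVER"
```

Requiring MASTER on both carp0 and carp1 means that losing a single heartbeat link leaves the standby in "standby", so the two firewalls do not bridge at the same time.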