From owner-freebsd-pf@FreeBSD.ORG Fri Jul 20 21:36:33 2007
Message-ID: <46A132F9.9020208@tomjudge.com>
Date: Fri, 20 Jul 2007 23:11:05 +0100
From: Tom Judge
User-Agent: Thunderbird 1.5.0.12 (X11/20070604)
To: Alexandre Biancalana
Cc: freebsd-pf@freebsd.org
Subject: Re: Single IP failover without carpdev
In-Reply-To: <8e10486b0707201254j4eece5dq55c1afa838a3092@mail.gmail.com>
References: <8e10486b0707180621q6a38d018u206ce9ee4fbbe10c@mail.gmail.com> <867iow7rwk.fsf@zid.claresco.hr> <8e10486b0707191950s2ffd4e89q7484181acba745be@mail.gmail.com> <866fa9520707200813s7938bdbdjdfb57c87dd23e268@mail.gmail.com> <20070720173722.GB12522@verio.net> <8e10486b0707201254j4eece5dq55c1afa838a3092@mail.gmail.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Alexandre Biancalana wrote:
> On 7/20/07, David DeSimone wrote:
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> That is OpenBSD's documentation you are referring to, but this is
>> FreeBSD we are talking about. The implementation is not the same.
>>
>> In order for CARP to be effective, it must send out hello packets on a
>> particular interface. Under OpenBSD, I believe there is a "carpdev"
>> option for ifconfig, which allows you to set the interface explicitly.
>> However, FreeBSD's implementation (at least in 6.x where I'm familiar
>> with it) is missing that option. Instead, the interface is chosen by
>> matching the IP address of the carp interface to the same subnet as the
>> physical interface.
>>
>> In a case where your ISP has only assigned a single IP address to you,
>> you cannot (legally) assign a pair of addresses to your firewalls and
>> then assign a third IP to CARP in order to have it bind correctly to
>> the external interface. Under OpenBSD, you could assign private RFC1918
>> addresses to the external interfaces, and use "carpdev" to assign a
>> virtual public IP, but it seems that is not possible with FreeBSD.
>>
>> If I am wrong, I hope that someone will correct my understanding.
>
>
> Exactly this! What I want to know is if there exists some alternative way to
> configure this....

Well, after reading [RELENG_6_2]sys/netinet/ip_carp.c (carp_set_addr) I have
found the code that is used to look up the interface; the key part is this
block:

    ia_if = NULL;
    own = 0;
    TAILQ_FOREACH(ia, &in_ifaddrhead, ia_link) {
        /* and, yeah, we need a multicast-capable iface too */
        if (ia->ia_ifp != SC2IFP(sc) &&
            (ia->ia_ifp->if_flags & IFF_MULTICAST) &&
            (iaddr & ia->ia_subnetmask) == ia->ia_subnet) {
            if (!ia_if)
                ia_if = ia;
            if (sin->sin_addr.s_addr == ia->ia_addr.sin_addr.s_addr)
                own++;
        }
    }

This is the first stage of finding the carp_softc->sc_carpdev device. It
doesn't look like it would take too much to add a carpdev option to ifconfig
and fall back to the existing code if no carpdev is specified.

I may try and have a look at this over the weekend; it looks like an
interesting first challenge.

Tom
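Added illustration, not code from this thread or from ip_carp.c: a userland C model of the lookup quoted above, run against a constructed address table. The ifaddr_entry struct, ip4() helper, and the carpdev override function are assumptions standing in for the kernel's in_ifaddr list and for the change Tom proposes; the sample addresses are made up. It shows why a single public IP with RFC1918 addresses on the external interfaces yields no parent interface under the subnet-match rule, and how an explicit carpdev would bypass that.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in (hypothetical struct) for the kernel's in_ifaddrhead
 * entries. Only physical interfaces are listed, which mirrors the
 * ia->ia_ifp != SC2IFP(sc) test that skips the carp interface itself. */
struct ifaddr_entry {
    const char *ifname;
    uint32_t    addr;      /* host byte order */
    uint32_t    mask;      /* host byte order */
    int         multicast; /* IFF_MULTICAST set on the interface? */
};

/* Dotted quad -> host-order uint32_t; 0 on a malformed string. */
static uint32_t ip4(const char *s)
{
    struct in_addr a;
    return inet_pton(AF_INET, s, &a) == 1 ? ntohl(a.s_addr) : 0;
}

/* Same rule as the carp_set_addr() loop: the first multicast-capable
 * interface whose subnet contains iaddr becomes the parent (sc_carpdev);
 * *own counts an exact match with an address the host already has.
 * NULL means no interface qualifies, i.e. the failure David describes. */
static const char *carp_pick_parent(const struct ifaddr_entry *tbl, size_t n,
                                    uint32_t iaddr, int *own)
{
    const char *ia_if = NULL;
    *own = 0;
    for (size_t i = 0; i < n; i++) {
        /* need a multicast-capable iface whose subnet contains iaddr */
        if (!tbl[i].multicast ||
            (iaddr & tbl[i].mask) != (tbl[i].addr & tbl[i].mask))
            continue;
        if (!ia_if) ia_if = tbl[i].ifname;
        if (iaddr == tbl[i].addr) (*own)++;
    }
    return ia_if;
}

/* Tom's proposed change (hypothetical): an explicit carpdev overrides the
 * matched interface; the subnet scan stays as the fallback and still
 * computes *own the same way. */
static const char *carp_pick_parent_carpdev(const char *carpdev,
    const struct ifaddr_entry *tbl, size_t n, uint32_t iaddr, int *own)
{
    const char *matched = carp_pick_parent(tbl, n, iaddr, own);
    return (carpdev && *carpdev) ? carpdev : matched;
}
```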