Date: Tue, 21 Feb 2012 12:51:34 +0100
From: Damien Fleuriot <ml@my.gd>
To: peter knezel <peter.knezel@gmail.com>
Cc: "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject: Re: From analysis of a simple ifstated.conf to more compex example
Message-ID: <4F438546.7080101@my.gd>
In-Reply-To: <CAAwfu_kxAyXdsoeZAh8MFdncgTULrgzxnL9qAz_8R=ERyg1t8A@mail.gmail.com>
References: <CAAwfu_n%2BVjgeihzWRa1F6v6PhCA943sFHR7eFxA1Ycc8NbjXpQ@mail.gmail.com> <4F314AFB.8080901@my.gd> <CAAwfu_kfj2mqT9qVSh2_9LpfcvOrxBJiwNRi_x79VcjGQLwGqw@mail.gmail.com> <4F3BEA73.9060005@my.gd> <CAAwfu_=5-t0=C2_2ZeK5cf3N-e5_%2BiZPGLPk9S-Tks78sKpVYA@mail.gmail.com> <4F3CC11D.1080105@my.gd> <CAAwfu_=OPqKpPxRvmf3gByq3Zqdm3DY52KvEA%2BNwOXQxJnkNGg@mail.gmail.com> <DAC13949-407E-400A-B5BD-489CE800A380@my.gd> <CAAwfu_npYupCO6KqHQ4RGGrDeCaR4A3B-zyeXdY=6_czGfj-gQ@mail.gmail.com> <4F4377C9.5090804@my.gd> <CAAwfu_kxAyXdsoeZAh8MFdncgTULrgzxnL9qAz_8R=ERyg1t8A@mail.gmail.com>
Yes, that would enormously simplify your ifstated setup.

I encourage you to try with a single interface and multiple IPs on it.

Be careful to use /32 netmasks for your aliased IPs, people have run into
trouble for using longer prefixes, like /24 for example.

Also be careful when adding/removing IPs to the carp interfaces.
If you don't have exactly the same IPs on both carp interfaces (server A
and server B), then the hosts will consider them to be different CARP
instances and they'll be MASTER on both firewalls.

You don't want this, obviously.


On 2/21/12 12:23 PM, peter knezel wrote:
> Thanks Damien for the example.
> In this case when I have only one carp interface, it is much easier to
> define the states in ifstated, isn't?
> It is either up or not and no other states are needed to check.
>
> Regards,
>
> Peter
>
> On 21/02/2012, Damien Fleuriot <ml@my.gd> wrote:
>> Yes, I do mean you can have several IPs on a single CARP interface, see
>> the example below:
>>
>> carp17: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
>>         inet 46.182.41.72 netmask 0xffffffff
>>         inet 46.182.41.76 netmask 0xffffffff
>>         inet 46.182.41.77 netmask 0xffffffff
>>         inet 46.182.41.78 netmask 0xffffffff
>>         inet 46.182.41.79 netmask 0xffffffff
>>         inet 46.182.41.80 netmask 0xffffffff
>>         inet 46.182.41.81 netmask 0xffffffff
>>         inet 46.182.41.82 netmask 0xffffffff
>>         inet 46.182.41.83 netmask 0xffffffff
>>         carp: MASTER vhid 117 advbase 1 advskew 100
>>
>>
>> See the rc.conf bit where I set the IPs:
>> # WAN CARP
>> ipv4_addrs_carp17="46.182.41.72/32 46.182.41.76/32 46.182.41.77/32
>> 46.182.41.78/32 46.182.41.79/32 46.182.41.80/32 46.182.41.81/32
>> 46.182.41.82/32 46.182.41.83/32"
>> ifconfig_carp17="vhid 117 pass [removed] advskew 100"
>>
>>
>> Regarding dedicating a given IP to a given service, you are supposed to
>> do that in the service's configuration, when telling it which IP address
>> to bind to.
>>
>> You can also use pf or ipfw to filter the services allowed on a given IP.
>>
>>
>> On 2/21/12 11:48 AM, peter knezel wrote:
>>> Do you mean that only carp0 is defined on both servers and it has
>>> three different IPs?
>>> How is it possible to define them so they are set for ftp, tftp and
>>> scp separately for the defined IPs?
>>>
>>> Kind regards,
>>>
>>> Peter
>>>
>>> On 21/02/2012, Damien Fleuriot <ml@my.gd> wrote:
>>>> To be honest, I'm not sure it's a good idea to use different
>>>> *interfaces*.
>>>>
>>>> Why don't you set multiple IPs on a single carp interface instead ?
>>>>
>>>> On 21 Feb 2012, at 08:29, peter knezel <peter.knezel@gmail.com> wrote:
>>>>
>>>>> Hello Damien,
>>>>>
>>>>> preemption is set on both systems, so when master server goes down or
>>>>> any CARP interface on master
>>>>> goes down, slave becomes master (but only on the CARP interface if
>>>>> only that went down).
>>>>>
>>>>> Can you have a look at my previous question??:
>>>>> if the different carp interfaces
>>>>> are used for different purpose (ftp, tftp, scp), is it a good idea to
>>>>> put down all of them, if they are able to serve their purpose?
>>>>>
>>>>>
>>>>> Thanks and kind regards,
>>>>>
>>>>> Peter
>>>>>
>>>>> On 16/02/2012, Damien Fleuriot <ml@my.gd> wrote:
>>>>>> Preemption is used to ensure that, if a CARP interface goes down on
>>>>>> host A, host B will then assume mastership for all interfaces.
>>>>>>
>>>>>> It prevents the nasty situation where you'd have, for example:
>>>>>>
>>>>>> Public IP: master on host A
>>>>>> Private IP: master on host B
>>>>>>
>>>>>> servers behind firewalls hosts A and B:
>>>>>> - traffic arrives on host A which creates a PF state
>>>>>> - servers reply via their default gateway, the CARP IP now master on
>>>>>>   host B
>>>>>>
>>>>>> Host B doesn't have a state for the traffic, drops it.
>>>>>>
>>>>>>
>>>>>> To enable preemption you need to run sysctl net.inet.carp.preempt=1 and
>>>>>> add the corresponding line to your sysctls file in etc.
>>>>>>
>>>>>>
>>>>>> On 2/15/12 7:04 PM, peter knezel wrote:
>>>>>>> Well,
>>>>>>>
>>>>>>> I am not fully familiar with CARP, but if the different carp
>>>>>>> interfaces are used for different purpose (ftp, tftp, scp), is it
>>>>>>> a good idea to put down all of them, if they are able to serve
>>>>>>> their purpose?
>>>>>>>
>>>>>>> BTW, what is CARP preemption and how is it possible to enable it?
>>>>>>>
>>>>>>> Kind regards,
>>>>>>>
>>>>>>> Peter
>>>>>>>
>>>>>>> On 15 February 2012 18:25, Damien Fleuriot <ml@my.gd> wrote:
>>>>>>>
>>>>>>>     Sorry about the late reply, didn't see yours.
>>>>>>>
>>>>>>>     What about enabling CARP preemption to ensure that when a carp
>>>>>>>     interface goes down, the whole set does ?
>>>>>>>
>>>>>>>
>>>>>>>     On 2/7/12 9:13 PM, peter knezel wrote:
>>>>>>>> Hello Damien,
>>>>>>>>
>>>>>>>> I did read your example but cannot get idea from it.
>>>>>>>> For three interfaces you have much more possibilities.
>>>>>>>>
>>>>>>>> Imagine you start the server from uuu state which is equal to
>>>>>>>> net = '( "ifconfig -a -u |grep carp0 > /dev/null" every 3 &&
>>>>>>>> "ifconfig -a -u |grep carp1 > /dev/null" every 3 &&
>>>>>>>> "ifconfig -a -u |grep carp2 > /dev/null" every 3)'
>>>>>>>>
>>>>>>>> Now you put down one carp interface - so system is in state :
>>>>>>>> *state one:*
>>>>>>>> (duu) || (udu) || (uud) <----which is same as !$net
>>>>>>>> run script1.sh
>>>>>>>> go to twoff
>>>>>>>>
>>>>>>>> now imagine, you put down any other carp interface:
>>>>>>>> *state twoff: *
>>>>>>>> (dud) || (ddu) || (udd)
>>>>>>>> run script2.sh
>>>>>>>> go to two
>>>>>>>>
>>>>>>>> *state two: *
>>>>>>>> put all interfaces up
>>>>>>>> run script3.sh
>>>>>>>> go to state one
>>>>>>>>
>>>>>>>> it means, this is one of the possibilities system can behave (this
>>>>>>>> situation does not describe all possible states - I have taken this
>>>>>>>> special example.)
>>>>>>>>
>>>>>>>> Now if you want to put up after putting down one carp interface, you
>>>>>>>> fail since it is in state twoff.
>>>>>>>> Only if you put down second carp interface it goes to state two and
>>>>>>>> if you put both up, it will go to state one.
>>>>>>>>
>>>>>>>> This is where my ifstated.conf fails to work.
>>>>>>>>
>>>>>>>> Kind regards,
>>>>>>>>
>>>>>>>> Peter Knezel
>>>>>>>>
>>>>>>>>
>>>>>>>> On 7 February 2012 17:02, Damien Fleuriot <ml@my.gd> wrote:
>>>>>>>>
>>>>>>>>     On 2/7/12 3:36 PM, peter knezel wrote:
>>>>>>>>> Hello all,
>>>>>>>>>
>>>>>>>>> I would like to ask somebody to explain me how the ifstated works
>>>>>>>>> according to the following configuration file.
>>>>>>>>> I have three virtual carp interfaces carp0,carp1 and carp2.
>>>>>>>>>
>>>>>>>>> I try to understand the following setting:
>>>>>>>>> The server is in state one (all carp interfaces are up) and if there
>>>>>>>>> is carp down of any:
>>>>>>>>> one (carp0 or carp1 or carp2),
>>>>>>>>> two ([carp0 and carp1] or [carp0 and carp2] or [carp1 and carp2]),
>>>>>>>>> three interfaces (carp 0 and carp1 and carp2), server
>>>>>>>>> runs the script testdown.sh and put the server into state two.
>>>>>>>>> If all carp interfaces are up, the server runs the testup.sh and set
>>>>>>>>> the state to one.
>>>>>>>>>
>>>>>>>>
>>>>>>>>     That is my understanding.
>>>>>>>>
>>>>>>>>
>>>>>>>>> Is it the way the system works?
>>>>>>>>> Or am I wrong?
>>>>>>>>>
>>>>>>>>> ===
>>>>>>>>> init-state one
>>>>>>>>>
>>>>>>>>> net = '( "ifconfig -a -u |grep carp0 > /dev/null" every 3 &&
>>>>>>>>> "ifconfig -a -u |grep carp1 > /dev/null" every 3 &&
>>>>>>>>> "ifconfig -a -u |grep carp2 > /dev/null" every 3)'
>>>>>>>>>
>>>>>>>>> state one {
>>>>>>>>>     if ( ! $net ) {
>>>>>>>>>         run "/usr/local/testdown.sh"
>>>>>>>>>         set-state two
>>>>>>>>>     }
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> state two {
>>>>>>>>>     if ( $net ) {
>>>>>>>>>         run "/usr/local/testup.sh"
>>>>>>>>>         set-state one
>>>>>>>>>     }
>>>>>>>>> }
>>>>>>>>> ===
>>>>>>>>>
>>>>>>>>> Is there any possibility to define and set ifstated.conf that
>>>>>>>>> reacts when:
>>>>>>>>>
>>>>>>>>> any one of the carp interfaces is down - followed by another any
>>>>>>>>> other carp interface down
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I tried to define states:
>>>>>>>>>
>>>>>>>>> duu ="!carp0.link.up && carp1.link.up && carp2.link.up"
>>>>>>>>> udu ="carp0.link.up && !carp1.link.up && carp2.link.up"
>>>>>>>>> uud ="carp0.link.up && carp1.link.up && !carp2.link.up"
>>>>>>>>> ddu ="!carp0.link.up && !carp1.link.up"
>>>>>>>>> dud ="!carp0.link.up && !carp2.link.up"
>>>>>>>>> udd ="!carp1.link.up && !carp2.link.up"
>>>>>>>>>
>>>>>>>>> and used them but somehow I cannot incorporate all state changes and
>>>>>>>>> include it in ifstated.conf.
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>     Works fine here, did you not have any luck with the file I
>>>>>>>>     posted earlier ?
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4F438546.7080101>
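
Added example, not part of the original message or of any poster's setup: a shell check for the two pitfalls named in the top reply, aliases that are not /32 and alias sets that differ between the two CARP peers. It works on saved `ifconfig carp17` output from each host; the file names and the 192.0.2.x addresses are constructed sample data.

```shell
#!/bin/sh
# Added example: verify that both CARP peers carry the same aliases on one
# carp interface and that every alias uses a /32 netmask.

# Addresses from the "inet" lines of saved ifconfig output, sorted for comm(1).
carp_addrs() {
    awk '$1 == "inet" { print $2 }' "$1" | LC_ALL=C sort -u
}

# Aliases whose netmask is not 0xffffffff (/32).
bad_masks() {
    awk '$1 == "inet" && $3 == "netmask" && $4 != "0xffffffff" { print $2 }' "$1"
}

# Addresses configured on only one peer; no output means the sets match.
addr_diff() {
    tmp_a=$(mktemp) && tmp_b=$(mktemp) || return 2
    carp_addrs "$1" > "$tmp_a"
    carp_addrs "$2" > "$tmp_b"
    LC_ALL=C comm -23 "$tmp_a" "$tmp_b" | sed 's/^/only on A: /'
    LC_ALL=C comm -13 "$tmp_a" "$tmp_b" | sed 's/^/only on B: /'
    rm -f "$tmp_a" "$tmp_b"
}

# Constructed sample data standing in for `ifconfig carp17` on each peer.
# Both show MASTER, the symptom described for mismatched alias sets.
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
cat > "$SAMPLES/hostA" <<'EOF'
carp17: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 192.0.2.72 netmask 0xffffffff
        inet 192.0.2.76 netmask 0xffffffff
        inet 192.0.2.77 netmask 0xffffffff
        carp: MASTER vhid 117 advbase 1 advskew 0
EOF
cat > "$SAMPLES/hostB" <<'EOF'
carp17: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 192.0.2.72 netmask 0xffffffff
        inet 192.0.2.76 netmask 0xffffffff
        inet 192.0.2.78 netmask 0xffffff00
        carp: MASTER vhid 117 advbase 1 advskew 100
EOF

echo "Address mismatches between peers:"
addr_diff "$SAMPLES/hostA" "$SAMPLES/hostB"
echo "Aliases on host B that are not /32:"
bad_masks "$SAMPLES/hostB"
```

On real hosts, replace the two sample files with the output of `ifconfig carp17` collected from each firewall before and after any alias change.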