Alexandre Biancalana wrote:
> On 7/20/07, David DeSimone <[EMAIL PROTECTED]> wrote:
>> That is OpenBSD's documentation you are referring to, but this is
>> FreeBSD we are talking about. The implementation is not the same.
>>
>> In order for CARP to be effective, it must send out hello packets on a
>> particular interface. Under OpenBSD, I believe there is a "carpdev"
>> option for ifconfig, which allows you to set the interface explicitly.
>> However, FreeBSD's implementation (at least in 6.x where I'm familiar
>> with it) is missing that option. Instead, the interface is chosen by
>> matching the IP address of the carp interface to the same subnet as the
>> physical interface.
>>
>> In a case where your ISP has only assigned a single IP address to you,
>> you cannot (legally) assign a pair of addresses to your firewalls and
>> then assign a third IP to CARP in order to have it bind correctly to
>> the external interface. Under OpenBSD, you could assign private RFC1918
>> addresses to the external interfaces, and use "carpdev" to assign a
>> virtual public IP, but it seems that is not possible with FreeBSD.
>>
>> If I am wrong, I hope that someone will correct my understanding.
>
> Exactly this! What I want to know is if there exists some alternative
> way to configure this....

Well, after reading [RELENG_6_2]sys/netinet/ip_carp.c (carp_set_addr) I
have found the code that is used to look up the interface; the key part
is this block:

    ia_if = NULL; own = 0;
    TAILQ_FOREACH(ia, &in_ifaddrhead, ia_link) {
        /* and, yeah, we need a multicast-capable iface too */
        if (ia->ia_ifp != SC2IFP(sc) &&
            (ia->ia_ifp->if_flags & IFF_MULTICAST) &&
            (iaddr & ia->ia_subnetmask) == ia->ia_subnet) {
            if (!ia_if)
                ia_if = ia;
            if (sin->sin_addr.s_addr ==
                ia->ia_addr.sin_addr.s_addr)
                own++;
        }
    }

This is the first stage of finding the carp_softc->sc_carpdev device.
It doesn't look like it would take too much to add a carpdev option to
ifconfig and fall back to the existing code if no carpdev is specified.
I may try and have a look at this over the weekend, it looks like an
interesting first challenge.
Tom
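
Added example (not part of the original message and not FreeBSD source): a simplified userland model in C of the subnet-matching lookup quoted above, run against constructed addresses to show why a public virtual IP finds no device when the external interface carries only an RFC1918 address. The names model_if, pick_carpdev, M_MULTICAST and IP4, and all interface names and addresses, are assumptions made for illustration; the kernel's test that skips the carp interface itself is omitted because the model list holds only physical interfaces.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Userland model only; hypothetical names, host-order IPv4 addresses. */
#define M_MULTICAST 0x1
#define IP4(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))
struct model_if { const char *name; uint32_t addr, mask; unsigned flags; };

/* Return the first multicast-capable interface whose subnet contains vip,
 * or NULL if none does. *own counts interfaces that already hold vip. */
const struct model_if *
pick_carpdev(const struct model_if *ifs, size_t n, uint32_t vip, int *own)
{
    const struct model_if *found = NULL;
    *own = 0;
    for (size_t i = 0; i < n; i++) {
        const struct model_if *p = &ifs[i];
        if ((p->flags & M_MULTICAST) &&
            (vip & p->mask) == (p->addr & p->mask)) {
            if (found == NULL)
                found = p;          /* first match wins, as in the quoted loop */
            if (p->addr == vip)
                (*own)++;
        }
    }
    return found;
}

/* Constructed sample data: external NIC with a private address ... */
static const struct model_if rfc1918_ext[] = {
    { "em0", IP4(192,168,100,2), IP4(255,255,255,0),   M_MULTICAST },
    { "em1", IP4(10,0,0,2),      IP4(255,255,255,0),   M_MULTICAST },
};
/* ... versus an external NIC with its own address in the VIP's subnet. */
static const struct model_if routed_ext[] = {
    { "em0", IP4(203,0,113,2),   IP4(255,255,255,248), M_MULTICAST },
    { "em1", IP4(10,0,0,2),      IP4(255,255,255,0),   M_MULTICAST },
};

int main(void)
{
    int own; uint32_t vip = IP4(203,0,113,1);   /* constructed virtual IP */
    const struct model_if *a = pick_carpdev(rfc1918_ext, 2, vip, &own);
    const struct model_if *b = pick_carpdev(routed_ext, 2, vip, &own);
    printf("RFC1918 external: %s\n", a ? a->name : "no device found");
    printf("routed external:  %s\n", b ? b->name : "no device found");
    return 0;
}
```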