Hi!
On 02/29/12 19:16, Marios Makassikis wrote:
> A last test prior to posting got me the following results:
> The pf.conf file contained this rule at the top:
> block quick log inet proto carp
> And CARP was effectively blocked. Changing the 'block' to 'pass' allowed
> the packets to flow, as expected. Changing it back again to block has no
> effect.

I must confess I didn't grasp everything about your setup, but this part
reminded me of the time I was perplexed about something similar. And my
line of thought was then like this:
1. test with block rule blocks carp packets
2. test with pass rule passes carp packets, states are created
3. new test with block rule seems to take no effect because packet
filter runs stateful and carp packets are passed thru based on states as
they should
I believe you can control this behaviour by how you load new rules, i.e. you
could flush states first. You could follow the states in effect with systat,
pftop, and of course with pfctl.
Imre
PS: Using carp, you must be attentive to which node actually emits carp
packets and which one is silent.
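
The reload sequence discussed in this message, as an added example that is not part of the original thread: it loads the ruleset, counts the CARP states that survived the reload, and flushes states only if some remain. The `/etc/pf.conf` default, the function names and the sample state lines are assumptions made for illustration; the sample lines are constructed.

```sh
#!/bin/sh
# Added example, not from the thread. Needs root on a host running pf.
# Assumption: the ruleset is /etc/pf.conf unless a path is given.

# Count CARP entries in `pfctl -s states` output read on stdin.
# Assumed line layout: "<if> <proto> <addr> <dir> <addr> <state>".
count_carp_states() {
    awk '$2 == "carp" { n++ } END { print n + 0 }'
}

# Constructed sample of state-table output, used only for a dry run.
sample_states() {
    cat <<'EOF'
all carp 224.0.0.18 <- 192.0.2.2       NO_TRAFFIC:SINGLE
all carp 192.0.2.1 -> 224.0.0.18       SINGLE:NO_TRAFFIC
all tcp 192.0.2.1:22 <- 198.51.100.7:50522       ESTABLISHED:ESTABLISHED
EOF
}

# Load the ruleset, then clear states that would let CARP bypass it.
reload_rules() {
    conf=${1:-/etc/pf.conf}
    pfctl -nf "$conf" || return 1   # syntax check only, nothing is loaded
    pfctl -f "$conf" || return 1    # new rules loaded, old states survive
    left=$(pfctl -s states | count_carp_states)
    echo "CARP states surviving the reload: $left"
    if [ "$left" -gt 0 ]; then
        # Flushing drops every state, so other established connections
        # lose their state as well.
        pfctl -F states
    fi
}

if [ "${1:-}" = "--apply" ]; then
    reload_rules "${2:-}"
else
    echo "dry run, CARP states in sample: $(sample_states | count_carp_states)"
fi
```

Run with `--apply` (optionally followed by a ruleset path) to act on the live firewall; without arguments it only parses the constructed sample.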