>>> Marco Pfatschbacher <m...@mailq.de> 27.07.2009 11:35 >>>
> Hmm,
> are you sure this is happening with OpenBSD?
> We solved that problem almost two years ago.
> Dunno if FreeBSD merged any of these changes...
>
> http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet/ip_carp.c?f=h#rev1.152

The patch from Matthew is working under FreeBSD, but after the installation of FreeBSD we found out that load balancing / carpnodes are not supported. So we cannot test the same scenario under FreeBSD. I've also tried to patch OpenBSD without luck.

I've attached a picture: http://www.abload.de/image.php?img=carpicpb.jpg

fw0-ext:
--------------
em0: WAN
em1: inet 10.25.0.3 255.255.255.0 NONE
carp0: inet 10.25.0.15 255.255.255.0 10.25.0.255 balancing ip carpnodes 1:100,2:0 pass password
       !/sbin/route add 172.25.0.0/20 10.25.0.105
em2: pfsync0

fw1-ext:
--------------
em0: WAN
em1: inet 10.25.0.4 255.255.255.0 NONE
carp0: inet 10.25.0.5 255.255.255.0 10.25.0.255 balancing ip carpnodes 1:0,2:100 pass password
       !/sbin/route add 172.25.0.0/20 10.25.0.105
em2: pfsync0

fw0-int:
--------------
em0: inet 10.25.0.103 255.255.255.0 NONE
em1: inet 172.25.0.3 255.255.240.0 NONE
em2: pfsync0
carp0: inet 10.25.0.105 255.255.255.0 10.25.0.255 balancing ip carpnodes 5:0,6:100 pass password
carp1: inet 172.25.0.5 255.255.240.0 172.25.15.255 balancing ip carpnodes 7:0,8:100 pass password

fw1-int:
--------------
em0: inet 10.25.0.104 255.255.255.0 NONE
em1: inet 172.25.0.4 255.255.240.0 NONE
em2: pfsync0
carp0: inet 10.25.0.105 255.255.255.0 10.25.0.255 balancing ip carpnodes 5:100,6:0 pass password
carp1: inet 172.25.0.5 255.255.240.0 172.25.15.255 balancing ip carpnodes 7:100,8:0 pass password

ping from DMZ to LAN: only requests (on the LAN side)
ping from LAN to DMZ: only replies (on the LAN side)
ping from the external firewalls to LAN: only from one firewall, not from both at the same time

If we set the route "route add 172.25.0.0/20 10.25.0.105" on em1 instead of carp0, the clients will be flooded. 1 ping = ~8000 ICMP requests.

So what is the problem here?
> On Mon, Jul 27, 2009 at 09:09:27AM +0200, Vadim Korschok wrote: > The mailing list script dropped the attachment from Matthew (esx-carp.diff): > > Index: ip_carp.c > =================================================================== > RCS file: /home/ncvs/src/sys/netinet/ip_carp.c,v > retrieving revision 1.52.2.3 > diff -u -r1.52.2.3 ip_carp.c > --- ip_carp.c 9 May 2009 00:35:38 -0000 1.52.2.3 > +++ ip_carp.c 26 Jul 2009 16:53:24 -0000 > @@ -143,6 +143,8 @@ > &carp_opts[CARPCTL_LOG], 0, "log bad carp packets"); > SYSCTL_INT(_net_inet_carp, CARPCTL_ARPBALANCE, arpbalance, CTLFLAG_RW, > &carp_opts[CARPCTL_ARPBALANCE], 0, "balance arp responses"); > +SYSCTL_INT(_net_inet_carp, CARPCTL_DROPECHOED, drop_echoed, CTLFLAG_RW, > + &carp_opts[CARPCTL_DROPECHOED], 0, "drop packets echoed to sender"); > SYSCTL_INT(_net_inet_carp, OID_AUTO, suppress_preempt, CTLFLAG_RD, > &carp_suppress_preempt, 0, "Preemption is suppressed"); > > @@ -552,6 +554,28 @@ > return; > } > > + /* > + * verify that the source address is not valid > + * for the interface it was received on. this > + * tends to happen with VMWare ESX vSwitches. > + */ > + if (carp_opts[CARPCTL_DROPECHOED]) { > + struct ifnet *ifp = m->m_pkthdr.rcvif; > + struct ifaddr *ifa; > + IF_ADDR_LOCK(ifp); > + TAILQ_FOREACH(ifa, &ifp->if_addrlist, ifa_list) { > + struct in_addr in4; > + in4 = ifatoia(ifa)->ia_addr.sin_addr; > + if (ifa->ifa_addr->sa_family == AF_INET && > + in4.s_addr == ip->ip_src.s_addr) { > + m_freem(m); > + IF_ADDR_UNLOCK(ifp); > + return; > + } > + } > + IF_ADDR_UNLOCK(ifp); > + } > + > /* verify that the IP TTL is 255. */ > if (ip->ip_ttl != CARP_DFLTTL) { > carpstats.carps_badttl++;
> @@ -644,6 +668,28 @@ > return (IPPROTO_DONE); > } > > + /* > + * verify that the source address is not valid > + * for the interface it was received on. this > + * tends to happen with VMWare ESX vSwitches. > + */ > + if (carp_opts[CARPCTL_DROPECHOED]) { > + struct ifnet *ifp = m->m_pkthdr.rcvif; > + struct ifaddr *ifa; > + IF_ADDR_LOCK(ifp); > + TAILQ_FOREACH(ifa, &ifp->if_addrlist, ifa_list) { > + struct in6_addr in6; > + in6 = ifatoia6(ifa)->ia_addr.sin6_addr; > + if (ifa->ifa_addr->sa_family == AF_INET6 && > + memcmp(&in6, &ip6->ip6_src, sizeof(in6)) == 0) { > + m_freem(m); > + IF_ADDR_UNLOCK(ifp); > + return (IPPROTO_DONE); > + } > + } > + IF_ADDR_UNLOCK(ifp); > + } > + > /* verify that the IP TTL is 255 */ > if (ip6->ip6_hlim != CARP_DFLTTL) { > carpstats.carps_badttl++; > Index: ip_carp.h > =================================================================== > RCS file: /home/ncvs/src/sys/netinet/ip_carp.h,v > retrieving revision 1.3 > diff -u -r1.3 ip_carp.h > --- ip_carp.h 1 Dec 2006 18:37:41 -0000 1.3 > +++ ip_carp.h 26 Jul 2009 16:53:24 -0000 > @@ -1,4 +1,4 @@ > -/* $FreeBSD: src/sys/netinet/ip_carp.h,v 1.3 2006/12/01 18:37:41 imp Exp $ > */ > +/* $FreeBSD: src/sys/netinet/ip_carp.h,v 1.3.8.1 2009/04/15 03:14:26 kensmith > Exp $ */ > /* $OpenBSD: ip_carp.h,v 1.8 2004/07/29 22:12:15 mcbride Exp $ */ > > /* > @@ -140,7 +140,8 @@ > #define CARPCTL_LOG 3 /* log bad packets */ > #define CARPCTL_STATS 4 /* statistics (read-only) */ > #define CARPCTL_ARPBALANCE 5 /* balance arp responses */ > -#define CARPCTL_MAXID 6 > +#define CARPCTL_DROPECHOED 6 /* drop packets echoed to the > sender */ > +#define CARPCTL_MAXID 7 > > #define CARPCTL_NAMES { \ > { 0, 0 }, \
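Review bot: the new net.inet.carp.drop_echoed knob in the ip_carp.c hunk @@ -143,6 +143,8 @@ comes without documentation; carp(4) lists the other sysctls in this block (log, arpbalance, suppress_preempt) and should get a paragraph for this one, saying that it is a carp_opts[] entry indexed by CARPCTL_DROPECHOED, that nothing in the posted hunks sets a non-zero default for that slot so the check is off until an administrator enables it, and what "echoed to sender" means in practice (an advertisement the switch reflects back to the host that sent it, as the comment in the later hunk says happens on VMware ESX vSwitches). The description string itself could say "drop carp packets echoed back to the sender" so that sysctl -d output is self-explanatory.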
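Review bot: in the IPv4 hunk @@ -552,6 +554,28 @@ of ip_carp.c the cast happens before the family check. "in4 = ifatoia(ifa)->ia_addr.sin_addr;" is executed for every entry on the interface's address list, including the AF_LINK entry every interface carries, and only afterwards is "ifa->ifa_addr->sa_family == AF_INET" tested; ifatoia() treats the ifaddr as a struct in_ifaddr, so ia_addr is read past the end of a non-INET ifaddr. Test the family first and only then dereference, e.g. "if (ifa->ifa_addr->sa_family != AF_INET) continue;" followed by "if (ifatoia(ifa)->ia_addr.sin_addr.s_addr == ip->ip_src.s_addr)". Two smaller points: the drop is silent, whereas the TTL check right below it bumps carpstats.carps_badttl, so an operator cannot distinguish echoes being discarded from advertisements not arriving at all; a counter or a CARP_LOG line on the drop path would fix that. And the loop only walks the addresses of m->m_pkthdr.rcvif, so an echoed advertisement is recognised only when its source is one of that receiving interface's own addresses; the comment should state that assumption so that anyone whose advertisements are sourced from a different address knows why the knob has no effect for them.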
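Review bot: the IPv6 hunk @@ -644,6 +668,28 @@ has the same ordering problem as the IPv4 one: "in6 = ifatoia6(ifa)->ia_addr.sin6_addr;" copies 16 bytes through the in6_ifaddr cast before "ifa->ifa_addr->sa_family == AF_INET6" is checked, so the copy is done from non-INET6 entries too. Check the family first, and then the temporary copy and memcmp can go away in favour of the netinet6 idiom "IN6_ARE_ADDR_EQUAL(&ifatoia6(ifa)->ia_addr.sin6_addr, &ip6->ip6_src)". As in the IPv4 path, the drop should be counted or logged rather than silently freeing the mbuf next to a TTL check that increments carpstats.carps_badttl.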
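Review bot: the ip_carp.h hunk @@ -1,4 +1,4 @@ is not part of the change and should be dropped. It only rewrites the $FreeBSD$ keyword line from 1.3 to 1.3.8.1, which shows the diff was generated against a tree whose header is at a branch revision while the hunk header says "retrieving revision 1.3"; expanded keyword lines are not something a patch should carry, and this one also will not apply as quoted, because the mailer wrapped the long line so that the closing "*/" sits on its own quoted line. Since the attachment was already lost once by the list software, resending the diff as a plain-text attachment, or from a tree matching the branch the patch targets (ip_carp.c is diffed against 1.52.2.3), would avoid both problems.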
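Review bot: the ip_carp.h hunk @@ -140,7 +140,8 @@ bumps CARPCTL_MAXID from 6 to 7 and adds CARPCTL_DROPECHOED 6, but the hunk ends at the first "{ 0, 0 }, \" entry of CARPCTL_NAMES without adding a name for the new id; if that table is used for name lookup by id, it needs a "{ "drop_echoed", CTLTYPE_INT }, \" entry in the position that corresponds to id 6, after the arpbalance entry, so that the table and CARPCTL_MAXID stay in step. The comment on the new define also wrapped in transit ("/* drop packets echoed to the" and "sender */" are on separate quoted lines), which is another reason to resend the diff as an attachment.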