packet loss with carp on 6.2

Klavs Klavsen kl at vsen.dk
Thu Oct 18 05:11:47 PDT 2007


On Thu, October 18, 2007 12:50, Max Laier said:
> On Thursday 18 October 2007, Klavs Klavsen wrote:
>> I tried to just disable carp on the new machine (simply comment out
>> carp config from /etc/rc.conf.local) and now the packet loss is gone -
>> and hasn't been there for half an hour, so far.
>
> I supposed you also had to change your firewall rules?  Otherwise your
> ruleset might not be ready to deal with carp and that could be the reason
> why you get the bad results?

I added these rules:
# Allow pfsync Updates In/Out
pass quick on $if_mgmt proto pfsync keep state

# Allow CARP Advertisements In/Out
pass quick on {$if_mgmt, $if_fwnet, $if_inet} proto carp keep state

I wasn't running any performance tests or anything - just normal traffic.

Also - I had a "pass log on $if_XX all" enabled - which matches all the
traffic that wasn't specifically matched (i.e. expected) traffic.

And no backup CARP host running - but I don't see why NOT having the
spare CARP host up should cause a packet loss.

> Start debugging by looking at "netstat -ssp
> carp" on either machine and take a careful look at your pf.conf.  I also
> suggest that you add "log" to all your block rules and watch tcpdump on
> pflog0 while pinging.
>
I just looked through the pflog file (26MB for 55 minutes) - primarily
passes - only 14k blocks. The blocks were broadcasts and Cisco HSRP
stuff (and pfsync, until I just "allowed it for all - as above" - but
since the secondary host wasn't up, pfsync wouldn't work anyway).

>> Seems the carp network interfaces have bugs.
>
> That's a pretty bold assertion given the limited debugging you have
> done ;)
>
Fair enough - I said "it seems" :)

I see no obvious explanation though, why using a carp interface, vs. a
normal interface, would somehow give me a packet loss. If a block/pass
rule somehow did not match the packets through the new interfaces, I'd
expect to get a 100% packet loss :)

-- 
Regards,
Klavs Klavsen, GSEC - kl at vsen.dk - http://www.vsen.dk
PGP: 7E063C62/2873 188C 968E 600D D8F8  B8DA 3D3A 0B79 7E06 3C62

"Those who do not understand Unix are condemned to reinvent it, poorly."
  --Henry Spencer


