Single IP failover without carpdev

Tom Judge tom at tomjudge.com
Fri Jul 20 21:36:33 UTC 2007


Alexandre Biancalana wrote:
> On 7/20/07, David DeSimone <fox at verio.net> wrote:
>>
>> That is OpenBSD's documentation you are referring to, but this is
>> FreeBSD we are talking about.  The implementation is not the same.
>>
>> In order for CARP to be effective, it must send out hello packets on a
>> particular interface.  Under OpenBSD, I believe there is a "carpdev"
>> option for ifconfig, which allows you to set the interface explicitly.
>> However, FreeBSD's implementation (at least in 6.x where I'm familiar
>> with it) is missing that option.  Instead, the interface is chosen by
>> matching the IP address of the carp interface to the same subnet as the
>> physical interface.
>>
>> In a case where your ISP has only assigned a single IP address to you,
>> you cannot (legally) assign a pair of addresses to your firewalls and
>> then assign a third IP to CARP in order to have it bind correctly to
>> the external interface.  Under OpenBSD, you could assign private RFC1918
>> addresses to the external interfaces, and use "carpdev" to assign a
>> virtual public IP, but it seems that is not possible with FreeBSD.
>>
>> If I am wrong, I hope that someone will correct my understanding.
> 
> 
> Exactly this! What I want to know is if there exists some alternative way to
> configure this....


Well, after reading [RELENG_6_2]sys/netinet/ip_carp.c (carp_set_addr), I
have found the code that is used to look up the interface; the key part
is this block:

     ia_if = NULL; own = 0;
     TAILQ_FOREACH(ia, &in_ifaddrhead, ia_link) {
         /* and, yeah, we need a multicast-capable iface too */
         if (ia->ia_ifp != SC2IFP(sc) &&
             (ia->ia_ifp->if_flags & IFF_MULTICAST) &&
             (iaddr & ia->ia_subnetmask) == ia->ia_subnet) {
             if (!ia_if)
                 ia_if = ia;
             if (sin->sin_addr.s_addr ==
                 ia->ia_addr.sin_addr.s_addr)
                 own++;
         }
     }

This is the first stage of finding the carp_softc->sc_carpdev device. 
It doesn't look like it would take too much to add a carpdev option to 
ifconfig and fall back to the existing code if no carpdev is specified.

I may try and have a look at this over the weekend; it looks like an
interesting first challenge.

Tom
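
Added example, not part of the original post and not FreeBSD code: a user-space C model of the subnet match in the quoted loop, next to a hypothetical carpdev override that falls back to it. The struct, function names, interface names and addresses are constructed for illustration; the model lists only physical interfaces, so the kernel's check that skips the carp interface itself is not needed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-space model of an interface address; not the kernel's struct in_ifaddr. */
struct model_if {
    const char *name;
    uint32_t addr, mask;   /* host byte order */
    int multicast;         /* stands in for IFF_MULTICAST */
};

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))

/* Constructed sample: two physical interfaces carrying RFC 1918 addresses. */
static const struct model_if ifs[] = {
    { "em0", IP4(192, 168, 0, 2), IP4(255, 255, 255, 0), 1 },
    { "em1", IP4(10, 0, 0, 2),    IP4(255, 255, 255, 0), 1 },
};
#define NIFS (sizeof(ifs) / sizeof(ifs[0]))

/* Same test as the quoted loop: first multicast-capable interface whose
 * subnet contains the virtual IP. Returns its index, or -1 if none. */
static int match_by_subnet(uint32_t vip)
{
    for (size_t i = 0; i < NIFS; i++)
        if (ifs[i].multicast && (vip & ifs[i].mask) == (ifs[i].addr & ifs[i].mask))
            return (int)i;
    return -1;
}

/* Hypothetical carpdev handling: an explicit name wins; NULL falls back
 * to the subnet match. An unknown name is an error, not a silent fallback. */
static int pick_carpdev(uint32_t vip, const char *carpdev)
{
    if (carpdev == NULL)
        return match_by_subnet(vip);
    for (size_t i = 0; i < NIFS; i++)
        if (ifs[i].multicast && strcmp(ifs[i].name, carpdev) == 0)
            return (int)i;
    return -1;
}

int main(void)
{
    uint32_t pub = IP4(203, 0, 113, 10);   /* constructed public VIP (TEST-NET-3) */
    printf("subnet match: %d, carpdev em0: %d\n",
           match_by_subnet(pub), pick_carpdev(pub, "em0"));
    return 0;
}
```

With a public virtual IP and only private addresses on the physical interfaces, the subnet match finds nothing, which is the single-IP case described in the quoted message.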

