Carp Suppression

Josh Kayse josh.kayse at gmail.com
Mon Jun 13 17:35:14 GMT 2005


On 6/13/05, Greg Hennessy <Greg.Hennessy at nviz.net> wrote:
> 
> > The reason we are using CARP on a PLIP interface is to allow
> > us to have redundant connections between 2 transparent
> > bridging firewalls.
> 
> CARP is not going to work with a layer 2 firewall.

It's running over the PLIP interface and the crossover cable.
ifstated will change the advskew of the carp interfaces if one of the
bridging interfaces goes down.

> 
> > Instead of sending packets over our network, we isolate them
> > onto a PLIP interface and crossover interface.
> 
> That's not going to work on a point to point connection, the other party
> cannot see the carp traffic.
> Never mind the overhead that running plip puts on a system, a length of
> baling twine would make for a better physical transport.

Both firewalls can see the carp information over the PLIP connection,
so I assume it works.
And it wasn't my choice to use the plip interface.

> 
> > We then use
> > ifstated to monitor the carp interfaces and shut down
> > bridging on one of the machines.
> 
> Spanning tree is a no brainer for such a setup, pfsync takes care of the
> rest.
> 
We did not want to go with STP because it would not be a
self-contained solution.  Now we can use these firewalls anywhere without
having to modify any routers, just plug them in inline and it is set.
We also wanted to stick with FreeBSD because we have a knowledgebase
already set up for it and we know how to use it.  Unfortunately, there
is no support for STP in FreeBSD bridging.  Yes, I had already looked
into using pfsync and STP, we also considered just using scripts.

Anyway, I don't want to try and defend myself on our setup.  We have
everything working now and I just wanted to let others know how they
could use carp over PLIP if they so needed to.
> http://www.seattlecentral.edu/~dmartin/docs/bridge.html
> 
> 
> 
> Greg
> 
> 
> >
> > I will refrain from submitting any code to the community in
> > the future.
> >
> > On 6/13/05, Yar Tikhiy <yar at comp.chem.msu.su> wrote:
> > > On Mon, Jun 13, 2005 at 10:10:54AM -0400, Josh Kayse wrote:
> > > > One last comment,
> > > >
> > > > I managed to fix it so that carp runs on the plip interface by adding:
> > > > ifp->if_flags = LINK_STATE_UP;
> > > >
> > > > Here is the diff:
> > > >
> > > > diff -Nur /usr.orig/src/sys/dev/ppbus/if_plip.c
> > /usr/src/sys/dev/ppbus/if_plip.c
> > > > --- /usr.orig/src/sys/dev/ppbus/if_plip.c       Wed Sep
> > 15 11:14:18 2004
> > > > +++ /usr/src/sys/dev/ppbus/if_plip.c    Mon Jun 13 10:05:56 2005
> > > > @@ -359,6 +359,7 @@
> > > >
> > > >             ppb_wctr(ppbus, IRQENABLE);
> > > >             ifp->if_flags |= IFF_RUNNING;
> > > > +           ifp->if_flags = LINK_STATE_UP;
> > > >         }
> > > >         break;
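
Review bot: the added line "ifp->if_flags = LINK_STATE_UP;" uses plain assignment where the line above it uses "|=", so it replaces the whole flags word and discards IFF_RUNNING, which was set one line earlier, together with every other flag already held in if_flags. LINK_STATE_UP is also named as a link-state value rather than an IFF_ flag bit, so switching to "|=" would still put an unrelated value into the flag bits. Suggest dropping this line from the hunk and recording the link-up condition in the interface's link-state field rather than in if_flags, with a comment saying why a point-to-point PLIP link is being reported as up.
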
> > >
> > > I'm afraid you're totally wrong here.
> > >
> > > First, I can't see how CARP is supposed to work on a PLIP interface or
> > > any point-to-point interface at all.  CARP is for broadcast
> > > interfaces, such as Ethernet or FDDI, which do ARP.  You seem to miss
> > > the point.
> > >
> > > Second, you can't store an arbitrary value into a variable or field
> > > and expect the things to work right.  LINK_STATE_UP simply is not for
> > > ifp->if_flags.  Please make yourself familiar with the basics of
> > > computer programming before offering your patches to the community.
> > >
> > > --
> > > Yar
> > >
> >
> >
> > --
> > Joshua Kayse
> > Computer Engineering
> > _______________________________________________
> > freebsd-pf at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> > To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
> >
> >
> 
> _______________________________________________
> freebsd-net at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
> 


-- 
Joshua Kayse
Computer Engineering

