carpdev : bad value?

Xin LI delphij at gmail.com
Wed Dec 30 07:48:37 UTC 2009


On Tue, Dec 29, 2009 at 11:19 PM, kevin <k at kevinkevin.com> wrote:
>> There is a LOR between CARP and if_bridge, I have a very brute force
>> workaround which is not suitable to commit against -HEAD :(
>
>
> I have experienced a kernel panic when playing around with transparent bridging + pf + carp. Not having carpdev is unfortunate -- it limits my options with my current network environment :/

Shouldn't be a panic but a very hard hang (except if you use
CURRENT or have WITNESS turned on).  This can be worked around by
disallowing sending ARP broadcast on the bridge device (before sending
ARP, test if the ifp is pointing to a bridge device) but that's not
ideal.  I use a patched version in production (bridging is used to
bridge OpenVPN clients to the network, CARP for failover, pf for load
balance and pf-sync for failover, it's an active-active DSR setup).  I
committed a patch that makes the pf w/DSR setup work a week ago but
have not yet MFC'ed it; the patch can be directly applied against
8-STABLE, though.

> I suppose I could migrate to OpenBSD, but I was trying to avoid that.

We'd love to solve this soon but I suggest you evaluate whether you
want OpenBSD, and check if someone else is actively working on porting
new features/fixes.  At this moment, OpenBSD has a more advanced pf,
which could be useful for some setups.

I would be happy to share my patches/experience with everyone who
needs them, but I need to focus on some other work so I may not be able
to solve some "new" problems at this time, sorry.

Cheers,
-- 
Xin LI <delphij at delphij.net> http://www.delphij.net

