NetBSD-Bugs archive
Re: kern/48945: CARP preempt is not working
On Wed, Jun 25, 2014 at 03:25:01AM +0000, HEO SeonMeyong wrote:
> [...]
> bouyer> (that would be dangerous, you could end up with all interfaces in backup state
> bouyer> on both routers).
>
> The following may be off topic, sorry.
>
> I want this to work. I wrote that rt-A/rt-B are routers, but in my real
> environment, rt-A and rt-B are routers with a firewall (pf) and
> IDS (snort).
> So if rt-A and rt-B are asymmetric, pf and snort work only in a limited way
> because (for example) incoming traffic passes through rt-A and outgoing
> traffic passes through rt-B.
This is what I don't get; why would traffic go to rt-B if rt-A is up?
And if rt-A is down, traffic won't go to it (there may be some time before
the traffic switches from A to B while the switch's commutation table is
updated).
I have a setup similar to yours, and AFAIK if an interface on rt-A goes
down, all traffic is redirected to rt-B.
> I think (or hope) pfsync is a way to avoid this limitation, but snort
> has no avoidance method.
In my setup both routers are stateless: ipf rules are stateless
(well, almost, there's some state for some UDP traffic but it's not a
big deal to lose a few packets here) and they don't do anything else.
--
Manuel Bouyer <bouyer%antioche.eu.org@localhost>
NetBSD: 26 years of experience will always make the difference