NetBSD-Bugs archive


Re: kern/48945: CARP preempt is not working



On Wed, Jun 25, 2014 at 03:25:01AM +0000, HEO SeonMeyong wrote:
>  [...]
>  bouyer>  (that would be dangerous, you could end up with all interfaces in 
> backup state
>  bouyer>  on both routers).
>  
>       The following is maybe off topic, sorry.
>  
>       I want this to work. I wrote that rt-A/rt-B is a router, but in my real
>       environment, rt-A and rt-B are routers with a firewall (pf) and
>       IDS (snort).
>       So if rt-A and rt-B are asymmetric, pf and snort work in a limited way,
>       because (for example) incoming traffic passes through rt-A and outgoing
>       traffic passes through rt-B.

This is what I don't get: why would traffic go to rt-B if rt-A is up?
And if rt-A is down, traffic won't go to it (there may be some time before
the traffic switches from A to B while the switch's forwarding table is
updated).
I have a setup similar to yours, and AFAIK if an interface on rt-A goes
down, all traffic is redirected to rt-B.

>       I think(or hope) pfsync is avoidance of this limitation, but snort
>       has no avoidance method.

In my setup both routers are stateless: ipf rules are stateless
(well, almost, there's some state for some UDP traffic but it's not a
big deal to lose a few packets here) and they don't do anything else.

-- 
Manuel Bouyer <bouyer%antioche.eu.org@localhost>
     NetBSD: 26 years of experience will always make the difference
--
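The asymmetric-path problem raised in the quoted message (connections opened through rt-A whose replies come back through rt-B) comes down to where the firewall's state table lives. The following is an added toy model, not pf, pfsync or any code from the thread: two stateful firewalls share a policy ("inside hosts may open connections outward, nothing unsolicited inbound"), and an optional pfsync-like peer list copies new states between them. The addresses, ports and class names are constructed for the example.

```python
"""Toy model of two stateful firewalls in front of the same inside network.

Constructed example: this is not pf/pfsync code, only the state-table logic
that decides whether a packet on the return path is recognised.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    """One direction of a connection (5-tuple)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def reverse(self) -> "Flow":
        # The reply direction of the same connection.
        return Flow(self.dst, self.dport, self.src, self.sport, self.proto)


@dataclass
class StatefulFirewall:
    name: str
    inside: set                      # addresses considered "inside"
    states: set = field(default_factory=set)
    peers: list = field(default_factory=list)   # pfsync-like state peers (hypothetical)

    def allow_new(self, flow: Flow) -> bool:
        # Policy: only inside hosts may create new state, i.e. open outward.
        return flow.src in self.inside

    def forward(self, flow: Flow) -> bool:
        """Return True if the packet is passed, False if dropped."""
        # Packets matching an existing state in either direction pass.
        if flow in self.states or flow.reverse() in self.states:
            return True
        if self.allow_new(flow):
            self.states.add(flow)
            # With state sync, the new entry is pushed to the peer(s).
            for peer in self.peers:
                peer.states.add(flow)
            return True
        return False


def simulate(sync: bool, asymmetric: bool = True) -> tuple:
    """Open a connection via rt-A and route the reply via rt-B (asymmetric)
    or via rt-A again (symmetric). Returns (outbound_passed, reply_passed)."""
    inside = {"10.0.0.5"}                       # constructed inside host
    rt_a = StatefulFirewall("rt-A", inside)
    rt_b = StatefulFirewall("rt-B", inside)
    if sync:
        rt_a.peers.append(rt_b)
        rt_b.peers.append(rt_a)

    outbound = Flow("10.0.0.5", 40000, "198.51.100.7", 80)   # constructed flow
    outbound_ok = rt_a.forward(outbound)
    reply_path = rt_b if asymmetric else rt_a
    reply_ok = reply_path.forward(outbound.reverse())
    return outbound_ok, reply_ok


if __name__ == "__main__":
    print("symmetric, no sync :", simulate(sync=False, asymmetric=False))
    print("asymmetric, no sync:", simulate(sync=False))
    print("asymmetric, sync   :", simulate(sync=True))
```

Without state synchronisation the reply arriving at rt-B matches no state there and is dropped, which is the limited behaviour the message describes; syncing the state table fixes that for the packet filter. An IDS such as snort keeps per-flow reassembly buffers rather than a simple state table, so the model has no equivalent to copy between routers, which matches the remark that snort has no avoidance method.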

