Enabling carp in pf.boot.conf?
Hauke Fath
2017-05-26 11:28:45 UTC
All,

when my pf & carp routers reboot, I see gratuitous failovers and/or
non-failovers, since pf is started after configuring the network interfaces:

[...]
Waiting for DAD to complete for statically configured addresses...
carp0: state transition from: INIT -> to: BACKUP
carp2: INIT -> MASTER (preempting)
carp2: state transition from: BACKUP -> to: MASTER
carp2: ip_output failed: 65
carp3: INIT -> MASTER (preempting)
carp3: state transition from: BACKUP -> to: MASTER
carp3: ip_output failed: 65
carp7: INIT -> MASTER (preempting)
carp7: state transition from: BACKUP -> to: MASTER
carp7: ip_output failed: 65
carp8: INIT -> MASTER (preempting)
carp8: state transition from: BACKUP -> to: MASTER
carp8: ip_output failed: 65
carp9: INIT -> MASTER (preempting)
carp9: state transition from: BACKUP -> to: MASTER
carp9: ip_output failed: 65
carp10: INIT -> MASTER (preempting)
carp10: state transition from: BACKUP -> to: MASTER
carp10: ip_output failed: 65
carp11: INIT -> MASTER (preempting)
carp11: state transition from: BACKUP -> to: MASTER
carp11: ip_output failed: 65
carp12: INIT -> MASTER (preempting)
carp12: state transition from: BACKUP -> to: MASTER
carp12: ip_output failed: 65
carp0: INIT -> MASTER (preempting)
carp0: state transition from: BACKUP -> to: MASTER
carp0: ip_output failed: 65
carp2: ip_output failed: 65
carp3: ip_output failed: 65
carp7: ip_output failed: 65
carp8: ip_output failed: 65
carp9: ip_output failed: 65
carp10: ip_output failed: 65
carp11: ip_output failed: 65
carp12: ip_output failed: 65
carp0: ip_output failed: 65
Enabling pf firewall.
carp2: ip_output failed: 65
[...]

Enabling carp packets in pf.boot.conf fixes the problem:

Index: pf.boot.conf
===================================================================
RCS file: /cvsroot/src/usr.sbin/pf/etc/defaults/pf.boot.conf,v
retrieving revision 1.3
diff -u -u -r1.3 pf.boot.conf
--- pf.boot.conf 2 Sep 2007 15:28:43 -0000 1.3
+++ pf.boot.conf 26 May 2017 11:26:55 -0000
@@ -28,3 +28,6 @@
pass in inet6 proto ipv6-icmp all icmp6-type neighbradv
pass out inet6 proto ipv6-icmp all icmp6-type routersol
pass in inet6 proto ipv6-icmp all icmp6-type routeradv
+
+# Enable carp, to avoid gratuitous failovers.
+pass proto carp
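
Review bot: the added `pass proto carp` at the end of the hunk has no direction, address family or interface, so unlike the three icmp6 rules above it, it matches carp in both directions, for inet and inet6, on every interface. If that breadth is intended for the boot ruleset, the comment should say so; otherwise consider limiting the rule to the interfaces that carry carp advertisements. The comment would also be more useful if it named the cause (carp packets are dropped between interface configuration and the "Enabling pf firewall" step, as the `ip_output failed: 65` lines in the boot log show) rather than only the symptom.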

-- okay to commit?

Cheerio,
hauke
--
The ASCII Ribbon Campaign Hauke Fath
() No HTML/RTF in email Institut für Nachrichtentechnik
/\ No Word docs in email TU Darmstadt
Respect for open standards Ruf +49-6151-16-21344

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Christos Zoulas
2017-05-26 14:37:50 UTC
In article <c0b50327-9996-a025-4df1-***@spg.tu-darmstadt.de>,
Hauke Fath <***@spg.tu-darmstadt.de> wrote:

[stuff deleted]
Post by Hauke Fath
Index: pf.boot.conf
===================================================================
RCS file: /cvsroot/src/usr.sbin/pf/etc/defaults/pf.boot.conf,v
retrieving revision 1.3
diff -u -u -r1.3 pf.boot.conf
--- pf.boot.conf 2 Sep 2007 15:28:43 -0000 1.3
+++ pf.boot.conf 26 May 2017 11:26:55 -0000
@@ -28,3 +28,6 @@
pass in inet6 proto ipv6-icmp all icmp6-type neighbradv
pass out inet6 proto ipv6-icmp all icmp6-type routersol
pass in inet6 proto ipv6-icmp all icmp6-type routeradv
+
+# Enable carp, to avoid gratuitous failovers.
+pass proto carp
-- okay to commit?
Go for it.

christos

