On Wed, May 02, 2007 at 12:05:07AM +0200, Falk Brockerhoff wrote:
> Claudio Jeker wrote:
> > Currently the routing table prefers any present route even if the
> > corresponding interface is not up. carp(4) does dirty tricks but the
> > network route is not touched and so all traffic hitting that backup box is
> > effectively blackholed.
> Yes, that's exactly what I see here on my two boxes. I can't believe
> that I'm one of a few people who are using carp for redundancy
> routing/firewalling scenario, so I'm wondering not reading much about
> this on the list. Is there any workaround, maybe to force a rib-update
> from ospfd or something like that?
Most people use carp on both sides of the firewall and then preemption
will take care of making the backup system invisible to the network. If
you are using carp with ospfd you need at the moment dedicated carp boxes
that connect to your ospf cloud. The carp backup router will not announce
the network and so no traffic will flow in his direction.
This is not optimal, I know.
> > There is no simple way to solve this problem without going deep into
> > kernel hacking. Either fix the routing table or fix carp(4) to add and
> > remove the IP and networks correctly. I think the latter is easier :)
> I'm only coding with perl and php and so on, so I can't provide
> practical work on this bug. As you write I think it isn't quite easy to
> fix, so it will take a little time to solve this bug. Can you tell me
> something about the priority and a guessed time-period?
I hope we can finally fix this at the upcoming c2k7