On Mon 21 Jun 2004, Jeff Wilson wrote:
> On Mon, 21 Jun 2004, Lars Hansson wrote:
>
> Also, where can I lurk to find out more about ifstated? I
> understand it's brand-spanking-new, so asking for more man
> pages right this minute is like asking for that slap upside
> the head -- but is there an active mailing list where
> ifstated issues are currently under discussion?
>

(This post is somewhat answering this question, but might be out of
this list's domain, sorry)

<CARP out-of-sync> problem

Try:
http://www.benzedrine.cx/pf/msg04613.html (1)
http://archives.neohapsis.com/archives/openbsd/2004-03/1946.html (2)
http://monkey.org/openbsd/archive/misc/0405/msg01789.html (3)
or:
google: pfstated.conf
or check /src/etc/ifstated.conf for sample config file.

Only problem is, it does not work as intended. Not for me anyways.
(ifstated still in ports).

I have tried to get ifstated working to solve the <out-of-sync> state
that carp interfaces sometimes end up with if one of the physical
interfaces goes down. The <out-of-sync> state leaves the master
firewall master on the working interface, while the backup firewall is
master on the other. IOW: deadlock.

The ifstated is supposed to solve this, but I have tried the
ifstated.conf example file, without any luck. Seems to be a problem
with running console commands in Macros.

E.g.

'( "ping -q -c 1 -w 1 192.168.0.1 > /dev/null" every 10 and \
   "ping -q -c 1 -w 1 192.168.1.1 > /dev/null" every 10 )'

Should return 0 if both pings were successful. Actually I would 'or'
this rather than 'and'-ing it, since ping returns 0 on success. Thereby
the variable would contain 1 if either of the IP addresses were
unavailable. YMMV.

But this macro won't work. Why, I don't know. It seems not to run at
all. Using 'run "cmd"' works fine though.

So, you will have to stick with the "(if0 link up)" stuff. This macro
senses the status of the interface, e.g. active, no carrier. Actually,
it is the only thing I have working at the moment, at least until any
useful man pages for the conf file show up.

Here is my ifstated.conf:

----------------------------------------------------
init-state master

## is 1 if both interfaces are up
if_up = "((if0 link up) and (if1 link up))"
## is 1 if one or both interfaces are down
if_down = "((! if0 link up) or (! if1 link up))"
## is 1 if both carp interfaces are up
carp_master = "((carp0 link up) and (carp1 link up))"
## is 1 if one or both carp interfaces are down
carp_backup = "((! carp0 link up) or (! carp1 link up))"

## this won't work, not using :(
## should be 1 if one or both ip-addresses are unreachable
#ping_failed = '( "ping -q -c 1 -w 1 192.168.0.1 > /dev/null" every 5 or \
#                 "ping -q -c 1 -w 1 192.168.1.1 > /dev/null" every 5 )'

state master {
        init {
                run "ifconfig carp0 advskew 10"
                run "ifconfig carp1 advskew 10"
        }
        if ($if_down or $carp_backup) {
                set-state demoted
        }
}

state demoted {
        init {
                run "ifconfig carp0 advskew 254"
                run "ifconfig carp1 advskew 254"
        }
        if ($if_up and $carp_master) {
                set-state master
        }
        if ($if_down or $carp_backup) {
                set-state backup
        }
}

state promoted {
        init {
                run "ifconfig carp0 advskew 0"
                run "ifconfig carp1 advskew 0"
        }
        if ($if_up and $carp_master) {
                set-state master
        }
        if ($if_down or $carp_backup) {
                set-state backup
        }
}

state backup {
        init {
                run "ifconfig carp0 advskew 110"
                run "ifconfig carp1 advskew 110"
        }
        if ($if_up or $carp_master) {
                set-state promoted
        }
}
----------------------------------------------------------

I run this only on the master, and set the advskew on the backup
firewall to 100. This way, if the master gets demoted, the backup
firewall will have a higher advskew than the demoted master.

Actually, you could go with only master and backup state here, but just
to be safe, I set advskew to max when demoting, and min when
promoting... Let CARP handle the rest..... You might still suffer from
the <out-of-sync> problem though, but it should kick in if you unplug
one of the network cables.

Magne
http://fortytwo.no
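
The state machine in the ifstated.conf above, modelled as an added example (not part of the original post and not ifstated's own code): it walks the post's four states for a given set of link facts and compares the resulting advskew with the 100 set on the backup firewall. The function names, the dict of link facts, and the rule that conditions are re-evaluated after every set-state are assumptions of this model.

```python
# Model of the post's ifstated.conf (added example); True means "link up".
ADVSKEW = {"master": 10, "demoted": 254, "promoted": 0, "backup": 110}
PEER_ADVSKEW = 100  # advskew the post sets on the backup firewall

def macros(f):
    """Evaluate the four macros from the config for one set of link facts."""
    if_up = f["if0"] and f["if1"]
    carp_master = f["carp0"] and f["carp1"]
    return {"if_up": if_up, "if_down": not if_up,
            "carp_master": carp_master, "carp_backup": not carp_master}

# Per state: ordered (condition, next_state) pairs, as written in the config.
RULES = {
    "master":   [(lambda m: m["if_down"] or m["carp_backup"], "demoted")],
    "demoted":  [(lambda m: m["if_up"] and m["carp_master"], "master"),
                 (lambda m: m["if_down"] or m["carp_backup"], "backup")],
    "promoted": [(lambda m: m["if_up"] and m["carp_master"], "master"),
                 (lambda m: m["if_down"] or m["carp_backup"], "backup")],
    "backup":   [(lambda m: m["if_up"] or m["carp_master"], "promoted")],
}

def step(state, facts):
    """Return the state selected by the first matching 'if', else stay put."""
    m = macros(facts)
    for cond, nxt in RULES[state]:
        if cond(m):
            return nxt
    return state

def settle(state, facts):
    """Assumption: rules are re-evaluated after every set-state.
    Returns (path, stable); stable is False if a state repeats (oscillation)."""
    path = [state]
    while True:
        nxt = step(path[-1], facts)
        if nxt == path[-1]:
            return path, True
        if nxt in path:
            return path + [nxt], False
        path.append(nxt)

def local_preferred(state):
    """The host with the lower advskew advertises more often and is preferred."""
    return ADVSKEW[state] < PEER_ADVSKEW

if __name__ == "__main__":
    cable_pulled = {"if0": False, "if1": True, "carp0": False, "carp1": True}
    path, stable = settle("master", cable_pulled)
    print(path, stable, "local preferred:", local_preferred(path[-1]))
```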
