From: Damien Fleuriot
Date: Tue, 21 Feb 2012 12:51:34 +0100
To: peter knezel
Cc: freebsd-questions@freebsd.org
Subject: Re: From analysis of a simple ifstated.conf to more complex example

Yes, that would enormously simplify your ifstated setup.

I encourage you to try with a single interface and multiple IPs on it.

Be careful to use /32 netmasks for your aliased IPs, people have run
into trouble for using longer prefixes, like /24 for example.

Also be careful when adding/removing IPs to the carp interfaces.
If you don't have exactly the same IPs on both carp interfaces (server A
and server B), then the hosts will consider them to be different CARP
instances and they'll be MASTER on both firewalls.

You don't want this, obviously.


On 2/21/12 12:23 PM, peter knezel wrote:
> Thanks Damien for the example.
> In this case when I have only one carp interface, it is much easier to
> define the states in ifstated, isn't it?
> It is either up or not and no other states are needed to check.
>
> Regards,
>
> Peter
>
> On 21/02/2012, Damien Fleuriot wrote:
>> Yes, I do mean you can have several IPs on a single CARP interface, see
>> the example below:
>>
>> carp17: flags=49 metric 0 mtu 1500
>>         inet 46.182.41.72 netmask 0xffffffff
>>         inet 46.182.41.76 netmask 0xffffffff
>>         inet 46.182.41.77 netmask 0xffffffff
>>         inet 46.182.41.78 netmask 0xffffffff
>>         inet 46.182.41.79 netmask 0xffffffff
>>         inet 46.182.41.80 netmask 0xffffffff
>>         inet 46.182.41.81 netmask 0xffffffff
>>         inet 46.182.41.82 netmask 0xffffffff
>>         inet 46.182.41.83 netmask 0xffffffff
>>         carp: MASTER vhid 117 advbase 1 advskew 100
>>
>>
>> See the rc.conf bit where I set the IPs:
>> # WAN CARP
>> ipv4_addrs_carp17="46.182.41.72/32 46.182.41.76/32 46.182.41.77/32 46.182.41.78/32 46.182.41.79/32 46.182.41.80/32 46.182.41.81/32 46.182.41.82/32 46.182.41.83/32"
>> ifconfig_carp17="vhid 117 pass [removed] advskew 100"
>>
>>
>> Regarding dedicating a given IP to a given service, you are supposed to
>> do that in the service's configuration, when telling it which IP address
>> to bind to.
>>
>> You can also use pf or ipfw to filter the services allowed on a given IP.
>>
>>
>> On 2/21/12 11:48 AM, peter knezel wrote:
>>> Do you mean that only carp0 is defined on both servers and it has
>>> three different IPs?
>>> How is it possible to define them so they are set for ftp, tftp and
>>> scp separately for the defined IPs?
>>>
>>> Kind regards,
>>>
>>> Peter
>>>
>>> On 21/02/2012, Damien Fleuriot wrote:
>>>> To be honest, I'm not sure it's a good idea to use different
>>>> *interfaces*.
>>>>
>>>> Why don't you set multiple IPs on a single carp interface instead ?
>>>>
>>>> On 21 Feb 2012, at 08:29, peter knezel wrote:
>>>>
>>>>> Hello Damien,
>>>>>
>>>>> preemption is set on both systems, so when master server goes down or
>>>>> any CARP interface on master goes down, slave becomes master (but only
>>>>> on the CARP interface if only that went down).
>>>>>
>>>>> Can you have a look at my previous question??:
>>>>> if the different carp interfaces
>>>>> are used for different purpose (ftp, tftp, scp), is it a good idea to
>>>>> put down all of them, if they are able to serve their purpose?
>>>>>
>>>>>
>>>>> Thanks and kind regards,
>>>>>
>>>>> Peter
>>>>>
>>>>> On 16/02/2012, Damien Fleuriot wrote:
>>>>>> Preemption is used to ensure that, if a CARP interface goes down on
>>>>>> host A, host B will then assume mastership for all interfaces.
>>>>>>
>>>>>> It prevents the nasty situation where you'd have, for example:
>>>>>>
>>>>>> Public IP: master on host A
>>>>>> Private IP: master on host B
>>>>>>
>>>>>> servers behind firewalls hosts A and B:
>>>>>> - traffic arrives on host A which creates a PF state
>>>>>> - servers reply via their default gateway, the CARP IP now master on
>>>>>>   host B
>>>>>>
>>>>>> Host B doesn't have a state for the traffic, drops it.
>>>>>>
>>>>>>
>>>>>> To enable preemption you need to run sysctl net.inet.carp.preempt=1 and
>>>>>> add the corresponding line to your sysctls file in etc.
>>>>>>
>>>>>>
>>>>>> On 2/15/12 7:04 PM, peter knezel wrote:
>>>>>>> Well,
>>>>>>>
>>>>>>> I am not fully familiar with CARP, but if the different carp
>>>>>>> interfaces are used for different purpose (ftp, tftp, scp), is it a
>>>>>>> good idea to put down all of them, if they are able to serve their
>>>>>>> purpose?
>>>>>>>
>>>>>>> BTW, what is CARP preemption and how is it possible to enable it?
>>>>>>>
>>>>>>> Kind regards,
>>>>>>>
>>>>>>> Peter
>>>>>>>
>>>>>>> On 15 February 2012 18:25, Damien Fleuriot wrote:
>>>>>>>
>>>>>>> Sorry about the late reply, didn't see yours.
>>>>>>>
>>>>>>> What about enabling CARP preemption to ensure that when a carp
>>>>>>> interface goes down, the whole set does ?
>>>>>>>
>>>>>>>
>>>>>>> On 2/7/12 9:13 PM, peter knezel wrote:
>>>>>>>> Hello Damien,
>>>>>>>>
>>>>>>>> I did read your example but cannot get idea from it.
>>>>>>>> For three interfaces you have much more possibilities.
>>>>>>>>
>>>>>>>> Imagine you start the server from uuu state which is equal to
>>>>>>>> net = '( "ifconfig -a -u |grep carp0 > /dev/null" every 3 &&
>>>>>>>>          "ifconfig -a -u |grep carp1 > /dev/null" every 3 &&
>>>>>>>>          "ifconfig -a -u |grep carp2 > /dev/null" every 3)'
>>>>>>>>
>>>>>>>> Now you put down one carp interface - so system is in state :
>>>>>>>> *state one:*
>>>>>>>> (duu) || (udu) || (uud) <----which is same as !$net
>>>>>>>> run script1.sh
>>>>>>>> go to twoff
>>>>>>>>
>>>>>>>> now imagine, you put down any other carp interface:
>>>>>>>> *state twoff:*
>>>>>>>> (dud) || (ddu) || (udd)
>>>>>>>> run script2.sh
>>>>>>>> go to two
>>>>>>>>
>>>>>>>> *state two:*
>>>>>>>> put all interfaces up
>>>>>>>> run script3.sh
>>>>>>>> go to state one
>>>>>>>>
>>>>>>>> it means, this is one of the possibilities system can behave (this
>>>>>>>> situation does not describe all possible states - I have taken this
>>>>>>>> special example.)
>>>>>>>>
>>>>>>>> Now if you want to put up after putting down one carp interface, you
>>>>>>>> fail since it is in state twoff.
>>>>>>>> Only if you put down second carp interface it goes to state two and
>>>>>>>> if you put both up, it will go to state one.
>>>>>>>>
>>>>>>>> This is where my ifstated.conf fails to work.
>>>>>>>>
>>>>>>>> Kind regards,
>>>>>>>>
>>>>>>>> Peter Knezel
>>>>>>>>
>>>>>>>>
>>>>>>>> On 7 February 2012 17:02, Damien Fleuriot wrote:
>>>>>>>>
>>>>>>>> On 2/7/12 3:36 PM, peter knezel wrote:
>>>>>>>>> Hello all,
>>>>>>>>>
>>>>>>>>> I would like to ask somebody to explain me how the ifstated works
>>>>>>>>> according to the following configuration file.
>>>>>>>>> I have three virtual carp interfaces carp0,carp1 and carp2.
>>>>>>>>>
>>>>>>>>> I try to understand the following setting:
>>>>>>>>> The server is in state one (all carp interfaces are up) and if there
>>>>>>>>> is carp down of any:
>>>>>>>>> one (carp0 or carp1 or carp2),
>>>>>>>>> two ([carp0 and carp1] or [carp0 and carp2] or [carp1 and carp2]),
>>>>>>>>> three interfaces (carp 0 and carp1 and carp2), server
>>>>>>>>> runs the script testdown.sh and put the server into state two.
>>>>>>>>> If all carp interfaces are up, the server runs the testup.sh and set
>>>>>>>>> the state to one.
>>>>>>>>>
>>>>>>>>
>>>>>>>> That is my understanding.
>>>>>>>>
>>>>>>>>
>>>>>>>>> Is it the way the system works?
>>>>>>>>> Or am I wrong?
>>>>>>>>>
>>>>>>>>> ===
>>>>>>>>> init-state one
>>>>>>>>>
>>>>>>>>> net = '( "ifconfig -a -u |grep carp0 > /dev/null" every 3 &&
>>>>>>>>>          "ifconfig -a -u |grep carp1 > /dev/null" every 3 &&
>>>>>>>>>          "ifconfig -a -u |grep carp2 > /dev/null" every 3)'
>>>>>>>>>
>>>>>>>>> state one {
>>>>>>>>>     if ( ! $net ) {
>>>>>>>>>         run "/usr/local/testdown.sh"
>>>>>>>>>         set-state two
>>>>>>>>>     }
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> state two {
>>>>>>>>>     if ( $net ) {
>>>>>>>>>         run "/usr/local/testup.sh"
>>>>>>>>>         set-state one
>>>>>>>>>     }
>>>>>>>>> }
>>>>>>>>> ===
>>>>>>>>>
>>>>>>>>> Is there any possibility to define and set ifstated.conf that
>>>>>>>>> reacts when:
>>>>>>>>>
>>>>>>>>> any one of the carp interfaces is down - followed by another any
>>>>>>>>> other carp interface down
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I tried to define states:
>>>>>>>>>
>>>>>>>>> duu ="!carp0.link.up && carp1.link.up && carp2.link.up"
>>>>>>>>> udu ="carp0.link.up && !carp1.link.up && carp2.link.up"
>>>>>>>>> uud ="carp0.link.up && carp1.link.up && !carp2.link.up"
>>>>>>>>> ddu ="!carp0.link.up && !carp1.link.up"
>>>>>>>>> dud ="!carp0.link.up && !carp2.link.up"
>>>>>>>>> udd ="!carp1.link.up && !carp2.link.up"
>>>>>>>>>
>>>>>>>>> and used them but somehow I cannot incorporate all state changes and
>>>>>>>>> include it in ifstated.conf.
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Works fine here, did you not have any luck with the file I posted
>>>>>>>> earlier ?
>>>>>>>> _______________________________________________
>>>>>>>> freebsd-questions@freebsd.org mailing list
>>>>>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>>>>>>> To unsubscribe, send any mail to
>>>>>>>> "freebsd-questions-unsubscribe@freebsd.org"
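
The two pitfalls named in the top reply (aliases without a /32 netmask, and alias lists that differ between server A and server B) can be checked by comparing the `ifconfig` output of both firewalls. The following is an added example, not code from the thread: the sample output, the documentation addresses and the function names are constructed for illustration, and the parser assumes the `ifconfig` layout quoted in the thread.

```python
import re

# Constructed `ifconfig carp17` output for two firewalls (documentation
# addresses). Host B lacks one alias and has one alias with a /24 mask.
HOST_A = """\
carp17: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 192.0.2.72 netmask 0xffffffff
        inet 192.0.2.76 netmask 0xffffffff
        inet 192.0.2.77 netmask 0xffffffff
        carp: MASTER vhid 117 advbase 1 advskew 100
"""
HOST_B = """\
carp17: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 192.0.2.72 netmask 0xffffffff
        inet 192.0.2.76 netmask 0xffffff00
        carp: MASTER vhid 117 advbase 1 advskew 0
"""

ADDR_RE = re.compile(r"^[ \t]+inet (\S+) netmask (0x[0-9a-fA-F]{8})", re.M)
CARP_RE = re.compile(r"^[ \t]+carp: (\w+) vhid (\d+)", re.M)


def parse_carp(text):
    """Return the alias->netmask map, CARP state and vhid of one interface."""
    addrs = {ip: int(mask, 16) for ip, mask in ADDR_RE.findall(text)}
    state, vhid = CARP_RE.search(text).groups()
    return {"addrs": addrs, "state": state, "vhid": int(vhid)}


def compare_carp(a_text, b_text):
    """List the differences between two hosts' views of one CARP interface."""
    hosts = {"A": parse_carp(a_text), "B": parse_carp(b_text)}
    a, b = hosts["A"], hosts["B"]
    findings = []
    if a["vhid"] != b["vhid"]:
        findings.append(f"vhid differs: {a['vhid']} vs {b['vhid']}")
    for name, host in hosts.items():
        for ip, mask in sorted(host["addrs"].items()):
            if mask != 0xFFFFFFFF:
                findings.append(f"host {name}: {ip} netmask {mask:#010x} is not /32")
    for name, mine, other in (("A", a, b), ("B", b, a)):
        missing = sorted(set(mine["addrs"]) - set(other["addrs"]))
        if missing:
            findings.append(f"only on host {name}: {', '.join(missing)}")
    if a["state"] == b["state"] == "MASTER":
        findings.append("both hosts report MASTER")
    return findings
```

Feed it the captured output of `ifconfig carpN` from each firewall; an empty list means the alias sets, netmasks and vhid agree and only one side is MASTER.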