Carson Gaspar wrote:
> --On Thursday, August 10, 2006 4:00 PM +0100 Robin Breathe
> <[EMAIL PROTECTED]> wrote:
>
>> I fear you're missing the point: with "ndd -set /dev/pfil qif_ipmp_set
>> ipmp0=ce0,qfe0" you create a logical, named *pfil* interface which can
>> be *referenced by pfil's clients* - i.e. ipfilter. Ipfilter is
>> monitoring traffic from or to an interface via pfil. If pfil is
>> configured with a logical IPMP interface (the code is there to handle
>> failovers, etc) then I don't see what the problem is. This works
>> perfectly for filtering traffic flowing over the logical-pfil-ipmp
>> interface (see my original post), I just can't fastroute to it.
>
> No, you can't, because _which_ underlying interface would pfil use? What
> algorithm would it use to decide? Aggregating _inbound_ traffic with an
> alias is easy. Outbound traffic is much harder. You'd have to extend
> pfil to be IPMP aware (or vice-versa), or put channel bonding logic into
> pfil. And without the new driver framework that allows bonding, I'm not
> sure pfil would have enough layer 1/2 data to make an informed decision.

Hmm, hammering down further into the code I note the lack of code to keep an eye on the system IPMP interfaces... thanks for driving that home to me ;)

> You could send each packet out _both_ interfaces, but that has other
> side effects that I doubt you want...

Indeed, not a good plan. I was planning to write a simple daemon to monitor the state of the interfaces and switch between two alternate ipf configurations (one per potential primary IPMP interface) whenever there was a change of state, but upon discovering that pfil seemed to understand ipmp through the qif_ipmp_set interface, I shelved the idea as a nasty hack. Sun's documentation on monitoring for failover events with IPMP seemed unusually weak.

> Of course if you'd like to add such logic to pfil, I suspect Darren
> would be happy to accept patches... ;-)

I may take a look. A quick look at the code makes it seem that it would just need a little logic in pfil_sendbuf: if qif is an ipmp_set => loop over group members until one is found which is "UP|!STANDBY", send out that one. Sound reasonable?

Thanks for bearing with me :)

Regards,
Robin

--
Robin Breathe, Computer Services, Oxford Brookes University, Oxford, UK
[EMAIL PROTECTED] Tel: +44 1865 483685 Fax: +44 1865 483073
