* [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2007-05-03 20:58]:
> Any recommendations on running BGP on redundant firewalls to multiple
> providers advertising the same network thru both links, and talking iBGP
> with the other firewall?

that is what I am doing here as well as at multiple customer sites.

> Just asking because I ran into a problem with this
> scenario when traffic would enter 1 host, traverse the iBGP crossover link
> and then exit the 2nd host, and return traffic would come back in thru the
> 1st host. There was a mismatch of the states that seemed to cause my
> problems.

not seen that. you could suffer from the carp route screwup issue I just
committed a fix for in -current. I'll attach it, it'll apply for 4.1 too.

in general, "bgpctl sh nexthop" is your friend to debug this.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam

Index: ip_carp.c =================================================================== RCS file: /cvs/src/sys/netinet/ip_carp.c,v retrieving revision 1.135 diff -u -p -r1.135 ip_carp.c --- ip_carp.c 27 Mar 2007 21:58:16 -0000 1.135 +++ ip_carp.c 28 Mar 2007 23:18:51 -0000 @@ -368,15 +368,18 @@ carp_setroute(struct carp_softc *sc, int struct ifaddr *ifa; int s; + /* XXX this mess needs fixing */ + s = splsoftnet(); TAILQ_FOREACH(ifa, &sc->sc_if.if_addrlist, ifa_list) { switch (ifa->ifa_addr->sa_family) { case AF_INET: { - int count = 0; + int count = 0, error; struct sockaddr sa; struct rtentry *rt; struct radix_node_head *rnh; struct radix_node *rn; + struct rt_addrinfo info; int hr_otherif, nr_ourif; /*
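Review bot: the new `/* XXX this mess needs fixing */` comment at the top of carp_setroute() names no actual problem, so a later reader cannot tell which part of the route handling below is wrong or what the intended fix is; say what is broken (the later `/* XXX cries for proper API */` comment already hints that the manual route manipulation is the issue) or drop the comment. Minor style point in the same hunk: `int count = 0, error;` mixes an initialised and an uninitialised declarator; `error` is assigned by each `rtrequest1()` call before it is read in the following hunks, but a separate `int error;` line next to `struct rt_addrinfo info;` makes that easier to see, since both exist only for the new rtrequest1()/rt_missmsg() sequences.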
@@ -395,9 +398,15 @@ carp_setroute(struct carp_softc *sc, int } /* Remove the existing host route, if any */ - rtrequest(RTM_DELETE, ifa->ifa_addr, - ifa->ifa_addr, ifa->ifa_netmask, - RTF_HOST, NULL, 0); + bzero(&info, sizeof(info)); + info.rti_info[RTAX_DST] = ifa->ifa_addr; + info.rti_info[RTAX_GATEWAY] = ifa->ifa_addr; + info.rti_info[RTAX_NETMASK] = ifa->ifa_netmask; + info.rti_flags = RTF_HOST; + error = rtrequest1(RTM_DELETE, &info, NULL, 0); + rt_missmsg(RTM_DELETE, &info, info.rti_flags, NULL, + error, 0); + /* Check for our address on another interface */ /* XXX cries for proper API */ 
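Review bot: the `rt_missmsg(RTM_DELETE, &info, info.rti_flags, NULL, error, 0)` added after the host-route delete is issued unconditionally and carries `error`, so routing-socket listeners (bgpd among them, which is the context this patch is being attached in) now see an RTM_DELETE for `ifa->ifa_addr` even when `rtrequest1()` failed and nothing was removed; the comment above says the host route is removed "if any", so the failure case is an expected one here. Either skip the message when `error != 0`, or add a one-line comment that consumers are expected to look at the error field of the message. The old `rtrequest()` call reported nothing to user space, so this is a behaviour change that deserves a sentence in the commit message.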
@@ -420,26 +429,39 @@ carp_setroute(struct carp_softc *sc, int if (hr_otherif) { ifa->ifa_rtrequest = NULL; ifa->ifa_flags &= ~RTF_CLONING; - - rtrequest(RTM_ADD, ifa->ifa_addr, - ifa->ifa_addr, ifa->ifa_netmask, - RTF_UP | RTF_HOST, NULL, 0); + bzero(&info, sizeof(info)); + info.rti_info[RTAX_DST] = ifa->ifa_addr; + info.rti_info[RTAX_GATEWAY] = ifa->ifa_addr; + info.rti_info[RTAX_NETMASK] = ifa->ifa_netmask; + info.rti_flags = RTF_UP | RTF_HOST; + error = rtrequest1(RTM_ADD, &info, NULL, 0); + rt_missmsg(RTM_ADD, &info, info.rti_flags, NULL, + error, 0); } if (!hr_otherif || nr_ourif || !rt) { if (nr_ourif && !(rt->rt_flags & - RTF_CLONING)) - rtrequest(RTM_DELETE, &sa, - ifa->ifa_addr, - ifa->ifa_netmask, 0, NULL, - 0); + RTF_CLONING)) { + bzero(&info, sizeof(info)); + info.rti_info[RTAX_DST] = &sa; + info.rti_info[RTAX_GATEWAY] = ifa->ifa_addr; + info.rti_info[RTAX_NETMASK] = ifa->ifa_netmask; + error = rtrequest1(RTM_DELETE, &info, NULL, 0); + rt_missmsg(RTM_DELETE, &info, info.rti_flags, NULL, + error, 0); + } ifa->ifa_rtrequest = arp_rtrequest; ifa->ifa_flags |= RTF_CLONING; - if (rtrequest(RTM_ADD, ifa->ifa_addr, - ifa->ifa_addr, ifa->ifa_netmask, 0, - NULL, 0) == 0) + bzero(&info, sizeof(info)); + info.rti_info[RTAX_DST] = ifa->ifa_addr; + info.rti_info[RTAX_GATEWAY] = ifa->ifa_addr; + info.rti_info[RTAX_NETMASK] = ifa->ifa_netmask; + error = rtrequest1(RTM_ADD, &info, NULL, 0); + if (error == 0) ifa->ifa_flags |= IFA_ROUTE; + rt_missmsg(RTM_ADD, &info, info.rti_flags, NULL, + error, 0); } break; case RTM_DELETE:
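Review bot: this hunk repeats the same bzero()/fill-`info`/rtrequest1()/rt_missmsg() sequence three times (four counting the delete in the previous hunk), differing only in the request type, the flags and, in the `nr_ourif` delete, the destination (`&sa` instead of `ifa->ifa_addr`); factor it into a small static helper along the lines of `carp_rtrequest(int req, struct sockaddr *dst, struct ifaddr *ifa, int flags)` that fills `info`, issues the request, calls rt_missmsg() and returns the error, so the copies cannot drift apart. Two details to keep straight when doing that: in the `nr_ourif` delete `info.rti_flags` stays 0 from the bzero() (matching the old call's 0), and in the final RTM_ADD the flags are also left at 0 even though `ifa->ifa_flags |= RTF_CLONING` was just set, which again matches the old call but is worth a comment because the RTM_ADD in the `hr_otherif` branch passes `RTF_UP | RTF_HOST` explicitly.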
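The two-firewall setup the quoted question describes (each box with eBGP to its own provider, iBGP between them over a crossover link, both announcing the same prefix, carp for the shared inside address), as an added configuration example that is not part of the mail or of the attached patch. Addresses, interface names, AS numbers and the carp password are made up; the file layout follows OpenBSD's hostname.if(5), bgpd.conf(5) and pf.conf(5):

```conf
# /etc/hostname.carp0 on fw1
# Shared inside address; fw2 runs the same vhid with its own real address
# on em0 and a higher advskew.
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 pass carp-secret carpdev em0 advskew 0

# /etc/bgpd.conf on fw1
# fw2 mirrors this with 10.0.0.1/10.0.0.2 swapped and its own upstream neighbor.
AS 65001
router-id 10.0.0.1

# the prefix both firewalls announce, each to its own provider
network 192.0.2.0/24

# eBGP to this box's provider on em1
neighbor 198.51.100.1 {
	remote-as 65100
	descr "upstream-a"
}

# iBGP to the other firewall across the crossover link on em2
neighbor 10.0.0.2 {
	remote-as 65001
	descr "fw2"
}

# /etc/pf.conf excerpt on fw1
ext_if  = "em1"
carp_if = "em0"
xover   = "em2"
fw1     = "10.0.0.1"
fw2     = "10.0.0.2"

# carp advertisements travel on the carpdev, not on carp0 itself
pass quick on $carp_if proto carp keep state

# BGP session with the upstream
pass in  on $ext_if proto tcp from 198.51.100.1 to ($ext_if) port bgp keep state
pass out on $ext_if proto tcp from ($ext_if) to 198.51.100.1 port bgp keep state

# iBGP session with the other firewall
pass on $xover proto tcp from $fw2 to $fw1 port bgp keep state
pass on $xover proto tcp from $fw1 to $fw2 port bgp keep state

# Caveat: each box keeps its own pf state table. A flow that leaves
# through fw2 and whose reply arrives at fw1 hits fw1 without a matching
# state, which is the mismatch the question describes; the mail above
# does not cover that beyond the carp route fix, so it has to be
# addressed separately.
```

With this in place, `bgpctl show nexthop` (the `bgpctl sh nexthop` from the mail) on each box lists the next hops learned from the upstream and from the other firewall together with whether bgpd considers them valid; comparing that output between fw1 and fw2 is the first check when a prefix is present on one box and missing on the other.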

