Re: new OpenSSL flaws

2014-06-05 Thread Marco Pfatschbacher
On Thu, Jun 05, 2014 at 08:02:58PM +, Miod Vallat wrote:
> 
> If you can't trust people to apply one-liner fixes correctly, can you
> trust them for anything serious?
 
I really don't like to point fingers, but...

It is done by the same people that introduced
the Debian random number bug back in 2006:

http://www.gergely.risko.hu/debian-dsa1571.en.html



Re: libpthread fifo fdlock

2014-01-26 Thread Marco Pfatschbacher
On Sun, Jan 26, 2014 at 03:44:14PM -0500, ido...@gmail.com wrote:
> Hi misc@,
> From http://marc.info/?l=openbsd-cvs&m=133217901415880&w=2
> 
> "The ``sleep until we have a writer'' behaviour of an open() on a fifo
> does so with the file descriptor table locked, so if we are waiting for
> another thread to be our writer we will hang forever.
> 
> Found this using zotero and firefox."
> 
> This behavior indeed hangs latest FF+Zotero. Is it fixable?
 

I've been running into this recently myself.
What makes this worse is that the process isn't even killable.
Guenther tried to fix this, but it got backed out:

http://anoncvs.estpak.ee/cgi-bin/cgit/openbsd-src/commit/?id=d8a387a9a09560b65562bc317ad63427bc9cb819

I was trying to look into this, but ran out of time :-(

A workaround might be to patch either zotero or firefox, to
open the fifo with O_RDWR instead of O_WRONLY.
This way it won't block in open().

Here's my test program to trigger the issue.

#include <sys/stat.h>

#include <err.h>
#include <fcntl.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/*
 * Second thread: opens an ordinary file.  This should never block, but
 * while main() sleeps in open() on the FIFO the file descriptor table
 * is locked, so this open() hangs too and the process can't be killed.
 */
void *
open_thread(void *arg)
{
int fd;

sleep(1); /* delay to let main run into FIFO open first */

printf("before open in thread\n");

if ((fd = open("/tmp/regfile", O_CREAT| O_RDWR, 0600)) < 0)
err(1, "open");

printf("after open in thread\n");

close(fd);
pthread_exit(NULL);
}

int
main(int argc, char** argv)
{
int fd;
pthread_t thread;

if (pthread_create(&thread, NULL, open_thread, NULL) != 0)
err(1, "pthread_create");

mkfifo("/tmp/block.fifo", 0600);

printf("before blocking open in main\n");

/* O_WRONLY sleeps until a reader opens the FIFO; nobody ever does. */
if ((fd = open("/tmp/block.fifo", O_WRONLY)) < 0)
err(1, "open");

printf("after blocking open in main\n");

close(fd);
pthread_exit(NULL);
/* NOTREACHED */
return (0);
}
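
The O_RDWR workaround mentioned above, as an added example (not code from the original post): a FIFO opened read-write returns from open() immediately because the opener counts as its own reader, whereas an O_WRONLY open sleeps until some other reader shows up. Assumptions: a POSIX system where O_RDWR on a FIFO is supported (Linux and the BSDs do), a writable /tmp, and the path and message below are made up for the example.

```c
#include <sys/stat.h>

#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/*
 * Create a FIFO at `path`, open it O_RDWR, push `msg` through it and read
 * it back on the same descriptor.  Returns the number of bytes read back
 * (strlen(msg) on success) or -1 on failure.  The open() never blocks,
 * even though no other process has the FIFO open; with O_WRONLY it would
 * sleep here forever (and on the OpenBSD of the thread above, hold the
 * fd table lock while doing so).
 */
ssize_t
fifo_rdwr_roundtrip(const char *path, const char *msg)
{
	char buf[256];
	size_t len = strlen(msg);
	ssize_t n = -1;
	int fd;

	/* Empty message: read() would block waiting for data. */
	if (len == 0 || len >= sizeof(buf))
		return (-1);

	(void)unlink(path);		/* stale FIFO from an earlier run */
	if (mkfifo(path, 0600) == -1)
		return (-1);

	if ((fd = open(path, O_RDWR)) != -1) {
		/* len < PIPE_BUF, so the write is atomic and never blocks. */
		if (write(fd, msg, len) == (ssize_t)len)
			n = read(fd, buf, sizeof(buf) - 1);
		close(fd);
	}
	(void)unlink(path);
	return (n);
}

int
main(void)
{
	ssize_t n = fifo_rdwr_roundtrip("/tmp/rdwr.fifo", "ping");

	printf("read back %zd bytes\n", n);
	return (n == 4 ? 0 : 1);
}
```

Note that the behaviour of O_RDWR on a FIFO is unspecified by POSIX; it is reliable on Linux and the BSDs, which is why it is a workable patch for a client like Zotero, but not something to rely on in portable code.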



Re: Unicast CARP and static arp entries

2012-07-25 Thread Marco Pfatschbacher
On Wed, Jul 25, 2012 at 12:07:25PM +0200, Henning Brauer wrote:
> * Lee Verberne  [2012-07-19 23:46]:
> > A power supply failed in my 2-node OpenBSD 5.1 unicast CARP cluster
> > recently.  After the failure I noticed that the carp demote counter was
> > being increased by output errors:
> > 
> > carp: carp0 demoted group carp by 1 to 1 (> snderrors)
> > 
> > I tracked this back to the surviving node being unable to arp for the
> > ethernet address of its carppeer.  At least, adding static permanent arp
> > entries stopped the Oerrs on carp0.
> > 
> > I'm planning on adding static arp entries as a best-practice now any
> > time I use unicast CARP.  I didn't see any documentation or list traffic
> > on this topic, though, so I thought I'd ask what others do.  Am I
> > missing something or is this ill-advised?
> 
> hmm, interesting one.
 
I guess the best thing we could do is to ignore send errors
if unicast carp is being used.
I don't think we can distinguish the ip_output errors to
only ignore failures on missing arp entries.

> not too ill-advised (the common problem with static arp entries
> remain, foremost, they are static, thus changes require extra steps).
> 
> -- 
> Henning Brauer, h...@bsws.de, henn...@openbsd.org
> BS Web Services, http://bsws.de, Full-Service ISP
> Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully 
> Managed
> Henning Brauer Consulting, http://henningbrauer.com/



Re: Problem filtering CARP in PF

2012-03-02 Thread Marco Pfatschbacher
On Fri, Mar 02, 2012 at 09:23:38AM +0100, Marios Makassikis wrote:
> 
> The demotion counter is decremented when you lose connectivity (ip_output
> errors for instance), but shouldn't it be reincremented when you regain
> connectivity?
 
Well, that's a chicken and egg problem there.
It won't send out any further advertisements, because its demote
count is higher. But without doing so, it cannot know that the error
is gone.
We could try to solve this by sending some probe carp advertisements
using an unused/reserved vhid, but I'm not sure if that's worth the
trouble..



Re: em1 - watchdog timeout

2011-10-19 Thread Marco Pfatschbacher
Hi,

so far, the 82579LM em(4) was only working by luck.
This should be fixed in -current.

On Fri, Oct 14, 2011 at 08:38:50AM +0200, Maxim Bourmistrov wrote:
> Hi,
>
> I'm getting "em1 watchdog timeout" from bsd.rd while tried to snapshot  
> already -current box.
> However, manually moving in bsd from the same date and booting it does  
> not produces those messages.

[...]

> em1 at pci0 dev 25 function 0 "Intel 82579LM" rev 0x05: msi, address  
> 00:25:90:27:da:51



Re: /bsd: carpXX: ip_output failed: 64

2011-07-26 Thread Marco Pfatschbacher
On Tue, Jul 26, 2011 at 10:00:48AM +0200, Marcus Mülbüsch wrote:
> Hello all,
>
>Since I added another physical and carp interface to our firewalls, I 
> get strange error messages, and strange behaviour for carp failover.
>
>> Jul 25 15:00:03 fw2 /bsd: carp32: ip_output failed: 64
>> Jul 25 15:00:03 fw2 /bsd: carp34: ip_output failed: 64
>> Jul 25 15:00:03 fw2 /bsd: carp40: ip_output failed: 64
>> Jul 25 15:00:03 fw2 /bsd: carp5: ip_output failed: 64
>> Jul 25 15:00:03 fw2 /bsd: carp11: ip_output failed: 64
>> Jul 25 15:00:03 fw2 /bsd: carp31: ip_output failed: 64
>> Jul 25 15:00:04 fw2 /bsd: carp: carp31 demoted group carp by 1 to 2\
>> (> snderrors)
>
>I'm pretty sure that I had no of that "64" errors before I added  
> "carp 40" - the old logfiles show none (though I have only those from a  
> few days).
>
>I googled for the error but didn't find anything helpful.

man errno:

 64 EHOSTDOWN Host is down.  A socket operation failed because the
 destination host was down.

>Any quick pointers what may be going wrong?

My first guess would've been that pf(4) is blocking the outgoing carp
advertisements. But a quick glance at the code indicates that it only
returns 65 (EHOSTUNREACH).

It could be a reject route blocking your advertisements.
Can you show us the output of netstat -rn ?



Re: any working example of IPv6 /etc/hostname.carpXXX ?

2011-04-25 Thread Marco Pfatschbacher
On Sat, Apr 23, 2011 at 09:15:51PM +, Stuart Henderson wrote:
> On 2011-04-21,  ???  wrote:
> > Dear Sirs,
> >
> > I need to configure ipv6 over carp interface. It seems that carp doesn't
> > like things in one line
> >
> >
> > ifconfig carp470 vhid 70 pass xxx carpdev vlan470 advskew 20 inet6
> > 2a00:1a70:80:470::2 prefixlen 128
> >
> > it says something wrong about ipv6. don't have any idea why. so, one-line
> > config for hostname.carpXXX will not work.
> >
> > if I do two ifconfigs:
> >
> >
> > ifconfig carp470 vhid 70 pass xxx carpdev vlan470 advskew 20
> > ifconfig carp470 inet6 2a00:1a70:80:470::2 prefixlen 128
> >
> >
> > everthing seems to be ok.
> 
> Not really, it just sits in init unless you also configure a (possibly
> dummy) ipv4 address.
 
This is a bug in -current. I broke IPv6-only setups.


Index: ip_carp.c
===
RCS file: /cvs/src/sys/netinet/ip_carp.c,v
retrieving revision 1.181
diff -p -u -p -u -r1.181 ip_carp.c
--- ip_carp.c   8 Mar 2011 22:53:28 -   1.181
+++ ip_carp.c   22 Apr 2011 12:19:01 -
@@ -902,6 +902,11 @@ carp_clone_create(ifc, unit)
 #if NBPFILTER > 0
bpfattach(&ifp->if_bpf, ifp, DLT_EN10MB, ETHER_HDR_LEN);
 #endif
+
+   /* Hook carp_addr_updated to cope with address and route changes */
+   if (sc->ah_cookie == NULL)
+   sc->ah_cookie = hook_establish(sc->sc_if.if_addrhooks, 0,
+   carp_addr_updated, sc);
return (0);
 }
 
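Review bot: hook_establish() returns NULL when its allocation fails and the new call at the end of carp_clone_create() does not check for that, so a failed hook silently leaves the interface without carp_addr_updated; either test the result and fail the clone (placing the call before if_attach() avoids a teardown path) or at least log it. The `if (sc->ah_cookie == NULL)` guard around the call is also redundant here: the softc is freshly allocated in this function, so the cookie is always NULL at this point and the guard can go.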
@@ -2039,14 +2044,6 @@ carp_set_addr(struct carp_softc *sc, str
 
carp_set_state_all(sc, INIT);
 
-   /*
-* Hook if_addrhooks so that we get a callback after in_ifinit has run,
-* to correct any inappropriate routes that it inserted.
-*/
-   if (sc->ah_cookie == NULL)
-   sc->ah_cookie = hook_establish(sc->sc_if.if_addrhooks, 0,
-   carp_addr_updated, sc);
-
return (0);
 }
 
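Review bot: removing the lazy hook_establish() here changes the cookie's lifetime from "first IPv4 address configured" to "whole interface", so carp_clone_destroy() must now call hook_disestablish(sc->sc_if.if_addrhooks, sc->ah_cookie) unconditionally rather than only when an address was ever set; that code is outside this diff, please confirm it does not test the address count first. Otherwise the removal is consistent with the carp_clone_create hunk.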
@@ -2131,10 +2128,10 @@ carp_set_addr6(struct carp_softc *sc, st
if (sc->sc_naddrs6 == 0 && (error = carp_join_multicast6(sc)) != 0)
return (error);
 
-   if (sc->sc_carpdev != NULL && sc->sc_naddrs6)
+   if (sc->sc_carpdev != NULL)
sc->sc_if.if_flags |= IFF_UP;
+
carp_set_state_all(sc, INIT);
-   carp_setrun_all(sc, 0);
 
return (0);
 }
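Review bot: dropping carp_setrun_all(sc, 0) after carp_set_state_all(sc, INIT) means the interface now only leaves INIT when carp_addr_updated() is invoked through if_addrhooks once the inet6 address is installed; that is the path an IPv6-only setup needs, but it only works if the inet6 address code runs the if_addrhooks after the address is initialised the way in_ifinit does for inet, so please confirm that for the inet6 path, otherwise the interface sits in INIT again. The removed `&& sc->sc_naddrs6` condition also deserves a one-line comment: the `sc->sc_naddrs6 == 0` test a few lines up shows the count can still be zero here for the first address, in which case the old condition prevented IFF_UP from ever being set for a v6-only carp interface.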



Re: CARP hash vuln

2010-12-21 Thread Marco Pfatschbacher
On Tue, Dec 21, 2010 at 09:34:01AM +0100, David Coppa wrote:
> On Tue, Dec 21, 2010 at 2:23 AM, Fernando Quintero
>  wrote:
> > some comment?
> >
> > http://seclists.org/bugtraq/2010/Dec/200
> 
> I'm not able to provide a solution, but this is of course a bug that
> needs to be fixed.

If you look at my commit message from 3 years ago,
you'll see that we are well aware of this:

 http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet/ip_carp.c?f=h#rev1.152

If someone comes up with a replay protection that works without the help
of synchronized clocks, I'm happy to fix this.

OTOH, I'm still not convinced that it's worth the effort to fix a
L2-only attack. There are still enough other ways to DoS on L2.



Re: Preempt: apparently no effect on advskew

2010-04-13 Thread Marco Pfatschbacher
On Tue, Apr 13, 2010 at 04:32:12PM +0900, william dunand wrote:
> Dear list,
> 
> I am currently setting up two 4.6 boxed to act as carp'ed firewalls.

[...] 

> Even though I got to quite satisfying results, I am confused about the
> net.inet.carp.preempt definition given in the carp(4) man page:
> 
> a) Allow virtual hosts to preempt each other.
> 
> b) It is also used to failover carp interfaces
> as a group.  When the option is enabled and
> one of the carp enabled physical interfaces
> goes down, advskew is changed to 240 on all
> carp interfaces.  See also the first example.
> Disabled by default.
> 
> I have no problem to observe [a], but I really can't manage to make [b] 
> happens.
> 
> So when one of my interfaces goes down, all carp interfaces are
> failing over to the other node but it seems to be thanks to the
> demotion of "carp" group. A you can see below, advskew on the other
> hand does not change at all:

[...] 

> Would anyone be so kind as to explain me what I am misunderstanding here ?

Hi,

the advskew bump to 240 is done internally and not visible with
ifconfig. Run tcpdump(8) and you'll see it on the wire.

However, the 240 bump has been deprecated with 4.7 and the current manpage
doesn't mention it either :)

Marco



Re: Odd CARP issue with 4.6

2009-11-26 Thread Marco Pfatschbacher
On Thu, Nov 26, 2009 at 03:56:37PM +0100, Henning Brauer wrote:
> * Derek Buttineau  [2009-11-26 15:07]:
> > On 2009-11-25, at 6:23 PM, Henning Brauer wrote:
> > 
> > > check ifconfig -g carp on both
> > 
> > 
> > Right now both are at:
> > 
> > carp: carp demote count 0
> > 
> > However, I did check that before I rebooted the backup unit and the master 
> > was
> > set to
> > 
> > carp: carp demote count 1
> > 
> > At first I thought that maybe pfsync was keeping the master from reverting
> > while it synced state, but even after 24 hours the master hadn't taken back
> > over from the slave.
> 
> the one with the higher demote count always loses, regardless of
> advskew. now finding out which subsytem set the demote count might be
> nintrivial. pfsync is in the game, so is rc, and, depending on
> configuration, various daemons like bgpd and ospfd.

It might help to set
sysctl net.inet.carp.log=6

carp does logging about who demoted it:

CARP_LOG(LOG_INFO, nil, ("%s demoted group %s to %d", 
ifp->if_xname,
ifgl->ifgl_group->ifg_group, *dm));



Re: OT: USB Device VID, PID, and S/N

2009-10-20 Thread Marco Pfatschbacher
On Tue, Oct 20, 2009 at 01:30:01AM -0600, Anathae E. Townsend wrote:
> Off topic, I know, but I'm hoping some USB programming smart readers
> might know the answer to my question.
> 
> Are there available usb interface chips that an OEM can program the
> PID, VID, and Serial Number without having to specify it in the chip
> Mask?

Yes, there are. The Zaurus for instance has a USB device controller.

http://www.openbsd.org/cgi-bin/man.cgi?query=usbf&sektion=4

> If this is possible, USB devices cannot be guaranteed to be unique
> based on PID, VID and Serial number.

No they cannot.  OpenBSD is using:

#define CDCEF_VENDOR_ID		0x0001
#define CDCEF_PRODUCT_ID	0x0001
#define CDCEF_DEVICE_CODE	0x0100

for cdcef(4).

http://www.openbsd.org/cgi-bin/cvsweb/src/sys/dev/usb/if_cdcef.c?annotate=1.24

HTH,
Marco



Re: with ip-stealth balancing syn-ack gets blocked on the wrong firewall

2009-10-12 Thread Marco Pfatschbacher
On Tue, Oct 06, 2009 at 11:22:11PM +0300, Imre Oolberg wrote:
> Hallo!
> 
> I have used carp ip-stealth balancing for only pass and block rules with
> two openbsd 4.5 firewalls and https server quite successfully, like this

Hi,

finally someone who got IP balancing to work :)
 
> 
>to  isp router is firewalls' default gw
> 
>   |--carp0--|carp0: 192.168.1.170
>  _|_   _|_
>FW1  |   | |   |  FW2
> |___| |___|
>   |--carp1--|   carp1: 10.0.1.193
>   | |
>   |---|-|--|---
>   ||
>  _|_  _|_
> |   | 10.0.1.200:443 |   | 10.0.1.199:80
> |___| https server   |___| http server
> 
> Carp interfaces are created with definitions like this (on the other
> firewall 1:100,2:0 -> 1:0,2:100)
> 
> inet 192.168.1.170 255.255.255.248 192.168.1.175 carpnodes \
>   1:100,2:0 balancing ip-stealth pass xxx carpdev em0
> inet 10.0.1.193 255.255.255.240 10.0.1.207 carpnodes \
>   3:100,4:0 balancing ip-stealth pass yyy carpdev em1
> 
> And the problem arrives when i add second server (http) and trying to
> use rdr rules rewriting ip address, essential rules are
> 
> rdr on $ext_if inet proto tcp to 10.0.1.199 port 8080 tag TO_HTTP \
>   -> 10.0.1.199 port 80
> rdr on $ext_if inet proto tcp to 10.0.1.200 port 80 tag TO_HTTP \
>   -> 10.0.1.199 port 80

Carp IP balancing does its load distribution with a simple hash
over the source and destination IP address.
So, in general, doing any sort of address rewrite (nat, rdr)
can mess things up, because the return packet will be handled
by the other node.
And stateful filtering and asymmetric routing are not good friends.

However, in your case there might be a workaround.
The carp hash function does a:   (src ^ dst) % number_of_nodes
to decide which node accepts the packet.
Since you only have 2 nodes, it is all just a matter of an
odd or even result.
If you change your https server's IP to an odd one (eg 10.0.1.201)
your rdr rule would become:

 rdr on $ext_if inet proto tcp to 10.0.1.201 port 80 tag TO_HTTP \
   -> 10.0.1.199 port 80

This way, the packet hash after the rdr will be equal to the
one before.
 
> pass in quick on $ext_if inet tagged TO_HTTP
> pass in quick on $ext_if inet proto tcp to 10.0.1.200 port 443 \
>   tag TO_HTTP
> pass out quick on $int_if inet tagged TO_HTTP
> 
> So the problem is i cant figure out why first rdr works and the second
> rdr does not.

The first one only rewrites the tcp port, not the IP address.

HTH,

Marco



Re: 4.6: load balancing and active/active

2009-08-04 Thread Marco Pfatschbacher
On Tue, Aug 04, 2009 at 03:15:25PM +0200, Federico wrote:
> Rosen Iliev wrote:
> > Hi Federico,
> > 
> > Did you try to change the balancing mode to ip-unicast or ip-stealth?
> > 
> > from man carp(4)
> 
> I just tried with ip-unicast, but both machines stop working.
> Do I have to think it's a switch related problem?

ip-unicast needs special care:

citing carp(4):

 "For scenarios where a hub is used it is not necessary to use
  a multicast MAC and it is safe to use
  the ip-unicast mode.  Manageable switches can usually be tricked into
  forwarding unicast traffic to all cluster nodes ports by configuring
  them into some sort of monitoring mode."

As a basic test to see if your switch is playing along, you should
run tcpdump on both machines and verify that the traffic towards
the cluster is received on both sides.  It is essential.
The switch needs to send the traffic to all nodes in the cluster,
if it does not do that, IP balancing cannot work.


Marco



Re: VMWare vSphere with OpenBSD and carp

2009-07-27 Thread Marco Pfatschbacher
On Mon, Jul 27, 2009 at 04:01:39PM +0200, Vadim Korschok wrote:
> >>> Marco Pfatschbacher  27.07.2009 11:35 >>>
> >Hmm,
> 
> >are you sure this is happening with OpenBSD?
> >We solved that problem almost two years ago.
> >Dunno if FreeBSD merged any of these changes...
> >
> > http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet/ip_carp.c?f=h#rev1.152
> >  
> 
> The patch from Matthew is working under FreeBSD, but after the installation 
> from FreeBSD we found out that load balancing / carpnodes are not supported. 
> So we can not test same scenario under FreeBSD. I've also tried to patch 
> OpenBSD without luck.

The patch is not necessary for OpenBSD. We already detect such a
loopback condition. So, to repeat my question: Are you seeing the same
problems as you had with FreeBSD under OpenBSD?

I don't know VMWare too well, but I remember that their multicast
handling was somehow funny.
I would start without using load balancing.
Only if everything works as expected without it should you try turning it on.

However, there's no guarantee that ``balancing ip'' will work
with that virtual vmware switch. But I'm too lazy to explain why :)
Carp IP-Balancing has some known limitations (which I really should've
added to the manpage): It was meant to balance servers, not pf(4)
firewalls. Although it works for pf(4), the performance you gain isn't
that high and there are issues if you're using any kind of NAT.
 
HTH,

Marco



Re: VMWare vSphere with OpenBSD and carp

2009-07-27 Thread Marco Pfatschbacher
Hmm,

are you sure this is happening with OpenBSD?
We solved that problem almost two years ago.
Dunno if FreeBSD merged any of these changes...

http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet/ip_carp.c?f=h#rev1.152


On Mon, Jul 27, 2009 at 09:09:27AM +0200, Vadim Korschok wrote:
> The mailinglist script droped the attachment from Matthew (esx-carp.diff):
> 
> Index: ip_carp.c
> ===
> RCS file: /home/ncvs/src/sys/netinet/ip_carp.c,v
> retrieving revision 1.52.2.3
> diff -u -r1.52.2.3 ip_carp.c
> --- ip_carp.c 9 May 2009 00:35:38 -   1.52.2.3
> +++ ip_carp.c 26 Jul 2009 16:53:24 -
> @@ -143,6 +143,8 @@
>  &carp_opts[CARPCTL_LOG], 0, "log bad carp packets");
>  SYSCTL_INT(_net_inet_carp, CARPCTL_ARPBALANCE, arpbalance, CTLFLAG_RW,
>  &carp_opts[CARPCTL_ARPBALANCE], 0, "balance arp responses");
> +SYSCTL_INT(_net_inet_carp, CARPCTL_DROPECHOED, drop_echoed, CTLFLAG_RW,
> +&carp_opts[CARPCTL_DROPECHOED], 0, "drop packets echoed to sender");
>  SYSCTL_INT(_net_inet_carp, OID_AUTO, suppress_preempt, CTLFLAG_RD,
>  &carp_suppress_preempt, 0, "Preemption is suppressed");
> 
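Review bot: the new drop_echoed sysctl takes its default from the carp_opts[CARPCTL_DROPECHOED] initialiser, which this hunk does not touch, so it is off unless an administrator knows to enable it; since a carp advertisement carrying one of our own source addresses is never legitimate, consider defaulting it on, and in either case add the knob to carp(4) alongside the description string given here.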
> @@ -552,6 +554,28 @@
>   return;
>   }
> 
> + /*
> +  * verify that the source address is not valid
> +  * for the interface it was received on. this
> +  * tends to happen with VMWare ESX vSwitches.
> +  */
> + if (carp_opts[CARPCTL_DROPECHOED]) {
> + struct ifnet *ifp = m->m_pkthdr.rcvif;
> + struct ifaddr *ifa;
> + IF_ADDR_LOCK(ifp);
> + TAILQ_FOREACH(ifa, &ifp->if_addrlist, ifa_list) {
> + struct in_addr in4;
> + in4 = ifatoia(ifa)->ia_addr.sin_addr;
> + if (ifa->ifa_addr->sa_family == AF_INET &&
> + in4.s_addr == ip->ip_src.s_addr) {
> + m_freem(m);
> + IF_ADDR_UNLOCK(ifp);
> + return;
> + }
> + }
> + IF_ADDR_UNLOCK(ifp);
> + }
> +
>   /* verify that the IP TTL is 255.  */
>   if (ip->ip_ttl != CARP_DFLTTL) {
>   carpstats.carps_badttl++;
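Review bot: the loop body copies `ifatoia(ifa)->ia_addr.sin_addr` before it tests `ifa->ifa_addr->sa_family == AF_INET`, so every non-INET entry on if_addrlist (the AF_LINK address at its head) is reinterpreted as a struct in_ifaddr first; move the family test in front of the assignment. The comment above the block also states the opposite of what the code does: it drops packets whose source *is* one of the receiving interface's addresses (our own advertisement echoed back), so reword it to say that. Finally the drop is silent; incrementing a carpstats counter the way the TTL check right below does (`carpstats.carps_badttl++`) would make the ESX symptom visible instead of looking like lost advertisements.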
> @@ -644,6 +668,28 @@
>   return (IPPROTO_DONE);
>   }
> 
> + /*
> +  * verify that the source address is not valid
> +  * for the interface it was received on. this
> +  * tends to happen with VMWare ESX vSwitches.
> +  */
> + if (carp_opts[CARPCTL_DROPECHOED]) {
> + struct ifnet *ifp = m->m_pkthdr.rcvif;
> + struct ifaddr *ifa;
> + IF_ADDR_LOCK(ifp);
> + TAILQ_FOREACH(ifa, &ifp->if_addrlist, ifa_list) {
> + struct in6_addr in6;
> + in6 = ifatoia6(ifa)->ia_addr.sin6_addr;
> + if (ifa->ifa_addr->sa_family == AF_INET6 &&
> + memcmp(&in6, &ip6->ip6_src, sizeof(in6)) == 0) {
> + m_freem(m);
> + IF_ADDR_UNLOCK(ifp);
> + return (IPPROTO_DONE);
> + }
> + }
> + IF_ADDR_UNLOCK(ifp);
> + }
> +
>   /* verify that the IP TTL is 255 */
>   if (ip6->ip6_hlim != CARP_DFLTTL) {
>   carpstats.carps_badttl++;
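Review bot: same ordering problem as the IPv4 hunk, `ifatoia6(ifa)->ia_addr.sin6_addr` is copied before the AF_INET6 test, and the two blocks are near-duplicates; a small helper taking the family and the source sockaddr would let both call sites share one walk of if_addrlist and one drop counter. The memcmp also ignores the scope zone of link-local sources, which is acceptable only because the list being walked belongs to the interface the packet arrived on; that assumption is worth a comment.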
> Index: ip_carp.h
> ===
> RCS file: /home/ncvs/src/sys/netinet/ip_carp.h,v
> retrieving revision 1.3
> diff -u -r1.3 ip_carp.h
> --- ip_carp.h 1 Dec 2006 18:37:41 -   1.3
> +++ ip_carp.h 26 Jul 2009 16:53:24 -
> @@ -1,4 +1,4 @@
> -/*   $FreeBSD: src/sys/netinet/ip_carp.h,v 1.3 2006/12/01 18:37:41 imp Exp $
> */
> +/*   $FreeBSD: src/sys/netinet/ip_carp.h,v 1.3.8.1 2009/04/15 03:14:26 
> kensmith
> Exp $ */
>  /*   $OpenBSD: ip_carp.h,v 1.8 2004/07/29 22:12:15 mcbride Exp $ */
> 
>  /*
> @@ -140,7 +140,8 @@
>  #define  CARPCTL_LOG 3   /* log bad packets */
>  #define  CARPCTL_STATS   4   /* statistics (read-only) */
>  #define  CARPCTL_ARPBALANCE  5   /* balance arp responses */
> -#define  CARPCTL_MAXID   6
> +#define  CARPCTL_DROPECHOED  6   /* drop packets echoed to the 
> sender */
> +#define  CARPCTL_MAXID   7
> 
>  #define  CARPCTL_NAMES { \
>   { 0, 0 }, \
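Review bot: CARPCTL_MAXID moves from 6 to 7 but the CARPCTL_NAMES table that begins right after it is not extended in this hunk; unless a later hunk adds a `{ "drop_echoed", CTLTYPE_INT }` entry in slot 6, the names array and the ID space disagree and sysctl(8) cannot reach the new variable by name.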



Re: Can't SSH into CARP'd system from the outside

2008-11-18 Thread Marco Pfatschbacher
On Thu, Nov 13, 2008 at 05:51:49PM -0800, Vivek Ayer wrote:
> Yay! I got ssh and http to work on the CARP interface. Thanks.
> 
> However, the httpd redirect is not working just yet on the CARP
> interface for one of the computers. Does IP balancing mess up
> redirect?

Well, that depends.
IP balancing computes a commutative hash of the source and destination
IP to decide which node accepts the packet.
If you do a rdr, you modify the destination, thus the hash is
different and the returning packet might end up on another node,
which has no knowledge about the pf-NAT state.

However, if you also NAT the outgoing packet to an address that
belongs to one node only, you'll get the reply.
That of course means that you won't have the client's original IP
address for your apache access logs.

IP balancing is no silver bullet.
I designed it as a simple solution for building a cluster of
load-balanced servers without the need for a separate load balancer.
A pf pair with no nat/rdr is also easy to build. Translation is hard.
 
> Here's my current pf.conf:
[...]
> # Basic CARP/pfsync pass rules
> pass on $carpdevs proto carp keep state

  this ^^^ is still wrong, btw. But your other rules seem to cover
  that traffic already anyway.
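
The node selection described in this message and in the 2009-10-12 reply above (a commutative hash over source and destination address, reduced modulo the number of carpnodes), as an added example that is not code from the original messages or from ip_carp.c. It models the `(src ^ dst) % number_of_nodes` rule as the author states it and checks, for each rdr in the 2009 thread, whether the forward packet and its reply land on the same node; it shows why rewriting 10.0.1.200 to 10.0.1.199 flips the parity and hands the reply to the other node, while the port-only rdr and the suggested odd address 10.0.1.201 do not. Assumptions: two nodes, the "node 0 / node 1" numbering and the client address 192.0.2.10 are ours, and addresses are compared in host byte order.

```c
#include <stdint.h>
#include <stdio.h>

/* Parse a dotted quad into a host-order 32-bit value; 0 on malformed input. */
static uint32_t
ip4(const char *s)
{
	uint32_t v = 0, octet = 0;
	int digits = 0, dots = 0;

	for (; *s != '\0'; s++) {
		if (*s >= '0' && *s <= '9') {
			octet = octet * 10 + (uint32_t)(*s - '0');
			if (++digits > 3 || octet > 255)
				return (0);
		} else if (*s == '.' && digits > 0) {
			v = (v << 8) | octet;
			octet = 0;
			digits = 0;
			dots++;
		} else
			return (0);
	}
	if (dots != 3 || digits == 0)
		return (0);
	return ((v << 8) | octet);
}

/*
 * Which of `nodes` cluster members accepts a packet from src to dst.
 * XOR is commutative, so the reply (src and dst swapped) hashes the same
 * as long as neither address was rewritten in between.
 */
static unsigned
carp_node(uint32_t src, uint32_t dst, unsigned nodes)
{
	return ((src ^ dst) % nodes);
}

/*
 * Does a pf rdr from `dst_before` to `dst_after` keep a connection on one
 * node?  The forward packet is hashed with the pre-rdr destination, the
 * reply with the post-rdr server address as its source.  Returns 1 if
 * both hash to the same node, 0 if the reply ends up on the other one.
 */
static int
rdr_keeps_node(const char *client, const char *dst_before,
    const char *dst_after, unsigned nodes)
{
	unsigned fwd = carp_node(ip4(client), ip4(dst_before), nodes);
	unsigned rep = carp_node(ip4(dst_after), ip4(client), nodes);

	return (fwd == rep);
}

int
main(void)
{
	const char *client = "192.0.2.10";	/* constructed client address */

	/* first rdr of the 2009 thread: port only, address unchanged */
	printf("8080->80 on 10.0.1.199 stays on one node: %d\n",
	    rdr_keeps_node(client, "10.0.1.199", "10.0.1.199", 2));
	/* second rdr: 10.0.1.200 -> 10.0.1.199, parity flips */
	printf("10.0.1.200 -> 10.0.1.199 stays on one node: %d\n",
	    rdr_keeps_node(client, "10.0.1.200", "10.0.1.199", 2));
	/* suggested workaround: odd address 10.0.1.201 -> 10.0.1.199 */
	printf("10.0.1.201 -> 10.0.1.199 stays on one node: %d\n",
	    rdr_keeps_node(client, "10.0.1.201", "10.0.1.199", 2));
	return (0);
}
```

With two nodes only the low bit of `src ^ dst` matters, which is why the odd/even trick works; with three or more carpnodes the full remainder counts and a rewrite that keeps `(client ^ server) % nodes` unchanged has to be checked address by address, which is what the function above does.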



Re: Can't SSH into CARP'd system from the outside

2008-11-13 Thread Marco Pfatschbacher
On Wed, Nov 12, 2008 at 11:40:36AM -0800, Vivek Ayer wrote:
> i don't think I understand. Clarify. you mean carpdev is like your
> physical interface..eth0, re0, etc.?

say you have a carp configured like:

carp0: flags=8843 mtu 1500
lladdr 00:00:5e:00:01:04
carp: MASTER carpdev em0 vhid 4 advbase 1 advskew 0
groups: carp
inet 1.2.3.4 netmask 0xff00 broadcast 1.255.255.255

As you can see, carp0 is using em0 as its carpdev.
A pf rule to pass ssh to the carp address would be:

 pass in on em0 inet proto tcp to (carp0) port 22

and NOT:

 pass in on carp0 inet proto tcp to (carp0) port 22
 
HTH,

   Marco



Re: Can't SSH into CARP'd system from the outside

2008-11-12 Thread Marco Pfatschbacher
On Tue, Nov 11, 2008 at 03:53:54PM -0800, Vivek Ayer wrote:
[...]
> # macros
[...]
> carpdevs = "{ carp0 , carp1 }"
[...]
> # pass rules
[...]
> pass in on $carpdevs inet proto tcp from any to ($ext_if) \
>port $tcp_services flags S/SA keep state # Allow SSH Access from Outside


just from a quick glance:
pf(4) never filters on carp interfaces, but on carp's physical
interface (aka carpdev).



Re: CARP not failing-over

2007-11-24 Thread Marco Pfatschbacher
On Sat, Nov 24, 2007 at 05:14:04PM +0700, Insan Praja SW wrote:
> The ifconfig:
> Machine A#
[...]
> vlan2: flags=8943 mtu 1500
> lladdr 00:15:17:25:0a:9e
> vlan: 2 priority: 0 parent interface: em2
> groups: vlan
> inet6 fe80::215:17ff:fe25:a9e%vlan2 prefixlen 64 scopeid 0x9
> vlan22: flags=8943 mtu 1500
> lladdr 00:15:17:25:0a:9d
> vlan: 22 priority: 0 parent interface: em0
> groups: vlan
> inet6 fe80::215:17ff:fe25:a9d%vlan22 prefixlen 64 scopeid 0xa
[...]
> carp0: flags=b843 mtu
> 1500
> lladdr 00:00:5e:00:01:01
> carp: MASTER carpdev vlan2 vhid 1 advbase 1 advskew 0
> groups: carp
> inet6 fe80::200:5eff:fe00:101%carp0 prefixlen 64 scopeid 0xc
> inet 202.149.93.12 netmask 0xfff0 broadcast 202.149.93.15
> carp1: flags=8843 mtu 1500
> lladdr 00:00:5e:00:01:02
> carp: BACKUP carpdev vlan2 vhid 2 advbase 1 advskew 100
> groups: carp
> inet6 fe80::200:5eff:fe00:102%carp1 prefixlen 64 scopeid 0xd
> inet 202.149.93.12 netmask 0xfff0 broadcast 202.149.93.15
> carp2: flags=b843 mtu
> 1500
> lladdr 00:00:5e:00:01:03
> carp: MASTER carpdev vlan22 vhid 3 advbase 1 advskew 0
> groups: carp
> inet6 fe80::200:5eff:fe00:103%carp2 prefixlen 64 scopeid 0xe
> inet 202.149.93.97 netmask 0xfff0 broadcast 202.149.93.111
> carp3: flags=8843 mtu 1500
> lladdr 00:00:5e:00:01:04
> carp: BACKUP carpdev vlan22 vhid 4 advbase 1 advskew 100
> groups: carp
> inet6 fe80::200:5eff:fe00:104%carp3 prefixlen 64 scopeid 0xf
> inet 202.149.93.97 netmask 0xfff0 broadcast 202.149.93.111

vlan2 and vlan22 need an IP in the same network as their carp interfaces.
IP Balancing currently doesn't work for the 'carpdev is ip-less' case.



Re: carp ip loadbalancing bug ?

2007-11-04 Thread Marco Pfatschbacher
On Sun, Nov 04, 2007 at 01:17:19PM +0100, [EMAIL PROTECTED] wrote:
>
> but we check our switches ( HP 2824 ) and my networker says that we have old 
> revision of firmware inside.
> we will update this at monday  and that we test it again.

I don't think that's necessary. It's not a bug in the switch.

> is the link2 option an replacement for link1 ?

no, you need link0,link1,link2

Just like it's written in the manual...

> holger
> 
> Quoting from carp(4):
> 
>  Please note that activating stealth mode on a carp interface that has al-
>  ready been running might not work instantly.  As a workaround the VHID
>  can be changed to a previously unused one, or just wait until the MAC
>  table entry in the switch times out.
> 
>  Some Layer-3 switches do port learning based on ARP packets.  Therefore
>  the stealth mode cannot hide the virtual MAC address from these kind of
>  devices.  In such cases, carp can be told to use a multicast MAC address
>  by additionally enabling the link2 flag.
   ^^
There's work in progress to make the configuration easier.
However, sometimes I wonder why we bother to write manuals that no one reads.



Re: carp ip loadbalancing bug ?

2007-11-04 Thread Marco Pfatschbacher
On Fri, Nov 02, 2007 at 09:53:46AM +0100, [EMAIL PROTECTED] wrote:
> hi
> 
> yes the em0 ist member of the /22 network and the carpdev opion ist an old 
> setting from the start of this cluster
> where i setup no ip on the interface.
> 
> should i try this ip balancing whitout this option ?

No, it's redundant to use carpdev in this case, but it doesn't matter.

Do you see the traffic incoming on both machines?
Maybe the link2 mode works better for you...
Quoting from carp(4):

 Please note that activating stealth mode on a carp interface that has al-
 ready been running might not work instantly.  As a workaround the VHID
 can be changed to a previously unused one, or just wait until the MAC
 table entry in the switch times out.

 Some Layer-3 switches do port learning based on ARP packets.  Therefore
 the stealth mode cannot hide the virtual MAC address from these kind of
 devices.  In such cases, carp can be told to use a multicast MAC address
 by additionally enabling the link2 flag.



Re: carp ip loadbalancing bug ?

2007-10-31 Thread Marco Pfatschbacher
On Wed, Oct 31, 2007 at 11:26:48AM +0100, holger glaess wrote:
> hi
> 
> i did the carp ip loadbalancing setup as describe at the man page.
> 
> i did it on an full funktional carp cluster that means that carp an pf is ok.
> 
> host A:
> 
> inet 10.100.0.254 255.255.252.0 10.100.3.255 carpdev em0 vhid 25 pass 
> office2world link0 link1 group lan_if
> inet alias 10.100.1.253 255.255.252.0 NONE
 
Your configuration looks sane.
Currently I'm aware of one problem with ip balancing: It doesn't work
for the 'carpdev' case. Is your em0 interface also part of the same
/22 as carp?

Marco



Re: CARP problem

2007-10-23 Thread Marco Pfatschbacher
On Tue, Oct 23, 2007 at 11:10:32AM +0200, Heinrich Rebehn wrote:
>
> Googling showed up quite a few posts of people having problems with CARP 
> and the "incorrect hash" message, but none really helped me.

The most common reason for "incorrect hash" messages is
that your configuration isn't in sync. That includes all
IP addresses and the password.

Seems like that's the case in your setup:

> carp0: flags=8843 mtu 1500
>   lladdr 00:00:5e:00:01:0a
>   carp: MASTER carpdev vlan0 vhid 10 advbase 1 advskew 0
>   groups: carp
>   inet6 fe80::200:5eff:fe00:10a%carp0 prefixlen 64 scopeid 0xa
>   inet 134.102.176.250 netmask 0xff00 broadcast 134.102.176.255
>   inet 134.102.176.202 netmask 0xff00 broadcast 134.102.176.255

vs.

> carp0: flags=8802 mtu 1500
>   lladdr 00:00:5e:00:01:0a
>   carp: INIT carpdev vlan0 vhid 10 advbase 1 advskew 100
>   groups: carp
>   inet6 fe80::200:5eff:fe00:10a%carp0 prefixlen 64 scopeid 0xb
>   inet 134.102.176.250 netmask 0xff00 broadcast 134.102.176.255

dunno where you got 134.102.176.202 from, though...

> hostname.carp0:
> inet 134.102.176.250 255.255.255.0 134.102.176.255 vhid 10 pass xxx10 carpdev 
> vlan0 advskew 100 state backup
> 

You shouldn't use "state backup" here.  The higher advskew is sufficient.
"state" is only needed for manual intervention.



Re: carp ip balancing (-current)

2007-09-25 Thread Marco Pfatschbacher
On Tue, Sep 25, 2007 at 08:57:19AM -0700, dane johansen wrote:
> I went to colo, and checked what happened, as soon as a type:
> ifconfig carp0 10.10.10.110 netmask 255.255.248.0 vhid 7 advskew 100
> I get:
> ifconfig carp0 10.10.10.110 netmask 255.255.248.0 vhid 7 advskew 100
> uvm_fault(0xd6a07524, 0x0, 0, 3) -> e
> kernel: page fault trap, code=0
> Stopped at carp_join_multicast+0x32:movl %eax, 0(%edx)
> ddb>

You were unlucky and stepped on a bug in -current.
Claudio fixed that already:
 http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet/ip_carp.c?f=h#rev1.151



Re: carp ip balancing (-current)

2007-09-23 Thread Marco Pfatschbacher
On Wed, Sep 19, 2007 at 09:07:52PM -0700, dane johansen wrote:
> Hi,
> 
> I'm trying CARP ip balancing on openbsd 4.2 (-current). I have 3 boxes (host
> A, host B and host C) so I started configuring carp interfaces according
> manual:
> 
> A# ifconfig carp0 10.10.10.100 netmask 255.255.248.0 vhid 7 link0 link1
> A# ifconfig carp1 10.10.10.100 netmask 255.255.248.0 vhid 8 advskew 100
> 
> B# ifconfig carp0 10.10.10.100 netmask 255.255.248.0 vhid 7 advskew 100
> link0 link1
> B# ifconfig carp1 10.10.10.100 netmask 255.255.248.0 vhid
> 
> At this point everything works but there is no IP load balancing, because on
> host B both interfaces are in backup mode. So I've enabled carp preempt on
> both hosts:
> 
> A# sysctl net.inet.carp.preempt=1
> B# sysctl net.inet.carp.preempt=1
> 
> Now carp1 is master on host B, and it's doing load balancing, so i decided
> to add host C (maybe we need to add this to example section in the manual,
> like it's done for arp load balancing? Or is it just coincidence and you
> don't really need carp preemtp?):

Looks all correct. And yes, you do need to enable carp preempt.

> C# ifconfig carp0 10.10.10.100 netmask 255.255.248.0 vhid 7 advskew 200
> link0 link1
 
Nothing wrong with that.
However, if you want to spread the load over 3 servers you'll need
3 carp interfaces each, where each server should be master for one
of them.

> As soon as I wrote this command I lost connection to host C (did that
> remotely), so I guess tomorrow I'll have to check what happened, but maybe
> someone knows what I did wrong (maybe advskew should be equal for all backup
> hosts in the pool? But I assumed that you have to manage priorities, that's
> why I've set it to 200, or maybe the fact that I've set carp.preempt is
> messing around something?)
 
Not supposed to happen.
Do you have more info about what went wrong on host C?


Marco



Re: Convergence time with carp(4)

2007-03-26 Thread Marco Pfatschbacher
On Sun, Mar 25, 2007 at 08:23:25PM +0200, Jeremie Le Hen wrote:
> > Btw, you might consider using ifstated(8)
> > instead of scripting sth w/ ifconfig(8).
> 
> I don't understand what you are saying here.  I explicitly showed
> the commands which can lead to my setup.  They are usually handled
> by netstart(8) and hostname.if(5).
 
Yes, that's just fine.
I assumed you were running some sort of monitoring script.



Re: CARP flip flop problems

2007-03-25 Thread Marco Pfatschbacher
On Fri, Mar 23, 2007 at 12:38:44PM +1200, Nigel Roberts wrote:
[...]
> You can see when the state change happens. The backup host advertises
> with advskew of 100, advbase of 2 and promptly decides it's the master
> until the next advertisement arrives from the machine that really
> should be the master. The backup also issues a CARP IPv6 announcement,
> which is strange because we don't have IPv6 configured.

That is not supposed to happen.
carp should not send IPv6 advertisements.
Mind sharing your configuration?



Re: Convergence time with carp(4)

2007-03-25 Thread Marco Pfatschbacher
On Fri, Mar 23, 2007 at 04:35:31PM +0100, Jeremie Le Hen wrote:
[...]
> - We are using stock OpenBSD 4.0 for our test.
[...]
> Without running ifconfig(8) too often, the convergence time is a
> few seconds but we managed to increase the delay up to 2 minutes
> with this trick.
 
This is fixed in 4.0-stable, which you really should be using.
 (see http://www.openbsd.org/errata40.html#m_dup1).

Either update via CVS or apply this patch:
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet6/in6.c.diff?r1=1.68&r2=1.68.2.1

Btw, you might consider using ifstated(8)
instead of scripting sth w/ ifconfig(8).



Re: keyboard lockup, KVM, dual-boot

2007-02-26 Thread Marco Pfatschbacher
On Sun, Feb 25, 2007 at 06:10:43PM +0100, Stefan Kell wrote:
> Hallo list,
> 
> I want to use this machine as a dual-boot system together with windows. It 
> is connected to a standard PS2-KVM, no USB-mouse or keyboard. Installation 
> of both Windows and OpenBSD 4.0 from CDs worked without any problems. But 
> now if I boot OpenBSD from harddisk the keyboard is locked at the login 
> prompt.
> 
> But I can use the keyboard in the BIOS, for the boot-manager, with the
> standard boot-prompt of OpenBSD and within UKC. So something later in the
> boot process is locking the keyboard.
> 
> I tried to use X-Windows but there is the problem that the mouse is not
> responding. Maybe this is related?
> 
> Any suggestions? Dmesg follows

Try a snapshot.

mickey committed a fix for this:
 http://marc.theaimsgroup.com/?l=openbsd-cvs&m=117025451820884&w=2



Re: carp weirdness

2006-09-15 Thread Marco Pfatschbacher
On Fri, Sep 15, 2006 at 12:49:20PM -0700, Tom Bombadil wrote:
> Greetings all... This was probably discussed before, but I couldn't
> really find anything in the archives.
> 
> 1) We have a carp0 interface with a few aliases in it, and carp works
> fine between master (SERVER-A) and backup (SERVER-B)... until...
> 
> 2) ... we plumb another new alias into SERVER-B's carp0. Then the
> status of carp0 on SERVER-B goes from BACKUP to MASTER, even though the
> advskew on SERVER-A is lower (0) than SERVER-B's advskew (127).

carp only accepts advertisements if the configuration (hash) is identical.
 
> 3) Now, we have both servers saying carp0 is MASTER, and some
> connectivity problems going on, and this in the logs:
> Sep 15 04:00:02 fw1 /bsd: carp0: incorrect hash

Of course. Both hosts use the same MAC and IP address.
 
> 4) We haven't tested it, but it seems that if we have added the alias to
> SERVER-A first, the problem would still happen, because the hash would
> be different as well.
> 
> Question: what's the best way to add an alias to carp, and avoid this
> problem?

ifconfig down the carp on the backup, add the alias on the backup,
add the alias on the master, ifconfig up the backup.



Re: carp: packet too short 40 on carp0

2006-07-21 Thread Marco Pfatschbacher
On Fri, Jul 21, 2006 at 02:50:04PM +1000, Alex Strawman wrote:
> I'm experiencing some weird carp issues - it is working ok, however my
> logs are being filled with this:
> 
> the systems are in an environment with ciscowned vrrp traffic - is
> that the cause?

Likely,
though by default carp shouldn't log those packets.
Did you change net.inet.carp.log to '1'?



Re: problems with carp and vlans

2006-04-20 Thread Marco Pfatschbacher
On Thu, Apr 20, 2006 at 05:42:20PM +0200, Otto Moerbeek wrote:
> 
> On Thu, 20 Apr 2006, Lars Weste wrote:
> 
> > Hi,
> > 
> > Yes, I am running 3.8 -stable, and the backup has a higher advbase than
> 
> err, for preemption to work, the advskew should be higher on the backup.
> At least, that is what carp(4) says.

Yes,

actually you should have an identical advbase, but a
higher advskew on the backup.
If the master box loses one of its links, it bumps the advskew
to 240 so that the backup has a chance to take over all carp interfaces.

> > the master. Nevertheless, my problem doesn't seem to be the vlan 
> > interface itself, it is just a general problem keep the interfaces in 
> > sync, as ryan describes here:
> > 
> > http://www.countersiege.com/doc/ifstated/

That document describes the carp behaviour at the time of 3.5.
Ever since then, it takes care of that by itself.

> > so I am wondering whether I have to use ifstated, and to check all 
> > interfaces, or whether there is some new feature, that will do the trick.

The latter.
Ifstated is useful for some more advanced monitoring or reporting cases.



Re: problems with carp and vlans

2006-04-20 Thread Marco Pfatschbacher
Hi,

did you remember to configure the backup machine
with a higher advskew / advbase?
Are you running -stable?

I'm not aware of any other problems in 3.8 that might cause this.

On Wed, Apr 19, 2006 at 08:59:01AM +0200, Lars Weste wrote:
> Hi, 
> 
> I have some problems with carp and vlans, at least I think so. 
> I found this: 
> http://archives.neohapsis.com/archives/openbsd/cvs/2005-04/0996.html
> so my assumption may be wrong, as I use openbsd 3.8.
> 
> I have four physical 
> interfaces in my two firewalls, one for pfsync, one to the Internet, DMZ 
> and LAN. At the LAN interface seven VLAN interfaces are configured. The 
> Internet and DMZ interfaces are on em(4) and the pfsync and LAN vlans on 
> a bge(4) interface. 
> 
> When I remove one of the Internet or DMZ cables, all Interfaces on both 
> firewalls behave as expected, the Interface where the cable is removed, 
> goes to state INIT, the others become backup. When I do this with the LAN 
> interface, then all carp interfaces for the seven vlans go to master 
> state, but the two remaining carp interfaces for the Internet and DMZ 
> stay in backup mode.
> 
> my configuration on both hosts:
> net.inet.carp.preempt=1
> net.inet.carp.allow=1
> net.inet.carp.arpbalance=0
> 
> 
> hostname.carp0
> !ifconfig em0 up
> vhid 1 carpdev em0 172.16.0.1 172.16.0.255 netmask 255.255.255.0 up
> 
> hostname.carp1
> !ifconfig em1 up
> vhid 1 carpdev em1 172.16.1.1 172.16.1.255 netmask 255.255.255.0 up
> 
> 
> hostname.carp2 
> !ifconfig bge0 up
> !ifconfig vlan0 create
> !ifconfig vlan0 vlan 3 vlandev bge0 up
> vhid 1 carpdev vlan0 192.168.0.1 192.168.1.255 netmask 255.255.254.0 up
> 
> hostname.carp3 up to hostname.carp9 (only the vlan interface numbers and 
> ip addresses are different)
> !ifconfig vlan1 create
> !ifconfig vlan1 vlan 4 vlandev bge0 up
> vhid 1 carpdev vlan0 192.168.2.1 192.168.3.255 netmask 255.255.254.0 up
> 
> 
> I also tried to use the em interfaces for the vlan devices, with the same
> result, the interfaces do not stay in sync. Assume the following: I
> remove a cable from the backup host from the carp interfaces, doesn't
> matter which one. The carp interface goes into init state, then I plug it
> back in, and the interface goes into backup state. But with a chance of
> about 1 of 5 the interface changes its state from backup to master, but
> the other interfaces stay in backup mode. The second host has all
> interfaces as master but the one as backup where at the first host the
> corresponding interface is in master mode.
> 
> 
> I also tried with different vhids on all interfaces, but with no
> different results. Does anybody know how to keep the carp interfaces on the
> vlan devices in the same state as the carp interfaces bound to the physical
> interfaces? Any hint would be greatly appreciated.
> 
> 
> lars
> 
> -- 



Re: aliases with carp

2006-04-10 Thread Marco Pfatschbacher
On Wed, Apr 05, 2006 at 03:16:04PM -0700, Gustavo A. Baratto wrote:
> Greetings all...
> 
> We were trying to upgrade a couple of boxes (fw1 and fw2) running 3.6 to
> 3.8, but we came across an interesting problem with carp...
> 
> First we installed 3.8 from scratch on just fw2, and kept fw1 in
> production with 3.6.
> once fw2 was done, we tried just to plumb the carp interfaces with high
> advskew, so fw2 would still be BACKUP.
> 
> So, we first added carp1 (described below) with this command:
> fw2# sh /etc/netstart carp1.
 
Hi,

the problem is that if you run /etc/netstart on an already configured
interface you'll end up w/ a different order of your IP addresses.
Carp calculates a configuration hash over all addresses of an
interface. If the order is changed, the hash is different and
therefore the backup hosts ignore the carp packets and become master.

As a workaround you could destroy the carp interfaces first:

 # ifconfig carp1 destroy && sh /etc/netstart carp1

In 3.9 we always compute the hash w/ the IP addresses in sorted order.
This will solve your problem.
But please note that you might experience interop problems between
carp hosts running 3.9 and pre-3.9.

Marco
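The two ordering effects discussed in this thread and in the "carp weirdness" thread above (a re-run of netstart changing address order on one host, and an alias added on the backup only) can be seen in a small model of the configuration hash. This is an added example, not code from the mailing list or from the OpenBSD kernel: carp(4) does authenticate advertisements with an HMAC-SHA1 that covers the vhid and the interface's addresses, but the key handling, counters and exact byte layout below are simplified, and all addresses and the shared secret are constructed for the demonstration. The `sort_addresses` flag stands for the pre-3.9 (configuration order) versus 3.9 (sorted) behaviour the reply describes.

```python
import hashlib
import hmac
import ipaddress

# Constructed shared secret; on a real system it comes from `ifconfig carpN pass`.
KEY = b"constructed-demo-pass"


def config_hash(vhid, addresses, key=KEY, sort_addresses=True):
    """Simplified model of carp's configuration hash: HMAC-SHA1 over the vhid
    and the interface's packed addresses.

    sort_addresses=False models pre-3.9 (hash in configuration order),
    sort_addresses=True models 3.9 (addresses sorted before hashing).
    """
    addrs = [ipaddress.ip_address(a) for a in addresses]
    if sort_addresses:
        addrs.sort(key=lambda a: (a.version, a.packed))
    msg = bytes([vhid]) + b"".join(a.packed for a in addrs)
    return hmac.new(key, msg, hashlib.sha1).digest()


def advertisement_accepted(vhid, receiver_addrs, sender_addrs,
                           receiver_sorts, sender_sorts):
    """A receiver accepts an advertisement only if the sender's hash equals the
    one it computes over its own configuration; otherwise it logs
    'incorrect hash', ignores the packet and, as backup, eventually goes MASTER.
    Each side applies its own version's ordering rule, so mixed 3.9/pre-3.9
    pairs are modelled by passing different flags."""
    mine = config_hash(vhid, receiver_addrs, sort_addresses=receiver_sorts)
    theirs = config_hash(vhid, sender_addrs, sort_addresses=sender_sorts)
    return hmac.compare_digest(mine, theirs)


def netstart_rerun_splits_brain(pre_39=True):
    """'aliases with carp': fw2 re-ran /etc/netstart and now has the same
    addresses as fw1 in a different order (constructed addresses).
    Returns True when the backup rejects the master's advertisements."""
    fw1 = ["192.0.2.1", "192.0.2.2", "192.0.2.3"]
    fw2 = ["192.0.2.3", "192.0.2.1", "192.0.2.2"]
    sorts = not pre_39
    return not advertisement_accepted(7, fw2, fw1, sorts, sorts)


def alias_added_on_backup_only():
    """'carp weirdness': one extra alias on the backup changes the hash even
    with sorted hashing, which is why the alias has to be added on both
    hosts (backup downed first) before the backup comes up again."""
    master = ["192.0.2.1", "192.0.2.2"]
    backup = ["192.0.2.1", "192.0.2.2", "192.0.2.4"]
    return not advertisement_accepted(7, backup, master, True, True)


def mixed_versions_interop(configured):
    """3.9 master (sorts) advertising to a pre-3.9 backup (does not sort) that
    has the identical configured list: only works if that list happens to be
    in sorted order already, which is the interop caveat in the reply."""
    return advertisement_accepted(7, configured, configured,
                                  receiver_sorts=False, sender_sorts=True)


if __name__ == "__main__":
    print("pre-3.9, reordered by netstart -> both MASTER:",
          netstart_rerun_splits_brain(pre_39=True))
    print("3.9, reordered by netstart   -> still fine:",
          not netstart_rerun_splits_brain(pre_39=False))
    print("alias on backup only         -> incorrect hash:",
          alias_added_on_backup_only())
    print("3.9 <-> pre-3.9, sorted config:", mixed_versions_interop(["192.0.2.1", "192.0.2.2"]))
    print("3.9 <-> pre-3.9, unsorted config:", mixed_versions_interop(["192.0.2.2", "192.0.2.1"]))
```

The workaround in the reply (destroy the interface and re-run netstart) works because it restores the original configuration order on the backup, so both hosts hash the same byte sequence again; sorted hashing in 3.9 removes the dependence on order altogether, at the price of the mixed-version mismatch shown by `mixed_versions_interop`.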



Re: Strange behaviour of ``ifconfig -alias''

2006-01-27 Thread Marco Pfatschbacher
On Fri, Jan 27, 2006 at 02:18:10PM +0100, Alexander Hall wrote:
> Hi!
> 
> I just noticed (the hard way) a strange behaviour of ifconfig. In short, 
> if I supply a netmask when removing an alias with ``-alias '', 
> it is not, as one would expect, ignored, but rather used as the netmask 
> for the primary address of the interface.
> 
> While it would not be necessary to supply the netmask when removing an 
> alias, I cannot see that this behaviour would be expected. I would 
> rather expect an error or that the netmask was ignored.
> 
> Or am I totally wrong?
> 
> Example follows:
> 
> $ ifconfig xl0
> xl0: flags=8843 mtu 1500
> lladdr 00:06:5b:36:f8:e1
> groups: egress
> media: Ethernet autoselect (100baseTX full-duplex)
> status: active
> inet6 fe80::206:5bff:fe36:f8e1%xl0 prefixlen 64 scopeid 0x1
> inet 192.168.2.130 netmask 0xff00 broadcast 192.168.2.255
> $ sudo ifconfig xl0 inet alias 192.168.2.140 netmask 255.255.255.255
> $ ifconfig xl0
> xl0: flags=8843 mtu 1500
> lladdr 00:06:5b:36:f8:e1
> groups: egress
> media: Ethernet autoselect (100baseTX full-duplex)
> status: active
> inet6 fe80::206:5bff:fe36:f8e1%xl0 prefixlen 64 scopeid 0x1
> inet 192.168.2.130 netmask 0xff00 broadcast 192.168.2.255
> inet 192.168.2.140 netmask 0x broadcast 192.168.2.140
> $ sudo ifconfig xl0 inet -alias 192.168.2.140 netmask 255.255.255.255
> ifconfig: SIOCAIFADDR: File exists
> $ ifconfig xl0
> xl0: flags=8843 mtu 1500
> lladdr 00:06:5b:36:f8:e1
> groups: egress
> media: Ethernet autoselect (100baseTX full-duplex)
> status: active
> inet6 fe80::206:5bff:fe36:f8e1%xl0 prefixlen 64 scopeid 0x1
> inet 192.168.2.130 netmask 0x broadcast 192.168.2.130
>^^
>  madness

http://marc.theaimsgroup.com/?l=openbsd-misc&m=111852853930931



Re: Dead switch, a quick carp failover question

2006-01-02 Thread Marco Pfatschbacher
On Sun, Jan 01, 2006 at 10:52:43PM +, Karl O. Pinc wrote:
> On 01/01/2006 03:09:03 PM, Marco Pfatschbacher wrote:
> >On Sun, Jan 01, 2006 at 12:28:42AM +, Karl O. Pinc wrote:
> >[...]
> >> Suppose I have 2 firewalls, one failing over to the
> >> other with carp. (net.inet.carp.preempt=1 on
> >> both firewalls.)  Each has 3 interfaces, internet,
> >> lan, and dmz.  The dmz has, say, a webserver.
> >> Now to connect the 2 firewalls to the webserver
> >> an additional switch/hub is required in the physical
> >> topology.
> >>
> >[...]
> >> If the dmz interfaces go down, then does this
> >> not shut off all the carp interfaces on both
> >> firewalls as a group, turning off the parts
> >> of both firewalls that are still functioning?
> >[...]
> [...]
> >In your scenario, both firewalls would change their advskew to 240.
> >But a takeover only happens if one has a lower advskew, not if they
> >are equal. Therefore you should be just fine.
> 
> So then what happens next when, say, the internet interface
> goes down on just the master firewall?   Even though the backup has
> two working interfaces and the master only one, the advskew
> everywhere is already at 240 and the backup will not
> become the master.  Right?  (Seems like when
> net.inet.carp.preempt=1 the advskew should keep going
> up as more interfaces go down.)

Although it's rather hypothetical to have two broken switches
at the same time, your assumptions are correct.
The backup will not take over.
Actually I already have a diff that solves this issue.
If you're following -current and like to test it, drop me a line.

Marco



Re: Dead switch, a quick carp failover question

2006-01-01 Thread Marco Pfatschbacher
On Sun, Jan 01, 2006 at 12:28:42AM +, Karl O. Pinc wrote:
[...] 
> Suppose I have 2 firewalls, one failing over to the
> other with carp. (net.inet.carp.preempt=1 on
> both firewalls.)  Each has 3 interfaces, internet,
> lan, and dmz.  The dmz has, say, a webserver.
> Now to connect the 2 firewalls to the webserver
> an additional switch/hub is required in the physical
> topology.
> 
[...] 
> If the dmz interfaces go down, then does this
> not shut off all the carp interfaces on both
> firewalls as a group, turning off the parts
> of both firewalls that are still functioning?
[...] 

Link failures on any physical interface that is used
together with carp let all carp interfaces change
their advskew to 240.
This way a backup host with net.inet.carp.preempt=1 and an
advskew lower than 240 can preempt all of the faulty host's
carp interfaces.

In your scenario, both firewalls would change their advskew to 240.
But a takeover only happens if one has a lower advskew, not if they
are equal. Therefore you should be just fine. No need for ifstated.


Marco
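The election rules used in this reply and in the follow-up above (advskew bumped to 240 on any link failure, preemption only by a host advertising a strictly lower advbase/advskew, no takeover when both sides sit at 240) can be checked with a small model of the master election. This is an added example and not code from the thread or from carp(4) itself: timing, the advertisement timers and the actual packet exchange are left out, the model simply compares the advertised intervals, and all host names and link states are constructed.

```python
from dataclasses import dataclass, field

# advskew a host advertises on every carp interface once one of its
# carp-attached physical links is down (as described in the reply)
ADVSKEW_FAILED = 240


@dataclass
class Host:
    name: str
    advskew: int
    advbase: int = 1
    preempt: bool = False                       # net.inet.carp.preempt
    links_up: dict = field(default_factory=dict)  # physical interface -> up?

    def effective_advskew(self) -> int:
        # A single down link degrades all carp interfaces of this host at once.
        if any(not up for up in self.links_up.values()):
            return ADVSKEW_FAILED
        return self.advskew

    def adv_interval(self) -> tuple:
        # carp compares advbase first and advskew second (advskew is 1/256 s);
        # a shorter interval means a "better" master candidate.
        return (self.advbase, self.effective_advskew())


def elect_master(hosts, current_master):
    """Return the host that ends up MASTER.

    While the current master keeps advertising, a backup only takes over when
    it has preempt enabled and advertises a strictly shorter interval (lower
    advbase/advskew); equal intervals never cause a takeover.  If the master
    is absent from `hosts` (stopped advertising entirely), the remaining host
    with the shortest interval wins.
    """
    if current_master not in hosts:
        return min(hosts, key=lambda h: (h.adv_interval(), h.name))
    best = current_master
    for h in hosts:
        if h is current_master or not h.preempt:
            continue
        if h.adv_interval() < best.adv_interval():
            best = h
    return best


def dmz_switch_dies():
    """Karl's scenario: the shared DMZ switch fails, so both firewalls lose a
    link and both advertise 240.  Equal skew: the master stays master."""
    fw1 = Host("fw1", advskew=0, preempt=True, links_up={"dmz": False, "wan": True})
    fw2 = Host("fw2", advskew=100, preempt=True, links_up={"dmz": False, "wan": True})
    return elect_master([fw1, fw2], current_master=fw1).name


def master_loses_second_link():
    """Karl's follow-up: with both already at 240, the master also loses its
    WAN link.  Its skew cannot rise above 240, so the backup still does not
    take over, even though it has more working interfaces."""
    fw1 = Host("fw1", advskew=0, preempt=True, links_up={"dmz": False, "wan": False})
    fw2 = Host("fw2", advskew=100, preempt=True, links_up={"dmz": False, "wan": True})
    return elect_master([fw1, fw2], current_master=fw1).name


def only_master_loses_link(preempt):
    """Only the master loses a link.  With preempt the backup (skew 100 < 240)
    takes over all carp interfaces; without preempt nothing happens while the
    master keeps advertising."""
    fw1 = Host("fw1", advskew=0, preempt=preempt, links_up={"wan": False})
    fw2 = Host("fw2", advskew=100, preempt=preempt, links_up={"wan": True})
    return elect_master([fw1, fw2], current_master=fw1).name


def master_stops_advertising():
    """Master powered off: the backup wins regardless of preempt."""
    fw2 = Host("fw2", advskew=100, links_up={"wan": True})
    return elect_master([fw2], current_master=None).name


if __name__ == "__main__":
    print("DMZ switch dies, both at 240      ->", dmz_switch_dies())
    print("master loses a second link too    ->", master_loses_second_link())
    print("master link down, preempt=1       ->", only_master_loses_link(True))
    print("master link down, preempt=0       ->", only_master_loses_link(False))
    print("master gone                       ->", master_stops_advertising())
```

The second scenario is the gap the follow-up reply acknowledges: once every carp interface is at 240, further link losses on the master are invisible to the election, which is what the diff mentioned there was meant to address.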



Re: ifstated.conf documentation problem?

2006-01-01 Thread Marco Pfatschbacher
On Sun, Jan 01, 2006 at 01:50:58AM +, Karl O. Pinc wrote:
> man 5 ifstated.conf says:
> 
> "The init block is used
> to initialise the state and is executed each time the
> state is entered."
> 
> But this does not seem to be true if you use 'init-state'
> to enter the state.  Or maybe there's something else
> wrong with my config below, or with ifstated when there's
> no body.  Or something.

Hi,

the problem is that on state changes further set-state actions are
ignored.  The patch below should fix that.  The issue has already been
reported by Holger Mikolon, whose patch I slightly modified.

However, your config is way too complicated.
This should do it:

--snip-
carp_up = "carp0.link.up"

if $carp_up
run "touch /tmp/am_master"
if ! $carp_up
run "rm /tmp/am_master"
--snip-

But feel free to test the patch as well :-)


Index: ifstated.c
===
RCS file: /cvs/src/usr.sbin/ifstated/ifstated.c,v
retrieving revision 1.22
diff -u -p -r1.22 ifstated.c
--- ifstated.c  28 Jul 2005 16:59:42 -  1.22
+++ ifstated.c  1 Jan 2006 19:10:09 -
@@ -69,7 +69,7 @@ void  fetch_state(void);
 void   usage(void);
 void   adjust_expressions(struct ifsd_expression_list *, int);
 void   eval_state(struct ifsd_state *);
-void   state_change(void);
+intstate_change(void);
 void   do_action(struct ifsd_action *);
 void   remove_action(struct ifsd_action *, struct ifsd_state *);
 void   remove_expression(struct ifsd_expression *, struct ifsd_state *);
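Review bot: the new prototype renders as `intstate_change(void);`, so the separator between the return type and the function name that aligns the other declarations in this list appears to have been lost; keep it formatted like the surrounding `void` prototypes so the declaration list stays column-aligned.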
@@ -494,14 +494,15 @@ eval_state(struct ifsd_state *state)
if (external == NULL || external->lastexec >= state->entered ||
external->lastexec == 0) {
do_action(state->always);
-   state_change();
+   while (state_change())
+   do_action(conf->curstate->always);
}
 }
 
 /*
  *If a previous action included a state change, process it.
  */
-void
+int
 state_change(void)
 {
if (conf->nextstate != NULL && conf->curstate != conf->nextstate) {
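Review bot: the `while (state_change()) do_action(conf->curstate->always);` loop has no upper bound, so two states whose init or always blocks each set-state to the other would keep re-entering state_change() and never return to the event loop; a small hop counter (or detecting that a state is revisited within one eval pass) that stops and logs the loop would keep a misconfigured ifstated.conf from spinning. The comment block above state_change(), "If a previous action included a state change, process it.", should also say that the function now returns 1 when a change was processed and 0 otherwise, since that return value is what the new loop relies on.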
@@ -519,7 +520,9 @@ state_change(void)
fetch_state();
do_action(conf->curstate->init);
fetch_state();
+   return (1);
}
+   return (0);
 }
 
 /*
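Review bot: `return (1)` is placed after the nested `do_action(conf->curstate->init)` and `fetch_state()`, which is what lets the caller pick up a further set-state issued from the init block, but the `return (0)` path also covers `conf->nextstate == conf->curstate`, so a set-state naming the state that is already current is silently dropped and its init block is not re-run. Given that the reporter quotes the manual as saying init runs each time the state is entered, a note in the commit message on whether that case is intentional would help.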



Re: Weird ifconfig issue

2005-06-11 Thread Marco Pfatschbacher
On Sat, Jun 11, 2005 at 02:12:55AM -0400, Michael Erdely wrote:
[...]
> $ sudo ifconfig xl0 inet alias 192.168.25.49 \
> netmask 255.255.255.255 broadcast 192.168.25.49
[...]
> $ sudo ifconfig xl0 inet -alias 192.168.25.49 \
> netmask 255.255.255.255 broadcast 192.168.25.49
[...]
> 
> Then, network connectivity is restored.  Generally, I remove aliases
> with just "ifconfig xl0 inet -alias 192.168.25.49", but I think it's
> reasonable for an admin to try the example above.
> 
> So... is this expected behavior?

ifconfig does strange things if it's used the wrong way.
And that's what most people seem to do...

From ifconfig(8):

 ifconfig [interface] [address_family] [address [dest_address]]
  [parameters]

"alias" is a parameter. Therefore in your example it should be

$ sudo ifconfig xl0 inet 192.168.25.49 alias \
netmask 255.255.255.255 broadcast 192.168.25.49

and

$ sudo ifconfig xl0 inet 192.168.25.49 -alias \
netmask 255.255.255.255 broadcast 192.168.25.49


Marco