On 13-3-2012 9:52, Janne Johansson wrote:
> 2012/3/4 PP;QQ P(P8P?P8QP8P= <[email protected]>:
>> thanks to Camiel Dobbelaar, carp log at 6 showed an ip_output problem, which
>> led me to:
>>
>> pass quick proto carp no state
>
> Which doesn't match the PF FAQ which says:
> "Since CARP is its own protocol it should have an explicit pass rule
> in filter rulesets:
> pass out on $carp_dev proto carp keep state"
>
> I'll test the "no state" as soon as I can rig one of my previously
> failing boxes to not use my carppeer workaround.
I think "keep state (no-sync)" is better. You don't want carp to get dropped when the box gets congested and only traffic for established states gets through. Since this is biting lots of people maybe we should look into setting no-sync by default on carp traffic, be it in pfctl, pf, or pfsync.
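For reference, here is how the three rule variants discussed in this thread look side by side in a pf.conf ruleset. This is an added illustration, not a ruleset posted by anyone in the thread; the interface names, the macro names `carp_dev` and `pfsync_dev`, and the pfsync rule are assumptions for the example.

```pf
# Assumed interface macros (not from the thread)
carp_dev="em0"      # interface carrying the CARP advertisements
pfsync_dev="em1"    # dedicated link for pfsync state replication

# Variant 1: the PF FAQ rule. CARP advertisements create a state entry,
# and that state is replicated to the peer over pfsync like any other.
# pass out on $carp_dev proto carp keep state

# Variant 2: the "no state" rule from the quoted report. No state entry
# is created, so nothing is synced, but every advertisement is re-evaluated
# against the ruleset.
# pass quick on $carp_dev proto carp no state

# Variant 3: the form suggested in this reply. A state is kept so CARP
# keeps flowing when the box is congested and only established states get
# through, but the (no-sync) option stops that state from being pushed
# to the peer over pfsync.
pass quick on $carp_dev proto carp keep state (no-sync)

# pfsync itself still needs to pass between the peers (assumed here to be
# on its own link); protocol name "pfsync" comes from /etc/protocols.
pass quick on $pfsync_dev proto pfsync
```

After loading the ruleset, `pfctl -vsr` shows which of the rules is active and `pfctl -ss` lets you confirm whether CARP entries appear in the state table, which is the quickest way to check that the (no-sync) variant is the one in effect.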

