Hi,

I am using isakmpd+pf+sasyncd+carp to set up a VPN network (OpenBSD 4.0).

Recently I had a problem with carp...

Basically
ifconfig carp0 inet 172.16.140.1 255.255.255.0 advbase 1 ...
versus
ifconfig carp0 inet 172.16.140.1 netmask 255.255.255.0 advbase 1 ...

The simple fact that I did not put the word "netmask" creates a route 172.16/16
on the carp0 interface which was causing a lot of trouble. Same thing with
/etc/hostname.carp0 if the word netmask is not there.
On the first firewall I have:
- external 172.16.140.1/24
- internal 172.16.160.1/24
On the second firewall I have:
- external 172.16.140.2/24
- internal 172.16.161.1/24
   
Problem description:
1. When the firewall is booting, it first configures the IP addresses
(/etc/netstart).
2. The moment carp is configured I can see a new route 172.16/16 on interface
carp0 (using route -n show).
3. A fraction of a second later a PC behind the first firewall sends a packet
from 172.16.160.2 to 172.16.161.2 (PC behind the second firewall).
4. An entry is added to the routing table assigning the destination IP to the
carp0 interface (external) since the packet matches the 172.16/16 route.
5. A second later the route is added
route add -net 172.16.161.0/24 172.16.140.2
but the existing route 172.16.161.2 on interface carp0 is used (which makes
sense because the narrower route has preference).
Now if I put the word "netmask" in hostname.carp0 (external) and
hostname.carp1 (internal) this route is not created. A packet coming from a PC
behind the firewall would be dropped as there is no route for it. A second
later when the route is added the packets will be routed properly.
   
The "man carp" page is correct but the other documentation
www.openbsd.org/faq/pf/carp.html
www.countersiege.com/doc/pfsync-carp
www.lugbe.ch/action/reports/BSDCluster.pdf (German)
http://www.nycbsdcon.org/2005/files/jdixon_firewall_failover.pdf
in my opinion does not configure carp properly.

What is nasty about this is that carp is configured and "ifconfig carp" shows
everything is OK. If "netmask" is required then an error should be displayed.
If it's optional, then in both cases the result should be the same. I
remember a similar problem with carp where the command line parameter order
did matter: http://www.webservertalk.com/archive248-2007-3-1848404.html

Regards,
Catalin
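The symptom Catalin describes (a classful 172.16/16 interface route appearing on carp0, and host entries for the far subnet then being cloned onto the wrong interface) is easy to miss because ifconfig looks fine. The script below is an added example, not part of Catalin's message or of OpenBSD: it runs two checks over the text of "route -n show -inet" and reports interface routes on carp devices whose prefix is wider than the mask you configured, and cloned host routes on a carp device that fall outside that device's subnet. The route table embedded in SAMPLE_ROUTES is constructed to resemble the post's scenario; the column layout approximates OpenBSD's output and may need adjusting for a given release.

```shell
#!/bin/sh
# Constructed sample of "route -n show -inet" output (not captured from a real
# host). It mirrors the situation in the post: carp0 got a 172.16/16 route,
# and a host route for 172.16.161.2 was cloned onto carp0 instead of being
# sent via 172.16.140.2.
SAMPLE_ROUTES='Destination        Gateway            Flags   Refs      Use   Mtu  Iface
default            172.16.140.254     UGS        0        0     -  carp0
172.16/16          link#5             UC         1        0     -  carp0
172.16.140.2       00:00:5e:00:01:01  UHLc       0        0     -  carp0
172.16.161.2       link#5             UHLc       0        0     -  carp0
172.16.160/24      link#6             UC         0        0     -  carp1
172.16.161/24      172.16.140.2       UGS        0        0     -  carp0
127.0.0.1          127.0.0.1          UH         1        0 33192  lo0'

# Check 1: interface (cloning, flag "C") routes on carp* whose prefix length
# is shorter than the mask the admin intended. A missing "netmask" on the
# ifconfig line is what produced 172.16/16 in the post.
#   $1 = route table text, $2 = expected prefix length (e.g. 24)
flag_wide_carp_routes() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NR == 1 { next }                  # skip the header line
        $NF !~ /^carp/ { next }           # only carp interfaces
        $1 == "default" { next }
        $3 !~ /C/ { next }                # only interface (cloning) routes
        {
            n = split($1, parts, "/")
            plen = (n == 2) ? parts[2] + 0 : 32   # no slash means a host route
            if (plen < want)
                print $1 " on " $NF " (/" plen " wider than /" want ")"
        }'
}

# Check 2: host routes (flag "H") cloned onto a carp interface for addresses
# outside that interface''s own subnet, i.e. traffic that should have gone to
# a gateway but was captured by the too-wide interface route.
#   $1 = route table text, $2 = interface, $3 = network (dotted), $4 = prefix length
flag_cloned_hosts_off_subnet() {
    printf '%s\n' "$1" | awk -v ifc="$2" -v net="$3" -v plen="$4" '
        # dotted quad -> integer; short forms are padded with zero octets
        function ip2int(s,    a, n) {
            n = split(s, a, ".")
            while (n < 4) { n++; a[n] = 0 }
            return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4]
        }
        BEGIN {
            shift = 2 ^ (32 - plen)                 # drop the host bits
            netpfx = int(ip2int(net) / shift)
        }
        NR == 1 { next }
        $NF != ifc { next }
        $3 !~ /H/ { next }                          # host routes only
        $1 ~ /\// { next }                          # defensive: skip prefixes
        {
            if (int(ip2int($1) / shift) != netpfx)
                print $1 " on " $NF " (outside " net "/" plen ")"
        }'
}

# Stand-alone run against the constructed table. On a live OpenBSD host you
# would feed it "$(route -n show -inet)" instead of SAMPLE_ROUTES.
flag_wide_carp_routes "$SAMPLE_ROUTES" 24
flag_cloned_hosts_off_subnet "$SAMPLE_ROUTES" carp0 172.16.140.0 24
```

Run at boot after /etc/netstart (or from cron on both firewalls), a non-empty result from either function is the signal that the carp interface picked up a classful mask; the fix is the one in the post, namely spelling out "netmask" in hostname.carp0 and hostname.carp1.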
