Thread: OpenBSD CARP/PF
7th November 2011
J65nko

First remark: from Pestilence01 - netstat -ss output:
        57331672 packets received (IPv4)
                28651650 discarded for bad authentication
                28651525 discarded for unknown vhid
        2088619 packets sent (IPv4)
        35 transitions to master
        3166573 packets received (IPv4)
                57793 stale states
                40786 failed state lookup/inserts
        11135591 packets sent (IPv4)
So you have 57,331,672 IPv4 packets received, of which 28,651,650 have been "discarded for bad authentication".
That is nearly 50% of the packets:
$ echo "scale=2 ; 28651650 / (57331672/100)" | bc 
I only played with carp in a network lab setting several years ago, but this doesn't seem very healthy to me.

The same applies to the 28,651,525 that were discarded because of "unknown vhid".
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
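The percentage check from the post, generalized as an added example (not part of the original post): a POSIX sh function that reads the counter lines and reports every "discarded for ..." counter as a share of the preceding "packets received" line. The function names and the 5% threshold are assumptions; the sample counters are the first block quoted in the post.

```shell
#!/bin/sh
# Added example, not from the original post.

# sample_carp_stats: the first counter block quoted in the post, embedded
# so the script runs offline. On a live host, pipe the real netstat
# statistics output into carp_discard_report instead.
sample_carp_stats() {
cat <<'EOF'
        57331672 packets received (IPv4)
                28651650 discarded for bad authentication
                28651525 discarded for unknown vhid
        2088619 packets sent (IPv4)
        35 transitions to master
EOF
}

# carp_discard_report THRESHOLD_PERCENT   (hypothetical helper name)
# Reads counter lines on stdin. For each "discarded for <reason>" line,
# prints "<percent>% <ALERT|ok> <reason>", where percent is relative to the
# most recent "packets received" line above it.
# Returns 1 if any counter is at or above the threshold, 0 otherwise.
carp_discard_report() {
    LC_ALL=C awk -v limit="$1" '
        # Each "packets received" line becomes the denominator for the
        # indented sub-counters that follow it.
        /packets received/ { total = $1; next }

        /discarded for/ && total > 0 {
            pct = 100 * $1 / total
            reason = $0
            sub(/^[ \t]*[0-9]+ discarded for /, "", reason)
            state = "ok"
            if (pct >= limit) { state = "ALERT"; bad = 1 }
            # printf rounds to two decimals; bc with scale=2 truncates.
            printf "%.2f%% %s %s\n", pct, state, reason
        }

        END { exit bad + 0 }
    '
}

# Stand-alone run: 5% is an assumed threshold, tune it to the site.
sample_carp_stats | carp_discard_report 5 ||
    echo "CARP discard ratio at or above threshold"
```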