Thread: OpenBSD CARP/PF
View Single Post
  #9   (View Single Post)  
Old 7th November 2011
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,505
Default

First remark: from Pestilence01 – netstat –ss output:
Code:
carp:
        57331672 packets received (IPv4)
                28651650 discarded for bad authentication
                28651525 discarded for unknown vhid
        2088619 packets sent (IPv4)
        35 transitions to master
pfsync:
        3166573 packets received (IPv4)
                57793 stale states
                40786 failed state lookup/inserts
        11135591 packets sent (IPv4)
So you have 57,331,672 IPv4 packets received, of which 28,651,650 have been "discarded for bad authentication".
That is nearly 50% of the packets:
Code:
$ echo "scale=2 ; 28651650 / (57331672/100)" | bc 
49.97
I only played with carp in a network lab setting several years ago, but this doesn't seem very healthy to me

The same applies to the 28,651,525 that were discarded because of "unknown vhid".
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote