From 8c74bad9f352ee33107ec1cbfa7273cb27d41a98 Mon Sep 17 00:00:00 2001 From: glebius Date: Tue, 20 Dec 2011 13:53:31 +0000 Subject: Restore a feature that was present in 5.x and 6.x, and was cleared in 7.x, 8.x and 9.x with pf(4) imports: pfsync(4) should suppress CARP preemption, while it is running its bulk update. However, reimplement the feature in more elegant manner, that is partially inspired by newer OpenBSD: - Rename term "suppression" to "demotion", to match with OpenBSD. - Keep a global demotion factor, that can be raised by several conditions, for now these are: - interface goes down - carp(4) has problems with ip_output() or ip6_output() - pfsync performs bulk update - Unlike in OpenBSD the demotion factor isn't a counter, but is actual value added to advskew. The adjustment values for particular error conditions are also configurable, and their defaults are maximum advskew value, so a single failure bumps demotion to maximum. This is for POLA compatibility, and should satisfy most users. - Demotion factor is a writable sysctl, so user can do foot shooting, if he desires to. --- contrib/pf/man/pfsync.4 | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) (limited to 'contrib/pf') diff --git a/contrib/pf/man/pfsync.4 b/contrib/pf/man/pfsync.4 index 451925e..b00bf9d 100644 --- a/contrib/pf/man/pfsync.4 +++ b/contrib/pf/man/pfsync.4 @@ -114,6 +114,23 @@ Either run the pfsync protocol on a trusted network \- ideally a network dedicated to pfsync messages such as a crossover cable between two firewalls, or specify a peer address and protect the traffic with .Xr ipsec 4 . +.Pp +.Nm +has the following +.Xr sysctl 8 +tunables: +.Bl -tag -width ".Va net.pfsync" +.It Va net.pfsync.carp_demotion_factor +Value added to +.Va net.inet.carp.demotion +while +.Nm +tries to perform its bulk update. +See +.Xr carp 4 +for more information. +Default value is 240. +.El .Sh EXAMPLES .Nm and -- cgit v1.1