Fwd: pfsync and asymmetric paths

Yar Tikhiy yar at comp.chem.msu.su
Fri Jun 3 04:58:46 PDT 2005


Hi folks,

I wrote the following mail to Ryan McBride, but he is likely to be
busy, so I'd like to present it here, too, for the sake of keeping
the audience informed, as well as in the hope of it reaching someone
with a clue.  Anyway, I'm going to start hacking around this issue
in a couple of weeks, when I get some free time, because it really
bites me in my network setup.

----- Forwarded message from Yar Tikhiy <yar at FreeBSD.org> -----

Let's consider the following reference configuration:

             net2            net1
              |    +-----+    |
              +----+ pf1 +----+
              |    +--+--+    |
+--------+    |       |       |    +---------+
| client +----+     pfsync    +----+ gateway +====> Internet
+--------+    |       |       |    +---------+
              |    +--+--+    |
              +----+ pf2 +----+
              |    +-----+    |

Let's assume that routes are as follows:

on gateway: net2 reachable via pf1
on client:  default route via pf2

So we have a simple asymmetric routing case where traffic from
client to Internet goes via pf2 while traffic from Internet to
client goes back via pf1.  In the real world, such a case can appear
if the network runs a routing protocol and both client and gateway
can choose either of the equal paths via pf1 and pf2.

According to my observations in OpenBSD 3.7, the PF state table doesn't
seem to converge on pf1 and pf2 in this case despite pfsync being
active between them.  For an open TCP session, its state on pf1
gets promoted as far as ESTABLISHED:SYN_SENT while its state on pf2
never reaches beyond SYN_SENT:CLOSED.  As soon as the TCP session
finishes, pf1 gets stuck in CLOSING:CLOSING while pf2 reaches
CLOSING:CLOSED.  This looks as though pf1 and pf2 won't re-broadcast
a state received from pfsync even if the state gets promoted locally
due to a network packet seen by this router.

Is it by design?  I'd like to make the asymmetric configuration
functional if possible at all, but I've been unable to find any
background information on the issue, such as mailing list discussions
or whatever.

Thank you in advance!

----- End forwarded message -----

-- 
Yar
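The following is an added example, not part of the post above and not pf's or pfsync's own code. It is a constructed toy model of two pf routers that track TCP state per direction and exchange it over a pfsync-like channel, built to reproduce the handshake observation in the post (ESTABLISHED:SYN_SENT on pf1, SYN_SENT:CLOSED on pf2) under the author's hypothesis that a state received via pfsync is not re-broadcast when it is promoted locally. The tracking rules (SYN marks the sender's side SYN_SENT, FIN marks it CLOSING, an ACK promotes the peer's side from SYN_SENT to ESTABLISHED), the merge rule on receipt, and the `REBROADCAST` switch are simplifying assumptions made here for illustration; the names `PfRouter`, `run_handshake` and the packet directions `c2g`/`g2c` are invented for this model.

```python
"""Toy model of two pf routers sharing TCP state over a pfsync-like
channel, constructed to reproduce the asymmetric-path observation.

Assumptions (this example's own, not pf's real implementation):
- Per-direction tracking: a SYN puts the sender's side in SYN_SENT,
  a FIN puts it in CLOSING, and an ACK promotes the *peer's* side
  from SYN_SENT to ESTABLISHED.
- A router sends a sync message when it changes a state it created
  itself; with rebroadcast=True it also sends when it changes a
  state it first learned from its peer.
- On receipt, each side of the state is merged forward, never back.
"""
from dataclasses import dataclass

ORDER = ["CLOSED", "SYN_SENT", "ESTABLISHED", "CLOSING"]


def rank(s):
    return ORDER.index(s)


@dataclass
class State:
    src: str = "CLOSED"   # client (initiator) side
    dst: str = "CLOSED"   # gateway (responder) side
    origin: str = ""      # router that created this entry

    def __str__(self):
        return f"{self.src}:{self.dst}"


class PfRouter:
    def __init__(self, name, rebroadcast):
        self.name = name
        self.rebroadcast = rebroadcast
        self.state = None
        self.peer = None
        self.sent = []  # sync messages this router emitted

    def see_packet(self, direction, flags):
        """direction: 'c2g' (client->gateway) or 'g2c'; flags: set of TCP flag names."""
        created = False
        if self.state is None:
            # Only an initiator SYN creates a state in this model
            if direction != "c2g" or "SYN" not in flags:
                return
            self.state = State(origin=self.name)
            created = True
        st = self.state
        sender, receiver = ("src", "dst") if direction == "c2g" else ("dst", "src")
        before = str(st)
        if "SYN" in flags and rank(getattr(st, sender)) < rank("SYN_SENT"):
            setattr(st, sender, "SYN_SENT")
        if "FIN" in flags and rank(getattr(st, sender)) < rank("CLOSING"):
            setattr(st, sender, "CLOSING")
        if "ACK" in flags and getattr(st, receiver) == "SYN_SENT":
            setattr(st, receiver, "ESTABLISHED")
        changed = created or str(st) != before
        # The hypothesis under test: a locally promoted state is only
        # re-sent if this router created it, unless rebroadcast is on.
        if changed and (self.rebroadcast or st.origin == self.name):
            self.pfsync_send()

    def pfsync_send(self):
        msg = State(self.state.src, self.state.dst, self.state.origin)
        self.sent.append(str(msg))
        self.peer.pfsync_receive(msg)

    def pfsync_receive(self, msg):
        if self.state is None:
            self.state = State(msg.src, msg.dst, msg.origin)
            return
        for side in ("src", "dst"):
            if rank(getattr(msg, side)) > rank(getattr(self.state, side)):
                setattr(self.state, side, getattr(msg, side))


def run_handshake(rebroadcast):
    """Replay the three-way handshake over the asymmetric path from the
    diagram: client->gateway via pf2, gateway->client via pf1.
    Returns (state seen on pf1, state seen on pf2)."""
    pf1, pf2 = PfRouter("pf1", rebroadcast), PfRouter("pf2", rebroadcast)
    pf1.peer, pf2.peer = pf2, pf1
    pf2.see_packet("c2g", {"SYN"})          # client SYN, forward path
    pf1.see_packet("g2c", {"SYN", "ACK"})   # gateway SYN-ACK, return path
    pf2.see_packet("c2g", {"ACK"})          # client ACK, forward path
    return str(pf1.state), str(pf2.state)


if __name__ == "__main__":
    print("no re-broadcast:", run_handshake(False))
    print("re-broadcast:   ", run_handshake(True))
```

Without re-broadcast the model lands exactly on the states reported in the post: pf1 sees the SYN-ACK and promotes the entry it learned from pf2 to ESTABLISHED:SYN_SENT but keeps that to itself, so pf2 never learns the gateway side is past CLOSED and the client's final ACK leaves it at SYN_SENT:CLOSED. With the switch on, each router forwards its local promotion and both converge on ESTABLISHED:ESTABLISHED, which is the behaviour the post is asking for; whether real pfsync can safely do that without update storms is a separate question the model does not answer.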
