[Bug 229092] [pf] [pfsync] States created by route-to rules pfsynced without interface

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Sun Jun 17 21:40:26 UTC 2018


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229092

            Bug ID: 229092
           Summary: [pf] [pfsync] States created by route-to rules
                    pfsynced without interface
           Product: Base System
           Version: 11.1-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs at FreeBSD.org
          Reporter: vegeta at tuxpowered.net

Created attachment 194342
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=194342&action=edit
Reconstruct rt_kif in pfsync_state_import

I use FreeBSD and pf on routers and hardware loadbalancers. Routers do normal
routing and have firewalls with only block or pass rules. Loadbalancers use
route-to rules with tables of target hosts. On routers pfsync works just fine,
while on loadbalancers it fails because states are synced without the target
interface.

There are 2 ways to fix it:
1. Modify struct pfsync_state to include the target interface, but that would be
breaking compatibility.
2. Reconstruct the missing interface using rules on the second loadbalancer.

Please find attached a patch solving the issue using the 2nd method. There is
still the issue of source_nodes not being synced; they probably can be
reconstructed in a similar fashion. I might provide a patch for that later on.
This is the 1st version of the patch. I am not totally sure of its stability and
it is designed only to solve the issue in my particular case, that is, for rules
with the following syntax: "route-to (internal4027 <pool_154571_4>)
round-robin"

-- 
You are receiving this mail because:
You are the assignee for the bug.
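
An added illustration, not the attached patch and not FreeBSD source: a simplified C model of the second approach in the report, where the importing peer recovers the route-to interface from its own copy of the rule that created the state. All type and function names (`model_rule`, `model_wire_state`, `model_state_import`) are hypothetical, and the model assumes a rule number is trusted only when both peers run the same ruleset.

```c
#include <stddef.h>
#include <stdio.h>

#define MODEL_IFNAMSIZ 16
enum model_rt { MODEL_RT_NONE, MODEL_RT_ROUTE_TO };  /* simplified route option */

struct model_rule {                    /* hypothetical, simplified local rule */
    enum model_rt rt;
    char pool_ifname[MODEL_IFNAMSIZ];  /* interface in "route-to (ifname <table>)" */
};

struct model_wire_state {              /* synced state: carries no route-to interface */
    unsigned rule_nr;                  /* index of the rule that created the state */
    int cksum_ok;                      /* 1 if the sender's ruleset matches ours */
};

struct model_state {
    const struct model_rule *rule;
    const char *rt_ifname;             /* NULL means no route-to interface is known */
};

/* Import a synced state and rebuild the route-to interface from the local rule.
 * Returns 0 on success, -1 when the interface cannot be reconstructed safely. */
static int model_state_import(const struct model_wire_state *ws,
    const struct model_rule *rules, size_t nrules, struct model_state *out)
{
    out->rule = NULL;
    out->rt_ifname = NULL;
    /* A rule number only identifies the same rule if the rulesets are identical. */
    if (!ws->cksum_ok || ws->rule_nr >= nrules)
        return -1;
    out->rule = &rules[ws->rule_nr];
    if (out->rule->rt == MODEL_RT_ROUTE_TO) {
        if (out->rule->pool_ifname[0] == '\0')
            return -1;                 /* nothing to rebuild the interface from */
        out->rt_ifname = out->rule->pool_ifname;
    }
    return 0;
}

int main(void)
{
    /* Constructed ruleset: rule 1 mirrors the route-to rule quoted in the report. */
    const struct model_rule rules[] = {
        { MODEL_RT_NONE, "" }, { MODEL_RT_ROUTE_TO, "internal4027" } };
    struct model_wire_state ws = { 1, 1 };
    struct model_state st;
    int rc = model_state_import(&ws, rules, 2, &st);
    printf("rc=%d rt_ifname=%s\n", rc, st.rt_ifname ? st.rt_ifname : "(none)");
    return 0;
}
```

The failure paths matter operationally: a mismatched ruleset or an out-of-range rule number leaves the interface unset rather than guessing one.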

