pf reply-to broken in RELENG_7

Max Laier max at love2party.net
Thu Mar 6 04:17:43 PST 2008


On Thu, 6.03.2008, 09:36, Attila Nagy wrote:
> Hello,
>
> I've just upgraded some of our 6-STABLE servers to 7-STABLE to notice
> that pf reply-to for directly connected IPs seems to be broken.
>
> I have the following relevant rule in pf.conf:
> pass in on $ext_if reply-to ( $ext_if csmvip ) proto tcp from any to any
> port 25 label "mxtraffic-tcp" keep state
>
> which routes incoming SMTP connections (to be exact, the replies to
> them) to the csmvip host, which is a load balancer. This is needed
> because the LB doesn't do source NAT (it does destination NAT however to
> direct traffic addressed to its virtual IP to the real servers' IPs),
> and the servers have a different default route than the LB. This way the
> servers reply to the LB, so it can rewrite the replies' source address
> to its virtual IP, so the client will see the correct IP (the LB's
> virtual IP) in the address, instead of the host's real address.
>
> It seems that this still works in 7-STABLE for the internet (not
> directly connected) hosts, but not for directly connected hosts, for
> example the ones which are in the same subnet as my servers.
> To overcome this, I've had to add static ARP entries to the servers, to
> tell that the clients' hardware address is the address of the load
> balancer, but it would be better if the previous behaviour (as in
> 6-STABLE) could be restored.
>
> Could anybody help to resolve this?

Might be the lack of sleep and coffee, but I can't quite figure out the
network layout you are talking about.  Could you draw up a small example
setup so I can follow?  Or at least (pseudo-)IP addresses for client,
load-balancer, pf-box and servers?

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News