udp - weird behavior of reply-to

Marek Zarychta zarychtam at plan-b.pwste.edu.pl
Sun Jan 8 15:05:33 UTC 2017


For a long period of time, I have been using reply-to rules for a few
TCP and one UDP service which had been introduced for HA reasons and are
used quite rarely.
After upgrading to 11-STABLE the rules for TCP traffic work as expected,
providing a kind of symmetric routing, but UDP traffic ignores the reply-to
directive and the UDP service responds only partially via the default
gateway.
Worse, only one UDP segment passes in one direction for the UDP service. As
a result, the whole communication is broken.
PF states look like this:
all udp 88.199.x.x:1197 <- 62.x.y.z:58781 NO_TRAFFIC:SINGLE
all udp 88.199.y.y:1197 -> 62.x.y.z:58781 SINGLE:NO_TRAFFIC
A similar rule for TCP traffic works flawlessly:
all tcp 88.199.x.x:50001 <- 62.x.y.z:56330 ESTABLISHED:ESTABLISHED

It is not an underlying service issue; additional tests were performed
using netcat.
The rules haven't been changed, at least since the machine was running
9-STABLE, when everything worked correctly.
The machine is currently running 11.0-STABLE r311637 compiled for the i386
arch.

Is this a bug that should be officially submitted, or will it no longer be
possible to use reply-to for UDP traffic?
-- 
Marek Zarychta
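For readers unfamiliar with the setup being described, here is an added example (not part of the original post and not the poster's own ruleset) of the kind of pf.conf fragment reply-to is used for: a host with two uplinks where a few services are reachable on the secondary one, and replies must leave through that same uplink instead of the system default route. Interface names and the gateway address are assumed placeholders; the ports are the ones visible in the state output above.

```pf
# Added example, not the original poster's configuration.
# Interface names and the gateway address are placeholders.
ext_if1 = "em0"          # primary uplink, carries the default route
ext_if2 = "em1"          # secondary uplink used for the HA services
ext_gw2 = "192.0.2.1"    # next hop on the secondary uplink (placeholder)

# Service ports as they appear in the reported pf states.
tcp_port = "50001"
udp_port = "1197"

# reply-to (interface gateway) records the inbound interface and next hop
# in the state entry, so pf sends the reply packets out ext_if2 to ext_gw2
# instead of following the default route via ext_if1. It is the state
# entry that enforces this symmetry, so both rules must create one.
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp \
    from any to ($ext_if2) port $tcp_port keep state

pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto udp \
    from any to ($ext_if2) port $udp_port keep state
```

After loading the rules, `pfctl -vvss` shows the state entries together with the interface and route information pf stored for them, which is the quickest way to confirm whether a given state actually carries the reply-to binding. For a UDP exchange that works, the state progresses from SINGLE:SINGLE to MULTIPLE:MULTIPLE once packets have flowed both ways; a state stuck at NO_TRAFFIC:SINGLE, as in the output above, means one direction never saw a packet matching that state, which is consistent with the replies leaving through a different path than the one the state expects.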