[Bug 226850] [pf] Matching but failed rules block without return

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Fri Mar 23 11:50:45 UTC 2018


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226850

--- Comment #4 from vegeta at tuxpowered.net ---
The exact situation looks like this: I use PF for load balancing with a "route-to"
target and also as a firewall preventing servers in the datacenter from accessing the
Internet.

Each "route-to" rule has a table of targets for load balancing ("pool"), and this
table is controlled by a tool which runs health checks against the servers which
can serve traffic.

If all servers in a pool are not healthy, there is nobody to serve the traffic.
Requests to such a pool are "sinking" into the firewall; SYNs are never responded
to. It works pretty badly for pools serving various APIs because it causes very
long waits on clients.

There are other reasons for this behaviour, mainly failed state or src-node
creation or insertion.

One could argue that my situation is very specific, but I still consider this a
general bug or at least unexpected behaviour: while a "block" rule can be
configured to drop or return, a "pass" rule is always expected to pass. Which
is not true. And should such a situation happen, the outcome is not documented and
not configurable.
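To make the setup described in this comment concrete, the following is a constructed pf.conf fragment with the pfctl table operations a health checker would issue. It is an added illustration, not configuration from the reporter or from FreeBSD: the interface names, addresses and the table name are made up, and the `route-to (interface <table>) round-robin` pool syntax is assumed from the FreeBSD pf.conf(5) grammar of the time.

```pf
# Constructed example, not the reporter's configuration.
# Assumed names: ext_if, int_if, web_vip, <web_pool>; addresses are documentation
# and RFC 1918 placeholders.
ext_if  = "em0"
int_if  = "em1"
web_vip = "192.0.2.10"
dc_net  = "10.0.0.0/24"

# The backend pool. "persist" keeps the table object alive even when the health
# checker has removed every address from it, which is the state the comment
# above describes.
table <web_pool> persist { 10.0.0.11, 10.0.0.12 }

# Default deny, and servers in the datacenter may not reach the Internet.
block drop log all
block drop log out on $ext_if from $dc_net to any

# Load-balanced pass rule: the table is the route-to target.
# Syntax assumed: route-to (interface <table>) round-robin
pass in quick on $ext_if proto tcp from any to $web_vip port 80 \
    route-to ($int_if <web_pool>) round-robin keep state

# Health checker operations (run from a script, not inside pf.conf):
#   pfctl -t web_pool -T delete 10.0.0.12   # backend failed its health check
#   pfctl -t web_pool -T add 10.0.0.12      # backend recovered
#   pfctl -t web_pool -T show               # inspect the current pool
#
# Once the last address has been deleted, <web_pool> is empty. The pass rule
# above still matches incoming SYNs, and the comment above reports what then
# happens in practice: the SYN is dropped without a RST, so clients wait
# until their own connect timeout expires.
```

A defender reading the `pfctl -T show` output can at least detect the empty-pool condition from the monitoring side; the behaviour the report asks about (returning a reset when a matching `pass` rule fails) is not something this fragment can configure.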
