[Bug 229092] [pf] [pfsync] States created by route-to rules pfsynced without interface

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Wed Jan 23 08:11:16 UTC 2019


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229092

--- Comment #13 from Kajetan Staszkiewicz <vegeta at tuxpowered.net> ---
(In reply to Kristof Provost from comment #12)
pfcksum only checks whether the loaded rules are the same; it does not ensure the rules are
the same on 2 routers. There are a few ways to end up with different rulesets; let me
give you a little list I came across while trying to make pfsync work:
- Any rule using interface IP addresses in an unnamed table {} will end up being
different on the 2 routers unless a named <table> {} is used.
- Same thing for SNAT rules, although I'm unsure whether those are included in
pfchecksum.
- If the ruleset is dynamically generated by a script, the data structure might not
have explicit ordering and may produce a different result on each run: for me it was
Python and its dictionaries and sets.
- In a dynamic environment it might happen that the ruleset is different for
short periods of time when a new configuration is applied, as it will never be
applied at exactly the same time on both routers. For me, on some loadbalancers a
new configuration is applied tens of times a day.

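The first and third items above (a router's own interface address inlined into an unnamed table, and a Python generator whose dict/set iteration order is not fixed) can both be reproduced with a small generator. The following is an added example, not code from the bug report or from FreeBSD: it renders a constructed two-router configuration (hypothetical addresses 192.0.2.1 and 192.0.2.2, hypothetical service names) first the fragile way and then deterministically, and uses a SHA-256 over the rule lines as a stand-in for pf's ruleset checksum, on the assumption stated in the comment that only the loaded rules, not table contents, are compared.

```python
"""Deterministic pf ruleset generation for a pfsync pair (added example)."""
import hashlib
from typing import Dict, List, Set, Tuple

# Constructed sample configuration for two routers of a pfsync pair.
# Both serve the same services; only their own interface address differs.
# Router B's dict happens to have been built in a different insertion order
# (e.g. from an API response or directory listing), which is all it takes to
# change dict iteration order in Python.  Set iteration order additionally
# changes from one interpreter run to the next because str hashing is
# randomised (PYTHONHASHSEED), the run-to-run variation described above.
ROUTER_A = {
    "self_addr": "192.0.2.1",                       # hypothetical
    "services": {"web": {"80", "443"}, "dns": {"53"}},
}
ROUTER_B = {
    "self_addr": "192.0.2.2",                       # hypothetical
    "services": {"dns": {"53"}, "web": {"443", "80"}},
}

Ruleset = Tuple[List[str], Dict[str, Set[str]]]   # (rule lines, named tables)


def render_naive(cfg: dict) -> Ruleset:
    """The fragile approach: the router's own address is inlined into an
    unnamed table, and rules are emitted in whatever order the dict/set
    happens to yield.  The two routers never produce the same rule text."""
    rules = []
    for _name, ports in cfg["services"].items():
        rules.append(
            f"pass in proto tcp to {{ {cfg['self_addr']} }} "
            f"port {{ {', '.join(ports)} }}"
        )
    return rules, {}


def render_deterministic(cfg: dict) -> Ruleset:
    """Rules reference a named table <self>; only the table contents carry
    the per-router address.  Services and ports are emitted in sorted order,
    so the rule lines are byte-identical on both routers."""
    tables = {"self": {cfg["self_addr"]}}
    rules = []
    for name in sorted(cfg["services"]):
        ports = ", ".join(sorted(cfg["services"][name], key=int))
        rules.append(f"pass in proto tcp to <self> port {{ {ports} }}")
    return rules, tables


def ruleset_checksum(rules: List[str]) -> str:
    """Stand-in for pf's ruleset checksum: a hash over the rule lines in
    load order.  Table contents are deliberately excluded (assumption of this
    example, following the comment above that only loaded rules are compared)."""
    h = hashlib.sha256()
    for rule in rules:
        h.update(rule.encode() + b"\n")
    return h.hexdigest()


def checksums_match(renderer, cfg_a: dict, cfg_b: dict) -> bool:
    """True when both routers would load a ruleset with the same checksum."""
    return ruleset_checksum(renderer(cfg_a)[0]) == ruleset_checksum(renderer(cfg_b)[0])


def render_pf_conf(rules: List[str], tables: Dict[str, Set[str]]) -> str:
    """Emit pf.conf text: named table definitions first, then the rules."""
    out = [f"table <{t}> {{ {', '.join(sorted(tables[t]))} }}" for t in sorted(tables)]
    out.extend(rules)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for label, fn in (("naive", render_naive), ("deterministic", render_deterministic)):
        print(f"{label}: checksums match = {checksums_match(fn, ROUTER_A, ROUTER_B)}")
    print(render_pf_conf(*render_deterministic(ROUTER_A)))
```

The deterministic output differs between the routers only in the `table <self> { ... }` line; to reload the table contents without touching the rules, `pfctl -t self -T replace ...` can be used, so the rule text, and with it the checksum pfsync compares, stays identical on both sides.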

