[Bug 229092] [pf] [pfsync] States created by route-to rules pfsynced without interface

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Wed Jan 23 22:47:45 UTC 2019


--- Comment #15 from Kristof Provost <kp at freebsd.org> ---
(In reply to Kajetan Staszkiewicz from comment #13)

> - Any rule using interface IP addresses in unnamed table {} will end up being different on 2 routers unless named <table> {} is used.

Ah, because pf generates a random id for the table? I'd argue that that's
something the rules sync script (if there is one) should account for, but I'd
be happy to take patches to make that 'random id' predictable (and consistent
across hosts).

> - Same thing for SNAT rules, although I'm unsure if those are included in pfchecksum.

I'm not sure what you mean by SNAT rules. The pf_setup_pfsync_matching()
function checksums all rules, other than the scrub rules.

> - If ruleset is dynamically generated by a script, data structure might not have explicit ordering and produce different result on each run: for me it was Python and its dictionaries and sets.

I don't understand this one. It shouldn't matter how rules are generated; the
kernel will calculate a checksum. Or do you mean to say pf should compensate
for bugs in synchronisation scripts?

I don't really see a way around the requirement for the ruleset to be identical
on all pfsync synced hosts.

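An added example, not from the bug report, the reply above or FreeBSD's pf itself, illustrating the point about script-generated rulesets: if a generator iterates Python sets or dicts in whatever order they happen to yield, two routers can emit different pf.conf text for the same logical configuration, and the rulesets will then not match for pfsync. The fix is to sort table membership (which is a set, so order carries no meaning), emit named <table>s instead of anonymous { } lists, and keep rule order explicit, since rule order in pf is significant. HOST_A, HOST_B and RULES are constructed input; the SHA-256 only compares the generated text and stands in for the kernel checksum computed by pf_setup_pfsync_matching().

```python
"""Deterministic pf ruleset generation for pfsync peers.

Added example (not part of the bug report or of FreeBSD pf): emit a pf
ruleset so that two pfsync peers produce byte-identical text even when
their scripts iterate sets/dicts in different orders. The SHA-256 below
only compares the generated pf.conf text; the checksum pfsync actually
compares is computed in the kernel by pf_setup_pfsync_matching().
"""
import hashlib
from typing import Dict, List, Sequence

# Constructed input: the same logical configuration as each router's script
# happened to see it. Lists stand in for set/dict iteration order, which is
# not guaranteed to match between two Python processes.
HOST_A: Dict[str, List[str]] = {
    "mgmt": ["192.0.2.10", "192.0.2.11", "192.0.2.12"],
    "monitoring": ["198.51.100.5", "198.51.100.6"],
}
HOST_B: Dict[str, List[str]] = {
    "monitoring": ["198.51.100.6", "198.51.100.5"],
    "mgmt": ["192.0.2.12", "192.0.2.10", "192.0.2.11"],
}

# Rule order is significant in pf (last match wins unless 'quick'), so it
# must be explicit in the source rather than derived from a dict or set.
RULES: List[str] = [
    "block in log all",
    "pass in quick proto tcp from <mgmt> to (self) port 22",
    "pass in quick proto udp from <monitoring> to (self) port 161",
]


def naive_ruleset(tables: Dict[str, List[str]]) -> str:
    """Inline anonymous { } lists in whatever order the input yields.

    Any difference in set/dict iteration between the two hosts shows up
    as different text, and therefore as a different ruleset checksum."""
    lines = []
    for name, members in tables.items():
        lines.append(f"pass in quick from {{ {' '.join(members)} }} to (self)  # {name}")
    return "\n".join(lines) + "\n"


def canonical_ruleset(tables: Dict[str, Sequence[str]], rules: Sequence[str]) -> str:
    """Named, sorted tables followed by an explicitly ordered rule list.

    Table membership is a set, so sorting it loses nothing; any total order
    works as long as both hosts apply the same one. Duplicates are dropped."""
    lines = []
    for name in sorted(tables):
        members = sorted(set(tables[name]))
        lines.append(f"table <{name}> const {{ {', '.join(members)} }}")
    lines.extend(rules)
    return "\n".join(lines) + "\n"


def ruleset_digest(text: str) -> str:
    """Digest of the generated text, for comparing both hosts' output before
    loading it (a stand-in for the kernel's pfsync ruleset checksum)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    print("naive identical:    ", naive_ruleset(HOST_A) == naive_ruleset(HOST_B))
    a = canonical_ruleset(HOST_A, RULES)
    b = canonical_ruleset(HOST_B, RULES)
    print("canonical identical:", ruleset_digest(a) == ruleset_digest(b))
    print(a)
```

Comparing the digest of the generated text on both hosts before running pfctl catches ordering drift in the generator itself; it does not replace the kernel's own ruleset checksum, which is what pfsync ultimately requires to agree.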
