Packets passed by pf don't make it out?

J David j.david.lists at gmail.com
Wed Oct 14 19:36:02 UTC 2020


On Wed, Oct 14, 2020 at 3:20 PM Kristof Provost <kp at freebsd.org> wrote:
> I’ve not dug very deep yet, but I wonder if we shouldn’t have to
> teach pf to change the source port to avoid conflicting states in the
> first place.

That was my first thought as well, framed mentally as some sort of
port-only Frankenstein's binat because my level of understanding is
clearly more cartoonish than yours. ;-)

My second thought was to wonder if my approach is architecturally
wrong.  Would it make sense for the many-to-many case to use route-to
instead of rdr, leave the packet unmodified, and expect every machine
in the server pool to catch all the public IPs?

That might still be tricky.  Using rdr would presumably hit the same
problem.  Maybe something gross like ifconfig'ing the public pool
addresses as /32's on lo0, then binding on those, maybe?

Thanks!
