From owner-freebsd-pf@FreeBSD.ORG Wed May 16 21:56:05 2007
From: Tom Judge
Date: Wed, 16 May 2007 22:57:17 +0100
To: David DeSimone
Cc: freebsd-pf@freebsd.org
Subject: Re: Packet Path Through PF (once for each interface?)
Message-ID: <464B7E3D.1030507@tomjudge.com>
In-Reply-To: <20070516213836.GB22335@verio.net>
References: <464B487C.1050301@tomjudge.com> <20070516195948.GA22335@verio.net> <464B6A29.2020107@tomjudge.com> <20070516213836.GB22335@verio.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

David DeSimone wrote:
> Tom Judge wrote:
>> According to the diagram that Greg sent a link to, state is checked for
>> every interface. However, is the state information tied to an
>> interface?
>
> The answer is determined by the state-policy. In your configuration you
> can set state-policy to "if-bound" or "group-bound" or "floating".
>
> If you choose "if-bound", the state will stick to the interface chosen
> at time of initial evaluation of the rule. If packets start to flow
> through different interfaces, they will fail to match the state, and
> this will require a rulebase evaluation to be performed in order to
> determine if traffic should continue to flow.
>
> If you choose "floating" (which is the default), state is not bound to
> any particular interface, and it will not matter whether the packets
> arrive or leave on the same interfaces; only that the packet contents
> match the defined state. With this setting, I believe that your rule
> would only be evaluated once, and as long as the state entry lasts, PF
> will only examine the packets as far as state, and will skip the
> rulebase evaluation. It will perform this state evaluation TWICE, once
> for ingress, again for egress.
>

So this introduces a new problem with my HA configuration: how is pfsync
going to deal with state information that is interface-bound when the
interfaces on the different boxes have different names?

eg:

    em0-|-[Router]-|-em2
    em1-|          |-em3
            |
          pfsync
            |
    bge1-|-[Router]-|-bce0
    bge0-|          |-bce1

Where the following interfaces from each box are connected to the same
network:

    em0 and bge0
    em2 and bce0
    em3 and bce1

Do all the interface names have to match on the HA pair?

Tom
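As an added illustration of the two state policies David describes (this is not configuration from either poster), here is a pf.conf fragment with the global default set to floating and a single rule overridden to if-bound; the interface names follow Tom's diagram and the addresses are made up:

```pf
# Added example pf.conf fragment, not from the thread. Interface names are
# taken from the em0..em3 box in the diagram; 192.0.2.10 is a made-up host.
ext_if  = "em2"
int_if  = "em0"
sync_if = "em1"

# Global default: "floating" (also pf's built-in default). A state created
# when a packet enters on $int_if also matches that packet when it leaves on
# $ext_if, so the ruleset is evaluated once per flow and only the state
# table is consulted on the second interface.
set state-policy floating

# pfsync traffic itself must not be filtered or create states.
set skip on $sync_if
set skip on pfsync0

block log all

# Inherits the global floating policy.
pass in on $int_if proto tcp from $int_if:network to any port 80 keep state

# Per-rule override: this state only matches on the interface where it was
# created. The same flow seen on any other interface misses the state, is
# re-evaluated against the ruleset, and is caught by "block log all".
pass in on $ext_if proto tcp from any to 192.0.2.10 port 22 \
    keep state (if-bound)
```

With `pfctl -ss -vv` the state entry shows which interface it is bound to, which is one way to confirm that the override above took effect.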