Date:      Wed, 16 May 2012 19:15:37 +0700
From:      Adam Strohl <adams-freebsd@ateamsystems.com>
To:        freebsd-pf@freebsd.org
Subject:   PF "synproxy state" doesn't work on CARP IPs
Message-ID:  <4FB39A69.2030706@ateamsystems.com>

Hello,

I've noticed that when I use "synproxy state" on a rule and a connection 
comes in to an IP on a CARP interface the connection opens but never 
gets passed on to the process as it should.

For example:

pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state

Will work fine if I come in to a non-CARP IP.  The connection is 
accepted and then brokered to SSHd.

However on the same machine with the same rule if I come in to a CARP'd 
IP it connects but hangs (not passed on to SSHd).

If I remove the "synproxy state" portion the CARP test case works.

I've done a bunch of flipping and testing and it seems that CARP IP + PF 
rule with "synproxy state" doesn't work -- the connection will be 
accepted but not passed on like it should.

Is this known behaviour?  Is there a workaround?  Anything else anyone 
wants to know?

I've noticed this too: the physical interface seems to "include" the 
CARP interfaces associated with it.  That above rule I pasted applies to 
the CARP interface even though it's specifying "bce0" as the value for 
$ext_if (vs. a rule for "carp1", etc.).  Is that normal/expected?

I did notice in the docs that "synproxy state" doesn't work with bridge 
interfaces, is a CARP interface maybe falling into this category?

Any input/thoughts appreciated!

P.S.
Please be sure to CC me, I am not subscribed to the PF mailing list.

-- 

Adam Strohl
A-Team Systems
http://ateamsystems.com/
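The two observations in the message (the rule on the physical interface also catches traffic to the CARP addresses, and the CARP case works once "synproxy state" is dropped) suggest a way to keep synproxy for the interface's own addresses while exempting the CARP VIPs. The pf.conf fragment below is an added example and not part of the original message; it assumes bce0 is $ext_if as in the post, that the CARP addresses are collected in a table named carp_vips (a name chosen here), and it uses 203.0.113.10 as a constructed placeholder address from the RFC 5737 documentation range.

```pf
# Added example, not from the original post. Assumes the CARP VIPs live
# in the <carp_vips> table; 203.0.113.10 is a constructed placeholder.
ext_if = "bce0"
table <carp_vips> const { 203.0.113.10 }

# CARP VIPs: plain stateful rule without synproxy. "quick" stops rule
# evaluation here, so the synproxy rule below never applies to these
# addresses (pf otherwise uses last-matching-rule-wins).
pass in quick on $ext_if proto tcp from any to <carp_vips> port ssh \
    flags S/SA keep state

# Everything else arriving on the physical interface keeps synproxy.
pass in on $ext_if proto tcp from any to any port ssh flags S/SA \
    synproxy state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and after a test connection inspect `pfctl -ss` to confirm that the state for the CARP address was created by the plain `keep state` rule rather than the synproxy one. The `quick` keyword is what makes the split reliable: without it, the later synproxy rule would still be the last match for traffic to the VIPs.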