Date:      Wed, 23 Jan 2019 08:11:14 +0000
From:      bugzilla-noreply@freebsd.org
To:        pf@FreeBSD.org
Subject:   [Bug 229092] [pf] [pfsync] States created by route-to rules pfsynced without interface
Message-ID:  <bug-229092-16861-qsVlsGtURl@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-229092-16861@https.bugs.freebsd.org/bugzilla/>
References:  <bug-229092-16861@https.bugs.freebsd.org/bugzilla/>


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229092

--- Comment #13 from Kajetan Staszkiewicz <vegeta@tuxpowered.net> ---
(In reply to Kristof Provost from comment #12)
pfcksum only checks if the loaded rules are the same; it does not ensure the rules are
the same on 2 routers. There are a few ways to end up with different rulesets; let me
give you a little list I came across while trying to make pfsync work:
- Any rule using interface IP addresses in an unnamed table {} will end up being
different on 2 routers unless a named <table> {} is used.
- Same thing for SNAT rules, although I'm unsure if those are included in
pfchecksum.
- If the ruleset is dynamically generated by a script, the data structure might not
have explicit ordering and produce a different result on each run: for me it was
Python and its dictionaries and sets.
- In a dynamic environment it might happen that the ruleset is different for
short periods of time when a new configuration is applied, as it will never be
applied at exactly the same time on both routers. For me, on some load balancers,
new configuration is applied tens of times a day.

-- 
You are receiving this mail because:
You are the assignee for the bug.
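The ordering problem described in the comment above, as an added example that is not part of the bug report or of pf/pfctl: a Python generator that iterates a set of hosts emits the same rules in a different order on each router, so the two routers load rulesets that are not byte-identical, while sorting the set before emitting gives both routers the same text. The two "routers" are simulated by two child interpreters started with different PYTHONHASHSEED values; the host list, the rule text and the ports are constructed for the example, and the sha256 of the generated text stands in for comparing what each router would feed to pfctl -f (it is not pf's own ruleset checksum).

```python
"""Added example: a ruleset generator that depends on set iteration order diverges
between two routers; a sorted generator does not.  Routers are simulated with
child interpreters under different hash seeds.  Hosts and rules are constructed."""
import hashlib
import os
import subprocess
import sys

# Constructed host list for the example (not addresses from the bug report).
HOSTS = ["10.0.0.5", "10.0.0.3", "192.0.2.10", "10.0.0.1",
         "10.0.0.12", "198.51.100.7", "10.0.0.9", "203.0.113.4"]

# Script run once per simulated router.  It rebuilds a set from argv, as a
# generator pulling hosts from an inventory might, then emits one rule per
# host/port pair.  In "unsorted" mode it iterates the set directly; set
# iteration order depends on the per-process string hash seed, so two routers
# can emit the same rules in a different order.  (dicts keep insertion order
# since Python 3.7; sets never have.)  "sorted" mode orders hosts by address
# and ports by name, which is the fix.
CHILD = r"""
import sys
mode, hosts = sys.argv[1], set(sys.argv[2].split(","))
ports = {"https": 443, "ssh": 22, "http": 80}
def ip_key(h):
    return tuple(int(o) for o in h.split("."))
order = sorted(hosts, key=ip_key) if mode == "sorted" else hosts
for h in order:
    for name in (sorted(ports) if mode == "sorted" else ports):
        print(f"pass in quick proto tcp from {h} to any port {ports[name]} # {name}")
"""


def generate_on_router(seed, hosts, deterministic):
    """Run the generator in a child interpreter whose hash seed is `seed`,
    standing in for one router running the script.  Returns the ruleset text."""
    env = dict(os.environ, PYTHONHASHSEED=str(seed))
    mode = "sorted" if deterministic else "unsorted"
    proc = subprocess.run(
        [sys.executable, "-c", CHILD, mode, ",".join(hosts)],
        env=env, capture_output=True, text=True, check=True)
    return proc.stdout


def ruleset_checksum(text):
    """Hash of the text that would be fed to pfctl -f on a router.  This is a
    stand-in for comparing rulesets before loading them, not pf's own checksum."""
    return hashlib.sha256(text.encode()).hexdigest()


def checksums_per_router(seeds, hosts, deterministic):
    """Map each simulated router (identified by its hash seed) to the checksum
    of the ruleset text it would load."""
    return {s: ruleset_checksum(generate_on_router(s, hosts, deterministic))
            for s in seeds}


def routers_agree(seeds, hosts, deterministic):
    """True only when every simulated router produced byte-identical text."""
    checksums = checksums_per_router(seeds, hosts, deterministic)
    return len(set(checksums.values())) == 1


if __name__ == "__main__":
    seeds = range(10)  # ten simulated routers / ten runs of the script
    print("unsorted set iteration, all rulesets identical:",
          routers_agree(seeds, HOSTS, deterministic=False))
    print("sorted iteration, all rulesets identical:",
          routers_agree(seeds, HOSTS, deterministic=True))
```

The same seed always reproduces the same unsorted output, which is why the problem is easy to miss when testing on one machine: it only shows up once a second interpreter (the other router, or the next run after a reboot) uses a different hash seed. Sorting every set and dict iteration in the generator, and comparing a checksum of the generated text on both routers before loading it, removes this source of ruleset drift; it does nothing about the other items in the list above (interface addresses in unnamed tables, or the window between the two routers applying a new configuration).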

