Date: Wed, 23 Jan 2019 08:11:14 +0000
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 229092] [pf] [pfsync] States created by route-to rules pfsynced without interface
Message-ID: <bug-229092-16861-qsVlsGtURl@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-229092-16861@https.bugs.freebsd.org/bugzilla/>
References: <bug-229092-16861@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229092

--- Comment #13 from Kajetan Staszkiewicz <vegeta@tuxpowered.net> ---
(In reply to Kristof Provost from comment #12)

pfcksum only checks if loaded rules are the same, it does not ensure rules are the same on 2 routers. There are a few ways to have different rulesets, let me give you a little list I came across while trying to make pfsync work:

- Any rule using interface IP addresses in unnamed table {} will end up being different on 2 routers unless named <table> {} is used.
- Same thing for SNAT rules, although I'm unsure if those are included in pfchecksum.
- If ruleset is dynamically generated by a script, data structure might not have explicit ordering and produce different result on each run: for me it was Python and its dictionaries and sets.
- In a dynamical environment it might happen that the ruleset is different for short periods of time when new configuration is applied as it will never be applied at exactly the same time on both routers. For me on some loadbalancers new configuration is applied tens of times a day.

-- 
You are receiving this mail because:
You are the assignee for the bug.
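
One way to avoid the script-generated ordering problem described in the message above, as an added example that is not part of the original message or of pf. The function names, table names, addresses and rules are constructed, and the SHA-256 digest is an assumed stand-in for comparing generator output between two routers, not pf's own ruleset checksum.

```python
import hashlib
import ipaddress


def render_ruleset(tables, rules):
    """Render pf.conf text that does not depend on dict/set iteration order.

    tables: dict mapping table name -> set of address or CIDR strings
    rules:  iterable of (priority, rule_text); priority makes rule order explicit
    """
    lines = []
    for name in sorted(tables):
        # Parsing rejects entries with host bits set (e.g. 192.0.2.10/24) and
        # collapses duplicates such as 192.0.2.10 and 192.0.2.10/32.
        nets = {ipaddress.ip_network(a) for a in tables[name]}
        # Sort numerically; a plain string sort would put .10 before .9.
        ordered = sorted(
            nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen)
        )
        members = " ".join(
            str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)
            for n in ordered
        )
        # Named tables, as the message recommends over unnamed { } lists.
        lines.append(f"table <{name}> {{ {members} }}")
    # Rule order matters to pf, so sort on the explicit priority, never on
    # whatever order a set or dict happens to yield.
    for _, text in sorted(rules):
        lines.append(text)
    return "\n".join(lines) + "\n"


def ruleset_digest(text):
    """Digest of the generated text, for comparing output across routers."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed sample data: the same configuration assembled in different orders.
ROUTER_A = (
    {"web": {"192.0.2.10", "192.0.2.9", "2001:db8::1"}, "admin": {"198.51.100.0/24"}},
    {(20, "pass in proto tcp from any to <web> port 443"), (10, "block in all")},
)
ROUTER_B = (
    {"admin": {"198.51.100.0/24"}, "web": {"2001:db8::1", "192.0.2.9/32", "192.0.2.10"}},
    [(10, "block in all"), (20, "pass in proto tcp from any to <web> port 443")],
)

if __name__ == "__main__":
    for label, cfg in (("A", ROUTER_A), ("B", ROUTER_B)):
        print(label, ruleset_digest(render_ruleset(*cfg)))
```

This only removes generator nondeterminism; the window in which the two routers briefly run different rulesets during a rollout, also listed in the message, is not addressed by it.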