From owner-freebsd-net@FreeBSD.ORG Thu Mar 6 08:54:09 2008
Return-Path: 
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 43A41106566B for ; Thu, 6 Mar 2008 08:54:09 +0000 (UTC) (envelope-from bra@fsn.hu)
Received: from people.fsn.hu (people.fsn.hu [195.228.252.137]) by mx1.freebsd.org (Postfix) with ESMTP id 09D958FC20 for ; Thu, 6 Mar 2008 08:54:08 +0000 (UTC) (envelope-from bra@fsn.hu)
Received: from japan.t-online.private (people [192.168.2.4]) by people.fsn.hu (Postfix) with ESMTP id E3DEC8B236 for ; Thu, 6 Mar 2008 09:36:23 +0100 (CET)
Message-ID: <47CFAD07.6020008@fsn.hu>
Date: Thu, 06 Mar 2008 09:36:23 +0100
From: Attila Nagy
User-Agent: Thunderbird 2.0.0.9 (X11/20080213)
MIME-Version: 1.0
To: freebsd-net@freebsd.org
Content-Type: text/plain; charset=ISO-8859-2; format=flowed
Content-Transfer-Encoding: 7bit
Subject: pf reply-to broken in RELENG_7
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Thu, 06 Mar 2008 08:54:09 -0000

Hello,

I've just upgraded some of our 6-STABLE servers to 7-STABLE, only to notice that pf reply-to for directly connected IPs seems to be broken.

I have the following relevant rule in pf.conf:

    pass in on $ext_if reply-to ( $ext_if csmvip ) proto tcp from any to any port 25 label "mxtraffic-tcp" keep state

which routes incoming SMTP connections (to be exact, the replies to them) to the csmvip host, which is a load balancer. This is needed because the LB doesn't do source NAT (it does destination NAT, however, to direct traffic addressed to its virtual IP to the real servers' IPs), and the servers have a different default route than the LB.

This way the servers reply to the LB, so it can rewrite the replies' source address to its virtual IP, so the client will see the correct IP (the LB's virtual IP) in the address, instead of the host's real address.

It seems that this still works in 7-STABLE for the internet (not directly connected) hosts, but not for directly connected hosts, for example the ones which are in the same subnet as my servers.

To overcome this, I've had to add static ARP entries to the servers, to tell them that the clients' hardware address is the address of the load balancer, but it would be better if the previous behaviour (as in 6-STABLE) could be restored.

Could anybody help to resolve this?

Thanks,

-- 
Attila Nagy                           e-mail: Attila.Nagy@fsn.hu
Free Software Network (FSN.HU)        phone: +3630 306 6758
http://www.fsn.hu/
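For context, the rule quoted in the message placed in a minimal pf.conf with the macros it relies on; this is an added illustration, not the poster's own configuration, and the interface name and the csmvip address are assumed placeholders.

```pf
# Added illustration, not the original pf.conf. Interface and address are assumed placeholders.
ext_if = "em0"            # interface facing both the clients and the load balancer
csmvip = "192.0.2.10"     # load balancer's address on $ext_if (directly reachable)

set skip on lo0

# Inbound SMTP arrives from the LB, which DNATs its virtual IP to this host's
# real address but does no source NAT. Without reply-to, the reply follows
# this host's routing table: via the default route for remote clients, or
# straight to the client's own MAC when the client is on the same subnet.
# reply-to pins the next hop of the reply packets to csmvip instead, so the
# LB sees them and can rewrite the source address back to its virtual IP.
pass in on $ext_if reply-to ( $ext_if csmvip ) proto tcp \
    from any to any port 25 label "mxtraffic-tcp" keep state
```

Whether reply-to actually took effect can be seen on the server with `tcpdump -eni em0 port 25`: replies to a same-subnet client should carry the load balancer's MAC as the destination, not the client's.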