Date: Wed, 23 Jan 2019 22:47:43 +0000
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 229092] [pf] [pfsync] States created by route-to rules pfsynced without interface
Message-ID: <bug-229092-16861-cdBgIJvvCc@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-229092-16861@https.bugs.freebsd.org/bugzilla/>
References: <bug-229092-16861@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229092

--- Comment #15 from Kristof Provost <kp@freebsd.org> ---

(In reply to Kajetan Staszkiewicz from comment #13)

> - Any rule using interface IP addresses in an unnamed table {} will end up being different on 2 routers unless a named <table> {} is used.

Ah, because pf generates a random id for the table? I'd argue that that's something the rules sync script (if there is one) should account for, but I'd be happy to take patches to make that 'random id' predictable (and consistent across hosts).

> - Same thing for SNAT rules, although I'm unsure if those are included in pfchecksum.

I'm not sure what you mean by SNAT rules. The pf_setup_pfsync_matching() function checksums all rules, other than the scrub rules.

> - If the ruleset is dynamically generated by a script, the data structure might not have explicit ordering and produce a different result on each run: for me it was Python and its dictionaries and sets.

I don't understand this one. It shouldn't matter how rules are generated, the kernel will calculate a checksum. Or do you mean to say pf should compensate for bugs in synchronisation scripts?

I don't really see a way around the requirement for the ruleset to be identical on all pfsync synced hosts.

--
You are receiving this mail because:
You are the assignee for the bug.
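The two operational points in this exchange (use named tables rather than inline `{ }` lists, and make script-generated rulesets deterministic) as an added example that is not part of the bug thread or of pf itself; the table names, addresses and rules are constructed sample data, and the SHA-256 of the rendered text is only a pre-load check for the operator, not pf's own kernel ruleset checksum:

```python
"""Deterministic pf ruleset generation for pfsync peers (constructed example)."""
import hashlib
from typing import Dict, Iterable, List

# Constructed sample data: the same hosts, inserted in a different order on
# each router, exactly as a script built on dicts/sets might see them.
ROUTER_A_TABLES = {"web": {"10.0.1.10", "10.0.1.11"}, "dns": {"10.0.2.53"}}
ROUTER_B_TABLES = {"dns": {"10.0.2.53"}, "web": {"10.0.1.11", "10.0.1.10"}}

# Rules reference named tables only: an inline "{ a, b }" list becomes an
# unnamed table with a per-host id in pf, so it checksums differently on
# each peer even when the member addresses are identical.
RULES = [
    "pass in on $ext_if proto tcp to <web> port 80 keep state",
    "pass in on $ext_if proto udp to <dns> port 53 keep state",
]


def render_ruleset(tables: Dict[str, Iterable[str]], rules: List[str]) -> str:
    """Render named tables in sorted name order with sorted members, then the
    rules in exactly the order given, so the text depends only on the data and
    never on dict/set iteration order.  Members are sorted as strings, which
    is not numeric IP order but is stable, which is all that matters here."""
    lines = []
    for name in sorted(tables):
        members = ", ".join(sorted(set(tables[name])))
        lines.append(f"table <{name}> {{ {members} }}")
    lines.extend(rules)
    return "\n".join(lines) + "\n"


def ruleset_digest(text: str) -> str:
    """SHA-256 of the rendered ruleset; compare it on both peers before
    loading, so a divergent ruleset is caught before pfsync sees it."""
    return hashlib.sha256(text.encode()).hexdigest()


if __name__ == "__main__":
    a = render_ruleset(ROUTER_A_TABLES, RULES)
    b = render_ruleset(ROUTER_B_TABLES, RULES)
    print(a)
    print("identical on both peers:", ruleset_digest(a) == ruleset_digest(b))
```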