From: Kristof Provost <kp@FreeBSD.org>
To: Kajetan Staszkiewicz
Cc: freebsd-pf@freebsd.org
Subject: Re: route-to, interfaces and pfsync
Date: Mon, 13 Jun 2022 14:33:54 +0200
In-Reply-To: <95f8e87d-2145-362b-2e37-79282054caa0@tuxpowered.net>
List-Id: Technical discussion and general questions about packet filter (pf)
List-Archive: https://lists.freebsd.org/archives/freebsd-pf

On 13 Jun 2022, at 12:13, Kajetan Staszkiewicz wrote:
> Hello Group,
>
> I see there is some development (https://github.com/freebsd/freebsd-src/commit/81ef217ad428c29be669aac2166d194db31817a7) happening around the route-to target and pfsync. I personally took a different approach to the same issue (https://github.com/innogames/freebsd/commit/ce0b078c15a3be1aa3e608a937449e8448309fd2), because I had trouble having an identical ruleset on 2 routers forming a redundant pair, so that the synced state would match the ruleset. Also, once the ruleset is changed, I think the approach which got merged won't really work due to the rules not being there anymore once the ruleset is changed. Please correct me if I'm wrong.
>
You're correct. The fix you point to will only help if the rules on both sides are the same.

> This brings us to OpenBSD. They have decided to drop the interface from route-to targets (https://github.com/openbsd/src/commit/5812a4ad62ca07807ac0bc59f22eb8813e6069bc). How about we do the same? If porting this change from OpenBSD has a chance of getting approved and merged, I'd be willing to work on it.
>
That's a breaking syntax change, and there's at least one major FreeBSD/pf user that relies heavily on route-to (i.e. pfSense). So something that'd break that is not going to be easy.

However, (without having looked at the patch in great detail) we might be able to support both the old style `route-to (epair0a 1.2.3.4)` and a new `route-to (1.2.3.4)` or even `route-to (@1.2.3.4)` or something if that disambiguates better. If we can ensure the old style keeps working (with any limitations it currently has), while also supporting the new style, that'd give everyone a chance to migrate. We could then remove the old style in say 15.0.

Best regards,
Kristof
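As an added illustration of the two syntaxes discussed in this thread (this is a constructed pf.conf fragment, not code from the thread, from either linked commit, or from pfSense), consider a redundant pair where the upstream NIC is named differently on each node. The interface names, addresses and macros are assumptions; the interface-less form is written as Kristof proposes it above and is not valid on FreeBSD as of this thread.

```pf
# Constructed example, not from the thread. Routers A and B share state via
# pfsync. Assumed: the LAN side is em1 on both nodes, but the upstream NIC
# is em0 on A and igb0 on B, and the next hop is 192.0.2.1 on both.
lan_if  = "em1"
lan_net = "10.0.0.0/24"

# Current FreeBSD syntax: the route-to target names the output interface,
# so the same policy needs different rule text on each node.
# Router A:
pass in on $lan_if route-to (em0 192.0.2.1) from $lan_net to any
# Router B:
pass in on $lan_if route-to (igb0 192.0.2.1) from $lan_net to any
# The two rulesets are therefore not identical, which is the pfsync issue
# raised above: a synced state refers to a rule and interface that may not
# exist on the peer, and after a ruleset reload the referenced rule is gone.

# Proposed interface-less form (OpenBSD-style, as suggested in the reply):
# only the next hop is given and the output interface is resolved from the
# routing table, so one rule line serves both nodes.
pass in on $lan_if route-to (192.0.2.1) from $lan_net to any
```

On a running FreeBSD system only the first form will load; the point of the fragment is to show why an HA pair cannot keep byte-identical rulesets when the interface is part of the route-to target.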