Date:      Wed, 14 Oct 2020 15:35:48 -0400
From:      J David <j.david.lists@gmail.com>
To:        Kristof Provost <kp@freebsd.org>
Cc:        Andreas Longwitz <longwitz@incore.de>, freebsd-pf@freebsd.org
Subject:   Re: Packets passed by pf don't make it out?
Message-ID:  <CABXB=RQwZ0rKG5bvx3Qk8Ax_y1nUXhooNu5evLvY-Kw_TBYioA@mail.gmail.com>
In-Reply-To: <66EA3FE1-598F-4D42-8464-5A3A5C75CD07@FreeBSD.org>
References:  <CABXB=RSO2UDx2=LWx7W5SigYgJcaZ3vUTR0%2BVTDJUx2QezHK1Q@mail.gmail.com> <CABXB=RQE74yggCj6=Zizb2rQjtCi=hg155J0_u=NRK2Q3QHmqg@mail.gmail.com> <5F8336C7.5020709@incore.de> <CABXB=RRdbDYyKfXUtyc9eW-P8eoX2nUb1A1Tn46MHWv5YNjT0g@mail.gmail.com> <5F84CF18.1040905@incore.de> <0072D8A9-6ACE-47D0-AE94-124C4F955735@FreeBSD.org> <CABXB=RRYSn6eXCnkhjNKuzDPTsefEUVKEQ1vZMxYfLBromW4Nw@mail.gmail.com> <F8EE4AB3-FA3F-4B79-A054-7D885141E3F6@FreeBSD.org> <CABXB=RRiksXT8g34jqQx61MaRhOHMzpasmuw4_w=3x4_6EhxXw@mail.gmail.com> <66EA3FE1-598F-4D42-8464-5A3A5C75CD07@FreeBSD.org>

On Wed, Oct 14, 2020 at 3:20 PM Kristof Provost <kp@freebsd.org> wrote:
> I’ve not dug very deep yet, but I wonder if we shouldn’t have to
> teach pf to change the source port to avoid conflicting states in the
> first place.

That was my first thought as well, framed mentally as some sort of
port-only Frankenstein's binat because my level of understanding is
clearly more cartoonish than yours. ;-)

My second thought was to wonder if my approach is architecturally
wrong.  Would it make sense for the many-to-many case to use route-to
instead of rdr, leave the packet unmodified, and expect every machine
in the server pool to catch all the public IPs?

That might still be tricky.  Using rdr would presumably hit the same
problem.  Maybe something gross like ifconfig'ing the public pool
addresses as /32's on lo0, then binding on those, maybe?

Thanks!


