From owner-freebsd-net@freebsd.org Tue Jul 19 16:16:58 2016
Return-Path:
Delivered-To: freebsd-net@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 4967EB9E165 for ; Tue, 19 Jul 2016 16:16:58 +0000 (UTC) (envelope-from patfbsd@davenulle.org)
Received: from sender163-mail.zoho.com (sender163-mail.zoho.com [74.201.84.163]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 2A45015AF for ; Tue, 19 Jul 2016 16:16:57 +0000 (UTC) (envelope-from patfbsd@davenulle.org)
Received: from mr185083 (mr185083.univ-rennes1.fr [129.20.185.83]) by mx.zohomail.com with SMTPS id 1468945013578333.6112500281413; Tue, 19 Jul 2016 09:16:53 -0700 (PDT)
Date: Tue, 19 Jul 2016 18:16:44 +0200
From: Patrick Lamaiziere
To: Patrick Lamaiziere
Cc: freebsd-net@freebsd.org
Subject: Re: 10/stable pfsync bulk fail
Message-ID: <20160719181644.4d9997c1@mr185083>
In-Reply-To: <20160713153523.1640e0e0@mr185083>
References: <20160713153523.1640e0e0@mr185083>
X-Mailer: Claws Mail 3.13.2 (GTK+ 2.24.29; amd64-portbld-freebsd10.3)
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-ZohoMail: Z_59798685 SPT_1 Z_59799992 SPT_1 SLF_D
X-Zoho-Virus-Status: 2
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 19 Jul 2016 16:16:58 -0000

On Wed, 13 Jul 2016 15:35:23 +0200, Patrick Lamaiziere wrote:

Hello,

> 10/stable rev 302560
>
> I'm building a pair of firewalls with pf and carp and the states are
> well synchronized between the firewalls. But at startup or using
> "service pfsync restart" pfsync fails the bulk update.
>
> In rare situations the bulk is successful but I don't know why.
I've made some progress on this problem and I think there are several issues. The main one is that pfsync is started by rc(8) before pf starts, and the first thing "/etc/rc.d/pf start" does is flush the states with "pfctl -F all". This flush seems to stop the bulk sync.

    # rcorder /etc/rc.d/* | grep pf
    /etc/rc.d/pfsync
    /etc/rc.d/pflog
    /etc/rc.d/pf

For me it is nonsense to start pf after pfsync, for two reasons:

- It flushes the states (which may have been acquired via the bulk sync).
- The size of the pf state table is not yet set (we have more than 800 000 states here, the default size is not enough and the easiest way to set the size is to load pf.conf).

Anyway, when starting pfsync after pf, the bulk sync works.

There are other strange behaviors (for example, when using "service pfsync restart", the bulk sync does not work. It looks like it works only one time). I will investigate later and file a PR.

Regards.
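As an added illustration of the two checks the mail describes (this is not code from the mail or from FreeBSD's rc.d scripts), a POSIX sh snippet that takes the output of rcorder(8) and reports whether /etc/rc.d/pf is ordered before /etc/rc.d/pfsync, and that reads the "set limit states N" value out of a pf.conf so an operator can confirm the state-table size was raised above the default before pfsync runs. The function names, the sample rcorder output and the pf.conf fragment are my own constructions; the rcorder output mirrors the order quoted in the mail.

```shell
#!/bin/sh
# Added example, not part of the original mail or of FreeBSD.
# Assumptions: rcorder output is one script path per line (as in the mail),
# and the state limit is set with the simple form "set limit states N".

# pf_before_pfsync LIST
#   LIST: rcorder-style output, one path per line.
#   Returns 0 when /etc/rc.d/pf is listed before /etc/rc.d/pfsync, so the
#   "pfctl -F all" in "pf start" cannot run in the middle of a bulk update.
#   Returns 1 otherwise, including when either script is absent from LIST.
pf_before_pfsync() {
    pf_pos=$(printf '%s\n' "$1" | grep -n '^/etc/rc.d/pf$' | head -n 1 | cut -d: -f1)
    sync_pos=$(printf '%s\n' "$1" | grep -n '^/etc/rc.d/pfsync$' | head -n 1 | cut -d: -f1)
    [ -n "$pf_pos" ] && [ -n "$sync_pos" ] || return 1
    [ "$pf_pos" -lt "$sync_pos" ]
}

# states_limit CONF
#   CONF: the text of a pf.conf. Prints the N from the last
#   "set limit states N" line, or 0 when no such line exists (pf default applies).
states_limit() {
    n=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*set[[:space:]]\{1,\}limit[[:space:]]\{1,\}states[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' \
        | tail -n 1)
    echo "${n:-0}"
}

# Constructed sample: the start order quoted in the mail (pfsync before pf).
BAD_ORDER='/etc/rc.d/pfsync
/etc/rc.d/pflog
/etc/rc.d/pf'

# Constructed sample: the order in which the mail reports the bulk sync working.
GOOD_ORDER='/etc/rc.d/pf
/etc/rc.d/pflog
/etc/rc.d/pfsync'

# Constructed pf.conf fragment sized for the ~800 000 states mentioned in the mail.
SAMPLE_CONF='# constructed pf.conf fragment
set limit states 1000000
pass all'

# Stand-alone demonstration on the constructed samples.
if pf_before_pfsync "$BAD_ORDER"; then
    echo "sample 1: pf starts before pfsync (ok)"
else
    echo "sample 1: pfsync starts before pf (bulk update can be flushed)"
fi
if pf_before_pfsync "$GOOD_ORDER"; then
    echo "sample 2: pf starts before pfsync (ok)"
fi
echo "sample pf.conf state limit: $(states_limit "$SAMPLE_CONF")"

# On a FreeBSD host the same functions can be fed live data:
if command -v rcorder >/dev/null 2>&1 && [ -r /etc/pf.conf ]; then
    if pf_before_pfsync "$(rcorder /etc/rc.d/* 2>/dev/null)"; then
        echo "live: pf starts before pfsync"
    else
        echo "live: pfsync starts before pf"
    fi
    echo "live pf.conf state limit: $(states_limit "$(cat /etc/pf.conf)")"
fi
```

The order check only inspects the list rcorder prints; it does not change any REQUIRE/BEFORE lines, and a limit of 0 from states_limit just means the simple "set limit states N" form is absent, not that the default is in effect if the brace form "set limit { states N, ... }" is used instead.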