Date:      Tue, 19 Jul 2016 18:16:44 +0200
From:      Patrick Lamaiziere <patfbsd@davenulle.org>
To:        Patrick Lamaiziere <patfbsd@davenulle.org>
Cc:        freebsd-net@freebsd.org
Subject:   Re: 10/stable pfsync bulk fail
Message-ID:  <20160719181644.4d9997c1@mr185083>
In-Reply-To: <20160713153523.1640e0e0@mr185083>
References:  <20160713153523.1640e0e0@mr185083>

On Wed, 13 Jul 2016 15:35:23 +0200,
Patrick Lamaiziere <patfbsd@davenulle.org> wrote:

Hello,
 
> 10/stable rev 302560
> 
> I'm building a pair of firewalls with pf and carp and the states are
> well synchronized between the firewalls. But at startup or using
> "service pfsync restart" pfsync fails the bulk update.
> 
> In rare situations the bulk is successful but I don't know why.

I've made some progress on this problem and I think there are several
issues.

The main one is that pfsync is started by rc(8) before pf starts. And
the first thing "/etc/rc.d/pf start" does is to flush the states with
pfctl -F all. This flush seems to stop the bulk sync.

# rcorder /etc/rc.d/* | grep pf
/etc/rc.d/pfsync
/etc/rc.d/pflog
/etc/rc.d/pf

For me it is nonsense to start pf after pfsync, for two reasons:
- It flushes the states (which may have been acquired via the bulk sync).
- The size of pf's state table is not yet set (we have more than
  800 000 states here, the default size is not enough, and the easiest
  way to set the size is to load pf.conf).

Anyway, when starting pfsync after pf, the bulk sync works.

There are other strange behaviours (for example, when using "service pfsync
restart", the bulk sync does not work; it looks like it works only
once). I will investigate later and file a PR.

Regards.
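The ordering problem described above is easy to check on any box before trusting a failover pair. The script below is an added example and is not part of the mail or of FreeBSD's rc scripts: it reads an rcorder(8) listing on stdin, classifies whether pf is ordered before pfsync, and reports the consequence. The sample listings are constructed to reproduce the order quoted in the mail (pfsync, pflog, pf) and the order the mail says works (pf before pfsync); the filler script names around them are assumptions. On a live system the same function is fed with `rcorder /etc/rc.d/*`.

```shell
#!/bin/sh
# Added example, not from the original mail: classify the relative rc(8)
# start order of pf and pfsync from an rcorder(8) listing read on stdin.
# Prints one of:
#   pf-first      pf starts before pfsync (the order the mail says works)
#   pfsync-first  pfsync starts before pf, so "/etc/rc.d/pf start" runs
#                 "pfctl -F all" after pfsync is already up (the order
#                 the mail reports on 10/stable)
#   missing       one of the two scripts is not in the listing
rc_pf_order() {
    awk '
        # Record the line number of each script; only exact basenames
        # match, so /etc/rc.d/pflog and /etc/rc.d/pfsync do not count as pf.
        /\/pfsync$/ { pfsync = NR }
        /\/pf$/     { pf = NR }
        END {
            if (!pf || !pfsync) { print "missing";      exit 2 }
            if (pf < pfsync)    { print "pf-first";     exit 0 }
            print "pfsync-first"; exit 1
        }
    '
}

# Constructed listing reproducing the order quoted in the mail
# (pfsync, pflog, pf); the surrounding script names are filler (assumed).
sample_from_mail() {
    printf '%s\n' /etc/rc.d/hostname /etc/rc.d/pfsync /etc/rc.d/pflog \
                  /etc/rc.d/pf /etc/rc.d/netif
}

# Constructed listing with pf ahead of pfsync, the order the mail says
# makes the bulk sync work.
sample_pf_first() {
    printf '%s\n' /etc/rc.d/hostname /etc/rc.d/pf /etc/rc.d/pflog \
                  /etc/rc.d/pfsync /etc/rc.d/netif
}

# Human-readable report; $1 is a command that emits the listing, e.g.
# on a live FreeBSD box:  report_pf_order 'rcorder /etc/rc.d/*'
report_pf_order() {
    case "$(eval "$1" | rc_pf_order)" in
        pf-first)     echo "ok: pf is started before pfsync" ;;
        pfsync-first) echo "WARNING: pfsync is started before pf;" \
                           "'pf start' will flush states (pfctl -F all)" ;;
        *)            echo "pf or pfsync not found in the listing" ;;
    esac
}

report_pf_order sample_from_mail
report_pf_order sample_pf_first
```

The awk anchors match the script basename exactly, so pflog and pfsync are never mistaken for pf. The exit status (0, 1, 2) mirrors the printed label, which makes the function usable both interactively and from a pre-failover sanity check.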




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20160719181644.4d9997c1>