From owner-freebsd-pf@FreeBSD.ORG Fri Jun 3 11:58:46 2005
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C42D216A41C for ; Fri, 3 Jun 2005 11:58:46 +0000 (GMT) (envelope-from yar@comp.chem.msu.su)
Received: from comp.chem.msu.su (comp.chem.msu.su [158.250.32.97]) by mx1.FreeBSD.org (Postfix) with ESMTP id 04A6843D49 for ; Fri, 3 Jun 2005 11:58:45 +0000 (GMT) (envelope-from yar@comp.chem.msu.su)
Received: from comp.chem.msu.su (localhost [127.0.0.1]) by comp.chem.msu.su (8.13.3/8.13.3) with ESMTP id j53BwiXo015977 for ; Fri, 3 Jun 2005 15:58:44 +0400 (MSD) (envelope-from yar@comp.chem.msu.su)
Received: (from yar@localhost) by comp.chem.msu.su (8.13.3/8.13.3/Submit) id j53Bwhp8015972 for freebsd-pf@freebsd.org; Fri, 3 Jun 2005 15:58:44 +0400 (MSD) (envelope-from yar)
Date: Fri, 3 Jun 2005 15:58:43 +0400
From: Yar Tikhiy
To: freebsd-pf@freebsd.org
Message-ID: <20050603115843.GA15561@comp.chem.msu.su>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.9i
Subject: Fwd: pfsync and asymmetric paths
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 03 Jun 2005 11:58:46 -0000

Hi folks,

I wrote the following mail to Ryan McBride, but he is likely to be busy, so I'd like to present it here, too, for the sake of keeping the audience informed, as well as in the hope of it reaching someone with a clue. Anyway, I'm going to start hacking around this issue in a couple of weeks, when I get some free time, because it really bites me in my network setup.
----- Forwarded message from Yar Tikhiy -----

Let's consider the following reference configuration:

                 net2              net1
                  |    +-----+      |
                  +----+ pf1 +------+
                  |    +--+--+      |
    +--------+    |       |         |    +---------+
    | client +----+    pfsync       +----+ gateway +====> Internet
    +--------+    |       |         |    +---------+
                  |    +--+--+      |
                  +----+ pf2 +------+
                  |    +-----+      |

Let's assume that routes are as follows:

    on gateway: net2 reachable via pf1
    on client:  default route via pf2

So we have a simple asymmetric routing case where traffic from client to Internet goes via pf2 while traffic from Internet to client goes back via pf1. In the real world, such a case can appear if the network runs a routing protocol and both client and gateway can choose either of the equal paths via pf1 and pf2.

According to my observations in OpenBSD 3.7, the PF state table doesn't seem to converge on pf1 and pf2 in this case despite pfsync being active between them. For an open TCP session, its state on pf1 promotes as far as ESTABLISHED:SYN_SENT while its state on pf2 never reaches beyond SYN_SENT:CLOSED. As soon as the TCP session finishes, pf1 gets stuck in CLOSING:CLOSING while pf2 reaches CLOSING:CLOSED. This looks as though pf1 and pf2 won't re-broadcast a state received from pfsync even if the state gets promoted locally due to a network packet seen by this router. Is it by design?

I'd like to make the asymmetric configuration functional if possible at all, but I've been unable to find any background information on the issue, such as mailing list discussions or whatever.

Thank you in advance!

----- End forwarded message -----

-- 
Yar
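The following is an added toy model, not code from the message above and not pf's or pfsync's own code, that reproduces the handshake states the message reports when each firewall sees only one direction of the flow. It assumes pf's per-direction TCP tracking in simplified form (a SYN promotes the sending side to SYN_SENT, an ACK promotes a SYN_SENT receiving side to ESTABLISHED, a FIN promotes the sender to CLOSING; no sequence-window checks) and reduces pfsync to the rule the message hypothesises: only the firewall that created a state announces changes to it, and a receiver merges an announcement by never regressing either side. The flow key, firewall names and `run_handshake` helper are constructed for the example.

```python
"""Toy model of pf-style per-direction TCP state tracking on two firewalls
joined by pfsync, used to replay the asymmetric-routing case from the message.
Assumptions (this is not pf's code): no sequence-number window checks, and
pfsync is reduced to "only the creator of a state announces its changes"."""
from dataclasses import dataclass, field
from typing import Optional

# Tracking states in the order the model advances through them.
STATES = ["CLOSED", "SYN_SENT", "ESTABLISHED", "CLOSING", "FIN_WAIT_2", "TIME_WAIT"]
RANK = {name: i for i, name in enumerate(STATES)}


@dataclass
class State:
    src: str = "CLOSED"      # side that sent the first SYN (the client here)
    dst: str = "CLOSED"      # the responder
    local: bool = True       # created on this box (True) or imported via pfsync (False)

    def as_tuple(self):
        return (self.src, self.dst)


@dataclass
class Firewall:
    name: str
    table: dict = field(default_factory=dict)
    peer: Optional["Firewall"] = None   # pfsync partner

    def _announce(self, key: str) -> None:
        # Assumed pfsync rule: a state imported from the peer is never re-sent.
        st = self.table[key]
        if st.local and self.peer is not None:
            self.peer._import(key, st)

    def _import(self, key: str, incoming: State) -> None:
        # Assumed merge rule: an announcement may advance a side, never regress it.
        mine = self.table.get(key)
        if mine is None:
            self.table[key] = State(incoming.src, incoming.dst, local=False)
            return
        if RANK[incoming.src] > RANK[mine.src]:
            mine.src = incoming.src
        if RANK[incoming.dst] > RANK[mine.dst]:
            mine.dst = incoming.dst

    def see(self, key: str, from_src: bool, flags: set) -> None:
        """Apply the TCP flags of one observed packet to the state for `key`."""
        st = self.table.get(key)
        if st is None:
            if not from_src:
                return              # reply with no matching state: nothing is created
            st = self.table[key] = State()
        before = st.as_tuple()
        # Sender/receiver as seen from this packet's direction of travel.
        sender, receiver = (st.src, st.dst) if from_src else (st.dst, st.src)
        if "SYN" in flags and RANK[sender] < RANK["SYN_SENT"]:
            sender = "SYN_SENT"
        if "FIN" in flags and RANK[sender] < RANK["CLOSING"]:
            sender = "CLOSING"
        if "ACK" in flags:
            if receiver == "SYN_SENT":
                receiver = "ESTABLISHED"
            elif receiver == "CLOSING":
                receiver = "FIN_WAIT_2"
        if "RST" in flags:
            sender = receiver = "TIME_WAIT"
        if from_src:
            st.src, st.dst = sender, receiver
        else:
            st.dst, st.src = sender, receiver
        if st.as_tuple() != before:
            self._announce(key)


KEY = "client:1025 -> server:80"   # constructed flow identifier


def run_handshake(reply_path: str):
    """Client-to-Internet packets always cross pf2; replies cross `reply_path`.
    Returns the (src, dst) tracking state held by each firewall afterwards."""
    pf1, pf2 = Firewall("pf1"), Firewall("pf2")
    pf1.peer, pf2.peer = pf2, pf1
    back = {"pf1": pf1, "pf2": pf2}[reply_path]
    pf2.see(KEY, from_src=True, flags={"SYN"})            # client -> server
    back.see(KEY, from_src=False, flags={"SYN", "ACK"})   # server -> client
    pf2.see(KEY, from_src=True, flags={"ACK"})            # client -> server
    return {"pf1": pf1.table[KEY].as_tuple(), "pf2": pf2.table[KEY].as_tuple()}


if __name__ == "__main__":
    print("asymmetric (replies via pf1):", run_handshake("pf1"))
    print("symmetric  (replies via pf2):", run_handshake("pf2"))
```

With replies routed via pf1 the model ends the handshake with pf1 at ESTABLISHED:SYN_SENT and pf2 at SYN_SENT:CLOSED, the same two states the message reports, because pf2 never sees the SYN/ACK that would advance its responder side and pf1, holding only an imported copy, never announces its own promotion. Routing the replies through pf2 as well lets both boxes converge on ESTABLISHED:ESTABLISHED, which is the contrast worth checking with `pfctl -ss` on a real pair before attributing a stuck state to pfsync itself.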