Date: Thu, 26 Nov 2015 22:11:00 +0100
From: Miłosz Kaniewski <milosz.kaniewski@gmail.com>
To: Kristof Provost <kp@freebsd.org>
Cc: freebsd-pf@freebsd.org
Subject: Re: Creating span interface using 'dup-to' option
Message-ID: <CAC4mxp7MRQROTB6yZeXPy4Qi_MAhDYU91yD27Re4aR-wfndmQw@mail.gmail.com>
In-Reply-To: <20151122191458.GD2307@vega.codepro.be>
References: <CAC4mxp5ar-Kvp5238VRfKEL6FiVOg7XXzmv8fE-zdEFYRk7cAw@mail.gmail.com> <SN1PR08MB18210835207E194932EBB485BA310@SN1PR08MB1821.namprd08.prod.outlook.com> <CAC4mxp77FrDvT+1J+dQqrgc_ji3vmbMZOkYnXae+D2L1PanK1g@mail.gmail.com> <20151108000315.GC2336@vega.codepro.be> <20151108192951.GD2336@vega.codepro.be> <CAC4mxp7B5tYErUX+h0803eQhRY2XzXCFpLP7=2ESJPQtVupczA@mail.gmail.com> <CAC4mxp6wvMe9EWqXYzNG=FEA2HO-kNqmdLrUjs8nHJUODTucUw@mail.gmail.com> <20151115173349.GE13268@vega.codepro.be> <20151122191458.GD2307@vega.codepro.be>
2015-11-22 20:14 GMT+01:00 Kristof Provost <kp@freebsd.org>:
> On 2015-11-15 18:33:49 (+0100), Kristof Provost <kp@FreeBSD.org> wrote:
> > On the other hand, perhaps there's something we can do about the state
> > matching. The problems all start because we match state on the
> > duplicated packet. That's not correct, because the rule is set on e.g.
> > em0, but the duplicated packet is sent out on em1.
> > In fact, from a first reading of the code I don't actually understand
> > why we're getting that state match.
> >
> I've looked at the state matching for a bit. It turns out that by
> default packets will match state on any interface (specifically, the
> state is saved to the 'all' interface, rather than to the specific
> interface it was created on).
> That default can be changed with 'set state-policy if-bound'. I'd expect
> adding that would work around the problem you see.
>

Thanks, it did the trick :) I made a couple of tests and my dup-to options started to duplicate packets in the right way when I set the 'if-bound' policy.

I didn't know that it is possible to control the packet state policy. At the beginning I was surprised that the default behaviour is to make states float between interfaces. But now I think that it can make sense. For example, in my case I use pf to forward hundreds of thousands of connections. If I used the floating state policy then I would have as many states as connections. But if I switch to the 'if-bound' policy then I would get two times more states than connections (one state for the original interface and one for the interface where packets are duplicated with dup-to).

So I think that this workaround is very useful and in many cases it would be sufficient. But there are some scenarios, like mine, where floating states could provide big profits and it would be really nice if we could use them.

Thank you very much for your help with my problem.

Best regards,
Miłosz
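For readers who want to see what the workaround discussed in this thread looks like in a ruleset, here is an added pf.conf fragment. It is not code from the thread, from Miłosz or from FreeBSD; the interface names em0/em1 come from the thread, the 192.0.2.10 next-hop address and the 10.0.0.0/24 network are constructed placeholders, and the rule layout follows the pf.conf(5) grammar of FreeBSD pf of that era, where the route option (dup-to) precedes the address family and host specification.

```pf
# Added example, not part of the original thread.
# Mirror traffic entering em0 to a monitoring host behind em1 with dup-to,
# using the state policy the thread settled on.

# Global option: bind each state to the interface it was created on.
# With the default (floating) policy the copy that dup-to emits on em1 can
# match the state that was created for the original packet on em0, which
# is the behaviour that broke duplication in this thread. if-bound keeps a
# state created on em0 from matching on em1.
set state-policy if-bound

ext_if  = "em0"            # interface the original traffic arrives on
span_if = "em1"            # interface the duplicated copy is sent out on
span_nh = "192.0.2.10"     # constructed next-hop address of the monitor
lan_net = "10.0.0.0/24"    # constructed internal network

# Pass the original packet as usual and send a copy out em1 towards the
# monitor. The route option sits before the address family / hosts part,
# as in the FreeBSD pf.conf(5) grammar of the time.
pass in on $ext_if dup-to ($span_if $span_nh) inet from $lan_net to any keep state

# Checks (run as root on the pf host):
#   pfctl -nf /etc/pf.conf   # parse the ruleset without loading it
#   pfctl -s states          # first column shows "all" for floating states
#                            # and the interface name (em0, em1) once
#                            # state-policy if-bound is in effect
```

The cost noted in the thread applies here: with if-bound, each connection that is both forwarded and mirrored holds a state on em0 and a second one on em1, so the state table roughly doubles compared with the floating policy, and state limits (`set limit states`) may need to be revisited on a busy box.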