Date:      Wed, 16 May 2007 22:57:17 +0100
From:      Tom Judge <tom@tomjudge.com>
To:        David DeSimone <fox@verio.net>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: Packet Path Through PF (onec for each interface?)
Message-ID:  <464B7E3D.1030507@tomjudge.com>
In-Reply-To: <20070516213836.GB22335@verio.net>
References:  <464B487C.1050301@tomjudge.com> <20070516195948.GA22335@verio.net> <464B6A29.2020107@tomjudge.com> <20070516213836.GB22335@verio.net>

David DeSimone wrote:
> Tom Judge <tom@tomjudge.com> wrote:
>> According to the diagram that Greg sent a link to state is checked for
>> every interface.  However is the state information tied to an
>> interface?
> 
> The answer is determined by the state-policy.  In your configuration you
> can set state-policy to "if-bound" or "group-bound" or "floating".
> 
> If you choose "if-bound", the state will stick to the interface chosen
> at time of initial evaluation of the rule.  If packets start to flow
> through different interfaces, they will fail to match the state, and
> this will require a rulebase evaluation to be performed in order to
> determine if traffic should continue to flow.
> 
> If you choose "floating" (which is the default), state is not bound to
> any particular interface, and it will not matter whether the packets
> arrive or leave on the same interfaces; only that the packet contents
> match the defined state.  With this setting, I believe that your rule
> would only be evaluated once, and as long as the state entry lasts, PF
> will only examine the packets as far as state, and will skip the
> rulebase evaluation.  It will perform this state evaluation TWICE, once
> for ingress, again for egress.
> 

So this introduces a new problem with my HA configuration: how is 
pfsync going to deal with state information that is interface bound when 
the interfaces on the different boxes have different names?

eg:

em0-|-[Router]-|-em2
em1-|          |-em3
  |
  | pfsync
  |
bge1-|-[Router]-|-bce0
bge0-|          |-bce1


Where the following interfaces from each box are connected to the 
same network.

em0 and bge0
em2 and bce0
em3 and bce1

Do all the interface names have to match on the HA pair?

Tom
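As an added illustration (not part of the original message or of any reply in the thread), here is a pf.conf fragment for the first router in Tom's diagram. It uses the em0/em1/em2 names from that diagram; the dedicated pfsync link on em1 and the specific services are assumptions. It shows the two places state-policy can be set: globally with `set state-policy`, and per rule with the `(if-bound)` option, so the global default can be `floating` (no interface dependence for replicated states) while individual rules opt into interface-bound state.

```pf
# Added example pf.conf fragment for the first router (em0/em1/em2),
# not from the original thread. The peer would use the same rules with
# its own names (bge0/bge1/bce0) in the macros.
ext_if  = "em2"
int_if  = "em0"
sync_if = "em1"    # assumed: dedicated link carrying pfsync traffic

# Global default. Floating states are not tied to an interface, so a
# state replicated by pfsync is matched on packet contents alone and
# does not depend on the peer having an interface of the same name.
set state-policy floating

# Let pfsync (IP protocol "pfsync" in /etc/protocols) cross the sync link.
pass quick on $sync_if proto pfsync

# Ordinary stateful rule: inherits the global floating policy.
pass in on $ext_if proto tcp to ($ext_if) port 22 keep state

# Per-rule override: this state sticks to $int_if, as described in the
# quoted reply; packets for it seen on another interface fall back to
# rule evaluation.
pass out on $int_if proto tcp to any port 80 keep state (if-bound)
```

With `set state-policy if-bound` as the global default instead, every state created on em0 would carry that interface binding; whether the peer can apply such a state depends on how its pfsync resolves the interface name, which is exactly the question raised above.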




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?464B7E3D.1030507>