Date:      Thu, 06 Mar 2008 09:36:23 +0100
From:      Attila Nagy <bra@fsn.hu>
To:        freebsd-net@freebsd.org
Subject:   pf reply-to broken in RELENG_7
Message-ID:  <47CFAD07.6020008@fsn.hu>

Hello,

I've just upgraded some of our 6-STABLE servers to 7-STABLE to notice 
that pf reply-to for directly connected IPs seems to be broken.

I have the following relevant rule in pf.conf:
pass in on $ext_if reply-to ( $ext_if csmvip ) proto tcp from any to any 
port 25 label "mxtraffic-tcp" keep state

which routes incoming SMTP connections (to be exact, the replies to 
them) to the csmvip host, which is a load balancer. This is needed 
because the LB doesn't do source NAT (it does destination NAT however to 
direct traffic addressed to its virtual IP to the real servers' IPs), 
and the servers have a different default route than the LB. This way the 
servers reply to the LB, so it can rewrite the replies' source address 
to its virtual IP, so the client will see the correct IP (the LB's 
virtual IP) in the address, instead of the host's real address.

It seems that this still works in 7-STABLE for internet (not 
directly connected) hosts, but not for directly connected hosts, for 
example the ones that are in the same subnet as my servers.
To overcome this, I've had to add static ARP entries to the servers, to 
tell that the clients' hardware address is the address of the load 
balancer, but it would be better if the previous behaviour (as in 
6-STABLE) could be restored.

Could anybody help to resolve this?

Thanks,

-- 
Attila Nagy                                   e-mail: Attila.Nagy@fsn.hu
Free Software Network (FSN.HU)                 phone: +3630 306 6758
http://www.fsn.hu/
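The ruleset and workaround from the post above, as an added example that is not part of the original message: a shell script that emits a minimal pf.conf carrying the reply-to rule with its macros defined, parse-checks it with pfctl -nf when pfctl is present, and prints the static ARP commands the author describes for directly connected clients. The interface name, the load balancer address and MAC, and the client addresses are placeholders; the post used the hostname csmvip directly in the rule (pf resolves hostnames when the ruleset is loaded), here it is an explicit macro.

```shell
#!/bin/sh
# Added example, not code from the original post. All addresses and the
# interface name below are assumptions (documentation ranges).
set -eu

EXT_IF="${EXT_IF:-em0}"                 # assumption: external interface
LB_IP="${LB_IP:-192.0.2.10}"            # assumption: load balancer (csmvip) IP
LB_MAC="${LB_MAC:-00:00:5e:00:53:01}"   # assumption: load balancer MAC

# Emit a minimal pf.conf with the reply-to rule from the post. Replies to
# inbound SMTP are handed to the load balancer instead of following the
# servers' default route, so the LB can rewrite the source address.
gen_pf_conf() {
    cat <<EOF
ext_if = "$1"
lb_ip = "$2"

pass in on \$ext_if reply-to ( \$ext_if \$lb_ip ) proto tcp from any to any \\
    port 25 label "mxtraffic-tcp" keep state
EOF
}

# Parse the ruleset without loading it (pfctl -n), if pfctl exists here.
check_pf_conf() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$1"
    else
        echo "pfctl not available; skipping syntax check of $1" >&2
    fi
}

# Workaround from the post: static ARP entries on the servers that map each
# directly connected client's IP to the load balancer's MAC, so replies
# reach the LB. Prints the commands; run them as root on the mail servers.
gen_arp_cmds() {
    lb_mac="$1"; shift
    for client in "$@"; do
        printf 'arp -S %s %s\n' "$client" "$lb_mac"
    done
}

main() {
    tmp=$(mktemp)
    gen_pf_conf "$EXT_IF" "$LB_IP" > "$tmp"
    cat "$tmp"
    check_pf_conf "$tmp"
    # constructed sample: two clients on the servers' own subnet
    gen_arp_cmds "$LB_MAC" 192.0.2.20 192.0.2.21
    rm -f "$tmp"
}

[ "${1:-}" = "--no-run" ] || main
```

Note that a static ARP entry pointing a client's IP at the load balancer's MAC affects every packet the server sends to that client, not only the SMTP replies matched by the rule, which is why the author treats it as a stopgap rather than a fix.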