Hello,

I've just upgraded some of our 6-STABLE servers to 7-STABLE, only to notice that pf reply-to for directly connected IPs seems to be broken.

I have the following relevant rule in pf.conf:
pass in on $ext_if reply-to ( $ext_if csmvip ) proto tcp from any to any port 25 label "mxtraffic-tcp" keep state

which routes incoming SMTP connections (to be exact, the replies to them) to the csmvip host, which is a load balancer. This is needed because the LB doesn't do source NAT (it does destination NAT however to direct traffic addressed to its virtual IP to the real servers' IPs), and the servers have a different default route than the LB. This way the servers reply to the LB, so it can rewrite the replies' source address to its virtual IP, so the client will see the correct IP (the LB's virtual IP) in the address, instead of the host's real address.

It seems that this still works in 7-STABLE for internet (not directly connected) hosts, but not for directly connected hosts, for example the ones which are in the same subnet as my servers. To overcome this, I've had to add static ARP entries to the servers, stating that the clients' hardware address is the address of the load balancer, but it would be better if the previous behaviour (as in 6-STABLE) could be restored.

Could anybody help to resolve this?

Thanks,

--
Attila Nagy                                   e-mail: [EMAIL PROTECTED]
Free Software Network (FSN.HU)                 phone: +3630 306 6758
http://www.fsn.hu/
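Added example, not part of the message above: a pf.conf fragment that spells out the macros the quoted rule relies on, together with the static ARP workaround described in the message. The interface name, the load balancer address, the MAC address and the client address are placeholders, not values from the original post.

```pf
# Assumed macro values (placeholders); the original rule only names the macros.
ext_if = "em0"            # external interface the SMTP traffic arrives on
csmvip = "192.0.2.10"     # directly connected load balancer (next hop for replies)

# The rule from the message: state is created for inbound SMTP, and packets
# matching that state in the reply direction are handed to csmvip on $ext_if
# instead of following the host's default route.
pass in on $ext_if reply-to ( $ext_if csmvip ) proto tcp from any to any port 25 \
    label "mxtraffic-tcp" keep state

# Workaround used in the message for clients on the same subnet: a static ARP
# entry so the client's IP resolves to the load balancer's MAC address. Run as
# a shell command on each server (placeholder addresses):
#   arp -S 192.0.2.50 00:11:22:33:44:55
# Verify the parse before loading, and inspect states with the rule label:
#   pfctl -nf /etc/pf.conf
#   pfctl -ss | grep 'port 25'  (or: pfctl -vsr | grep mxtraffic-tcp)
```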

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
