David DeSimone wrote:
Tom Judge <[EMAIL PROTECTED]> wrote:
According to the diagram that Greg sent a link to, state is checked for
every interface. However, is the state information tied to an
interface?
The answer is determined by the state-policy. In your configuration you
can set state-policy to "if-bound" or "group-bound" or "floating".
If you choose "if-bound", the state will stick to the interface chosen
at time of initial evaluation of the rule. If packets start to flow
through different interfaces, they will fail to match the state, and
this will require a rulebase evaluation to be performed in order to
determine if traffic should continue to flow.
If you choose "floating" (which is the default), state is not bound to
any particular interface, and it will not matter whether the packets
arrive or leave on the same interfaces; only that the packet contents
match the defined state. With this setting, I believe that your rule
would only be evaluated once, and as long as the state entry lasts, PF
will only examine the packets as far as state, and will skip the
rulebase evaluation. It will perform this state evaluation TWICE, once
for ingress, again for egress.
So this introduces a new problem with my HA configuration: how is
pfsync going to deal with state information that is interface bound when
the interfaces on the different boxes have different names?
e.g.:
em0-|-[Router]-|-em2
em1-|          |-em3
    |
    | pfsync
    |
bge1-|-[Router]-|-bce0
bge0-|          |-bce1
Where the following interfaces from each box are connected to the
same network:
em0 and bge0
em2 and bce0
em3 and bce1
Do all the interface names have to match on the HA pair?
Tom
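As an added illustration (not from either poster), a pf.conf fragment showing the two state-policy settings David describes: the global policy set to floating, with one rule overriding it to if-bound. The interface names and macros are a constructed example for one node, not Tom's actual configuration, and nothing here settles how pfsync treats interface-bound states between differently named interfaces.

```pf
# Global default: states are not tied to an interface. This is also
# pf's default if the line is omitted.
set state-policy floating

# Interface macros (assumed names for one node). On the HA peer only
# these values would change, e.g. bge0 / bce0 / bce1 / bge1.
ext_if  = "em0"
int_if  = "em2"
dmz_if  = "em3"
sync_if = "em1"

# pfsync and CARP traffic between the two routers; these states are
# not themselves synchronised to the peer.
pass quick on $sync_if proto pfsync keep state (no-sync)
pass quick on { $ext_if $int_if $dmz_if } proto carp keep state (no-sync)

# Floating state (global policy): the rule is evaluated once, and the
# state is then matched on ingress ($ext_if) and again on egress
# ($int_if) without regard to which interface the packet is on.
pass in on $ext_if proto tcp from any to $int_if:network port 443 keep state

# Per-rule override: this state sticks to $dmz_if. Packets for the
# same connection seen on another interface do not match it and go
# back through the ruleset.
pass in on $dmz_if proto tcp from $dmz_if:network to any port 25 keep state (if-bound)
```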
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf