On Wed, May 16, 2012 at 2:15 PM, Adam Strohl <adams-free...@ateamsystems.com> wrote:
> Hello,
>
> I've noticed that when I use "synproxy state" on a rule and a connection
> comes in to an IP on a CARP interface the connection opens but never gets
> passed on to the process as it should.
>
> For example:
>
> pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state
>
> Will work fine if I come in to a non-CARP IP. The connection is accepted
> and then brokered to SSHd.
>
> However on the same machine with the same rule if I come in to a CARP'd IP
> it connects but hangs (not passed on to SSHd).
>
> If I remove the "synproxy state" portion the CARP test case works.
>
> I've done a bunch of flipping and testing and it seems that CARP IP + PF
> rule with "synproxy state" doesn't work -- the connection will be accepted
> but not passed on like it should.
>
> Is this known behaviour? Is there a work around? Anything else anyone
> wants to know?
>

Yeah, it's known behaviour, though I am not sure there is a PR related to it.
I might have a solution but not sure when I can produce a patch for this.
Which FreeBSD version are you on? I thought that with the carp(4) rearrangement of not using ifnets this solved itself?

> I've noticed this too: the physical interface seems to "include" the CARP
> interfaces associated with it. That above rule I pasted applies to the CARP
> interface even though it's specifying "bce0" as the value for $ext_if (vs. a
> rule for "carp1", etc). Is that normal/expected?
>
> I did notice in the docs that "synproxy state" doesn't work with bridge
> interfaces, is a CARP interface maybe falling into this category?
>
> Any input/thoughts appreciated!
>
> P.S.
> Please be sure to CC me, I am not subscribed to the PF mailing list.
>
> --
>
> Adam Strohl
> A-Team Systems
> http://ateamsystems.com/
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"

--
Ermal