Oops, everything is OK with route-to and reply-to in pf, my bad.

Config for my situation must be like this:

scrub in all fragment reassemble
pass in quick reply-to (em0 10.60.128.254) inet from any to 10.60.128.0/24 flags S/SA keep state
pass in quick reply-to (em0 10.70.128.254) inet from any to 10.70.128.0/24 flags S/SA keep state
pass in quick reply-to (em0 10.71.128.254) inet from any to 10.71.128.0/24 flags S/SA keep state
pass in quick reply-to (em0 10.72.128.254) inet from any to 10.72.128.0/24 flags S/SA keep state
pass in quick all flags S/SA keep state
or incoming traffic would create keep-state with pass in and would not go down to route-to rules. Or use per-interface keep states.

On Mon, Dec 7, 2009 at 11:30 PM, Lytochkin Boris <lytbo...@gmail.com> wrote:
> there are multiple addresses on em0 (for example):
>
> 95.108.197.225/27
> 10.60.128.225/24
> 10.61.128.225/24
> ...
> 10.70.128.225/24
>
> default router is in 95.108.197.225/27 network.
>
> 10.X addresses are used for SLB - SLB router does DNAT and forwards
> client's connection to this node, so node should forward all packets
> from 10.X addresses to .254 - SLB router IPs.
>
> ipfw config would be something like
> ====
> ipfw add 60 fwd 10.60.128.254 ip from 10.60.128.0/24 to any out
> ipfw add 61 fwd 10.61.128.254 ip from 10.61.128.0/24 to any out
> ...
> ipfw add 70 fwd 10.70.128.254 ip from 10.70.128.0/24 to any out
> allow 65534 ip from any to any
> ====
>
> pf variant will be accordingly
> ====
> scrub in all fragment reassemble
> pass in all flags S/SA keep state
> pass out quick route-to (em0 10.60.128.254) inet from 10.60.128.0/24
> to any flags S/SA keep state
> ...
> pass out quick route-to (em0 10.60.128.254) inet from 10.70.128.0/24
> to any flags S/SA keep state
> ====
>
> My box is a cluster node, not router, just simple policy-based routing
> required
>
> On Mon, Dec 7, 2009 at 11:21 PM, Ermal Luçi <e...@freebsd.org> wrote:
>>
>> On Mon, Dec 7, 2009 at 8:45 PM, Lytochkin Boris <lytbo...@gmail.com> wrote:
>>>
>>> Hi!
>>>
>>> On Mon, Dec 7, 2009 at 10:29 PM, Max Laier <m...@love2party.net> wrote:
>>> [cut]
>>> > I just tested an install of r197983 (9.0-CURRENT) that I had on a
>>> > test-box and route-to works as it is supposed to - AFAICT. FWIW, pf
>>> > sets sin_len for every use.
>>> >
>>> > Might be a problem/mis-understanding in the OPs configuration that is
>>> > the issue here?
>>> >
>>> > I'll follow up to the thread on -net@ in a second.
>>>
>>> I posted my pf config in original message to -net@:
>>> =====
>>> scrub in all fragment reassemble
>>> pass in all flags S/SA keep state
>>> pass out quick route-to (em0 10.60.128.254) inet from 10.60.128.0/24
>>> to any flags S/SA keep state
>>> =====
>>>
>>> Pretty simple. Even when forward is disabled, packets that are matched
>>> by route-to rule are forwarded to default gateway instead of the one
>>> specified in route-to. And I checked rtalloc_ign_fib() arguments when
>>> using pf - seems that pf does not use this function to lookup route-to
>>> route.
>>>
>>> +sem@
>>>
>>
>> My crystal ball is broken.
>> Explain your freebsd config, your network topology, some debug output and
>> then it can be considered useful.
>>
>> There are many people using route-to on FreeBSD 8 so it would have come up
>> before.
>>
>>> --
>>> Regards,
>>> Boris Lytochkin
>>
>> --
>> Ermal
>
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
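As an added example (not from the thread and not pf's own code), a small Python checker for the two points the thread settles: replies to state created by a plain `pass in ... keep state` rule never reach a `pass out route-to` rule, so the SLB return path needs `reply-to` on the inbound rule, and each gateway must sit inside the network the rule routes for (the quoted pf variant pairs gateway 10.60.128.254 with 10.70.128.0/24, which the check flags). The rule parser and the two sample rulesets are my construction and cover only the rule shapes used in this thread.

```python
import ipaddress
import re
# pf semantics modelled: rules are evaluated top to bottom and the LAST match wins
# unless a matching rule says 'quick'; a packet that matches existing state skips the
# ruleset, so 'pass out route-to' never sees replies to state that 'pass in' created.
RULE_RE = re.compile(
    r"^pass\s+(?P<dir>in|out)\s+(?P<quick>quick\s+)?"
    r"(?:(?P<kind>reply-to|route-to)\s+\((?P<iface>\w+)\s+(?P<gw>[\d.]+)\)\s+)?"
    r"(?:inet\s+)?(?:from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)|all)"
)
def parse_rules(conf):
    """(rule_number, fields) for every 'pass' rule; scrub and other lines are skipped."""
    rules = []
    for line in conf.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(dict(m.groupdict(), quick=bool(m["quick"]), state="keep state" in line))
    return list(enumerate(rules, 1))

def check_policy_routing(conf):
    """Problems that leave reply-to / route-to rules ineffective for the SLB return path."""
    rules = parse_rules(conf)
    catchalls = [(n, r) for n, r in rules if r["dir"] == "in" and r["kind"] is None
                 and r["src"] is None and r["state"]]
    problems = []
    for n, r in rules:
        if r["kind"] is None:
            continue
        net = r["dst"] if r["kind"] == "reply-to" else r["src"]  # gateway must sit in this net
        if net != "any" and ipaddress.ip_address(r["gw"]) not in ipaddress.ip_network(net, strict=False):
            problems.append(f"rule {n}: gateway {r['gw']} is not inside {net}")
        for c_n, c in catchalls:
            if r["kind"] == "route-to" and r["dir"] == "out":
                problems.append(f"rule {n}: replies to state from rule {c_n} bypass this "
                                "route-to; put reply-to on the inbound rule instead")
            elif r["dir"] == "in" and (c["quick"] if n > c_n else not r["quick"]):
                problems.append(f"rule {n}: shadowed by catch-all rule {c_n}")  # last match wins
    return problems
# Constructed samples, one rule per line: the thread's original ruleset and the corrected one.
ORIGINAL = """\
pass in all flags S/SA keep state
pass out quick route-to (em0 10.60.128.254) inet from 10.60.128.0/24 to any flags S/SA keep state
pass out quick route-to (em0 10.60.128.254) inet from 10.70.128.0/24 to any flags S/SA keep state
"""
CORRECTED = """\
pass in quick reply-to (em0 10.60.128.254) inet from any to 10.60.128.0/24 flags S/SA keep state
pass in quick reply-to (em0 10.70.128.254) inet from any to 10.70.128.0/24 flags S/SA keep state
pass in quick all flags S/SA keep state
"""
```

Running `check_policy_routing(ORIGINAL)` reports the route-to rules as bypassed and the mismatched gateway, while `check_policy_routing(CORRECTED)` returns an empty list.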