10/stable pfsync bulk fail
Patrick Lamaiziere
patfbsd at davenulle.org
Tue Jul 19 16:16:58 UTC 2016
On Wed, 13 Jul 2016 15:35:23 +0200,
Patrick Lamaiziere <patfbsd at davenulle.org> wrote:
Hello,
> 10/stable rev 302560
>
> I'm building a pair of firewalls with pf and carp and the states are
> well synchronized between the firewalls. But at startup or using
> "service pfsync restart" pfsync fails the bulk update.
>
> In rare situations the bulk is successful but I don't know why.
I've made some progress on this problem and I think there are several
issues.
The main one is that pfsync is started by rc(8) before pf starts. And
the first thing "/etc/rc.d/pf start" does is to flush the states with
pfctl -F all. This flush seems to stop the bulk sync.
# rcorder /etc/rc.d/* | grep pf
/etc/rc.d/pfsync
/etc/rc.d/pflog
/etc/rc.d/pf
For me it is nonsense to start pf after pfsync for two reasons:
- It flushes the states (which may have been acquired via the bulk sync).
- The size of pf's state table is not yet set (we have more than
800 000 states here, the default size is not enough and the easiest
way to set the size is to load pf.conf).
Anyway when starting pfsync after pf, the bulk sync works.
There are other strange behaviors (for example when using service pfsync
restart, the bulk sync does not work. It looks like it works only
one time). I will investigate later and file a PR.
Regards.
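An added check, not part of the original message, that turns the rcorder(8) inspection above into a script: it reads rcorder-style output (one script path per line) and fails when pfsync is ordered before pf, the ordering the author identifies as breaking the bulk sync. The sample orderings are constructed from the post and the function names are assumptions of this example.

```shell
# Added example (not from the original post): detect the rc(8) start order
# that lets "pf start" flush states while pfsync is still doing its bulk sync.

# pf_started_before_pfsync: reads rcorder-style paths on stdin.
# Returns 0 if pf precedes pfsync, 1 if pfsync precedes pf,
# 2 if either script is missing from the list.
pf_started_before_pfsync() {
    awk '
        $0 ~ /\/pfsync$/ { sync_pos = NR }
        $0 ~ /\/pf$/     { pf_pos = NR }
        END {
            if (!pf_pos || !sync_pos) exit 2
            if (pf_pos < sync_pos) exit 0
            exit 1
        }
    '
}

# Constructed sample: the ordering reported in the post (pfsync first).
BROKEN_ORDER='/etc/rc.d/pfsync
/etc/rc.d/pflog
/etc/rc.d/pf'

# Constructed sample: the ordering under which the bulk sync worked.
GOOD_ORDER='/etc/rc.d/pf
/etc/rc.d/pflog
/etc/rc.d/pfsync'

# check_order: $1 is rcorder-style text; prints a verdict and returns
# the status of pf_started_before_pfsync.
check_order() {
    printf '%s\n' "$1" | pf_started_before_pfsync
    rc=$?
    case $rc in
        0) echo "ok: pf starts before pfsync" ;;
        1) echo "WARNING: pfsync starts before pf; 'pf start' will flush states during the bulk sync" ;;
        *) echo "unknown: pf or pfsync not found in rcorder output" ;;
    esac
    return $rc
}

# On a live system: rcorder /etc/rc.d/* | pf_started_before_pfsync
```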