A new version of the pfsync packet is introduced: 1500. This version solves
the data alignment issues introduced in version 1400 and adds syncing of the
information needed to sync states created by rules with af-to (the original
interface, af and proto, kept separate for the wire and stack keys), of rt_af,
needed for prefer-ipv6-nexthop, and of tag names.
Repository: rG FreeBSD src repository

Event Timeline
| sys/netpfil/pf/pf_ioctl.c | |
|---|---|
| 796 | `return (NULL)` |
Remove syncing of altq queue names, sync their IDs instead. The queue names are very long and if queues are kept identical on both routers, it will still work fine. Improve locking in tagname2tag().
| sys/netpfil/pf/if_pfsync.c | |
|---|---|
| 838 | Under which conditions can queues have different IDs on two routers? Can this happen even if the ruleset is eventually identical but one of the routers went through some intermediate versions? Syncing wrong information could send packets to a wrong queue, potentially a very slow one. Could we not sync it at all and trust the rule if rulesets are identical, like we did previously for other synced parameters? Or introduce a checksum just for altq queues? |
| tests/sys/netpfil/pf/pfsync.sh | |
|---|---|
| 1677 | Note to self: add a test for rt_af. |
| sys/netpfil/pf/if_pfsync.c | |
|---|---|
| 838 | I suspect the answer there is "If the rules/queues config has ever been different in those two pf instances". That's not ideal, but at least it's no more broken than it's ever been. |
Fix struct alignment. Add a test for rt_af, document why it can't check all cases yet.