Joerg Zinke([email protected]) on 2012.01.03 21:42:08 +0100:
> Hi,
>
> On 03.01.2012 at 20:37, Sebastian Benoit <[email protected]> wrote:
>
> > Daniel and I found a rather bizarre problem with round-robin tables in pf.
> >
> > We have a relayd setup with two webservers (IPs $A and $B). We observed
> > that when one of the webservers went down, so did the loadbalanced
> > service (on IP $C).
> >
> > We first noticed this in 2011-11 when deploying a pair of carped
> > loadbalancers (running current) and debugged and narrowed it down to
> > this case, independently reproducible without relayd:
> >
> > (pf.conf contains an anchor "relayd/*")
> >
> > $ cat /etc/pf.testrule
> > pass in quick on rdomain 0 inet proto tcp from any \
> >     to $C port = 80 flags S/SA \
> >     keep state (tcp.established 600) tag RELAYDHTTP \
> >     rdr-to <http_foo> port 80 round-robin prio 0
> >
> > $ pfctl -a relayd/http_foo -t http_foo -T add $A
> > $ pfctl -a relayd/http_foo -t http_foo -T add $B
> > $ pfctl -f /etc/pf.testrule -a relayd/http_foo
> >
> > This results in a working loadbalanced setup:
> >
> > $ pfctl -a relayd/http_foo -t http_foo -T show
> >    $A
> >    $B
> >
> > Now consider the case where an IP is deleted from the table http_foo:
> >
> > $ pfctl -a relayd/http_foo -t http_foo -T delete $A
> >
> > or
> >
> > $ pfctl -a relayd/http_foo -t http_foo -T delete $B
> >
> > The bug triggers when this delete happens right after the _last_
> > redirection address was $B, and $C becomes inaccessible.
> >
> > It is independent of which of the addresses gets deleted, but the
> > output _order_ of $A and $B when printing the table with "-T show" is
> > important.
>
> Can you confirm that this bug happens in a plain PF setup also (i.e. without
> relayd being involved)?

Yes, I just chose to use the relayd anchor (as in the commands above), but
in most of my tests, especially today when I checked different kernels,
relayd was never started.

/Benno
