On 2015-11-07 21:36:28 (+0100), Miłosz Kaniewski <[email protected]> wrote:
> 2015-10-12 16:28 GMT+02:00 David DeSimone <[email protected]>:
>
> But unfortunately I still have a problem with the 'dup-to' option. I hope you
> don't mind if I describe it here, as it is still connected with the network
> scheme I used in my first post.
>
> As I explained, the 'dup-to' option is useful only when it is used with the
> next-hop parameter. So in my configuration from the first post I made these
> changes:
>
> pass out on em0 dup-to (em2 10.0.0.1) no state
> pass out on em1 dup-to (em2 10.0.0.1) no state
>
> IP address 10.0.0.1 is accessible through the em2 interface. And with that
> configuration everything works fine and duplicated packets are sent through
> the em2 interface without any problems. But I tried to make a little change
> and used one stateful rule:
>
> pass out on em1 dup-to (em2 10.0.0.1)
>
> And with that configuration something strange is happening. Packets are still
> duplicated and correctly sent through the em2 interface, but there are too
> many of them. It looks like some of the packets are duplicated too many times.
> Let's say I send an ICMP ping that goes through em1. On em2 I should see two
> packets: ICMP request and ICMP reply. But I see two identical ICMP requests
> and one ICMP reply. So there are 3 packets instead of two.

Yeah, I see the same thing in my test setup. I'll try to investigate it soon.

> I don't want to file a bug report yet. First I would like to hear your opinion
> about this behaviour. And it would be great if someone would check a similar
> situation and confirm that this problem really exists.

It certainly looks wrong. I can also reproduce your observation that this
doesn't happen when 'no state' is added to the rule.

Regards,
Kristof
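One way to confirm the over-duplication reported in this thread is to count identical ICMP echo packets in a text capture taken on the mirror interface (em2). This is an added example, not code from either poster or from pf; the capture lines, addresses, id and seq values are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed `tcpdump -n` text output as it might look on the mirror
# interface (em2); addresses, id and seq values are made up for illustration.
SAMPLE_CAPTURE = """\
12:00:01.000100 IP 192.168.1.10 > 192.168.2.20: ICMP echo request, id 4242, seq 1, length 64
12:00:01.000130 IP 192.168.1.10 > 192.168.2.20: ICMP echo request, id 4242, seq 1, length 64
12:00:01.000900 IP 192.168.2.20 > 192.168.1.10: ICMP echo reply, id 4242, seq 1, length 64
12:00:02.000100 IP 192.168.1.10 > 192.168.2.20: ICMP echo request, id 4242, seq 2, length 64
12:00:02.000140 IP 192.168.1.10 > 192.168.2.20: ICMP echo request, id 4242, seq 2, length 64
12:00:02.000950 IP 192.168.2.20 > 192.168.1.10: ICMP echo reply, id 4242, seq 2, length 64
"""

# Matches the ICMP echo summary lines that tcpdump prints for IPv4.
ICMP_LINE = re.compile(
    r"IP (?P<src>\S+) > (?P<dst>\S+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)


def count_mirrored(capture_text):
    """Count how often each distinct ICMP echo packet appears in the capture."""
    counts = Counter()
    for line in capture_text.splitlines():
        m = ICMP_LINE.search(line)
        if m:
            key = (m["kind"], m["src"], m["dst"], int(m["id"]), int(m["seq"]))
            counts[key] += 1
    return counts


def over_duplicated(capture_text, expected=1):
    """Return the packets seen on the mirror more than `expected` times."""
    return {k: n for k, n in count_mirrored(capture_text).items() if n > expected}


if __name__ == "__main__":
    for (kind, src, dst, icmp_id, seq), n in sorted(over_duplicated(SAMPLE_CAPTURE).items()):
        print(f"{kind} {src} -> {dst} id={icmp_id} seq={seq}: seen {n} times")
```

Running the same check against a capture taken with the 'no state' rules gives a baseline in which every packet should appear once.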
