Hi Simon,

1- pf divert-reply,
The issue with pf, I think, is the following text 'yyerror("divert-reply
has no meaning in FreeBSD pf(4)");' in /sbin/pfctl/parse.y.
I was surprised to find it, even though the option is listed in the man pages.

So it sounds like it is not possible with a current native FreeBSD install.
I anyway haven't been successful in writing a firewall rule that contains
divert-reply and can be validated by pfctl. I do think that would be the
best solution; reading the text in the man page, it seems exactly what is
needed: catching reply packets for a non-local socket.

Were you able to write such a firewall rule?

I'm now trying to manually merge an old patch I found online.
It seems some parts are present already while others are 'missing' in the
current sources...
Not sure if that will work out, as some bitflags are already used
for other options and I am not sure if that's resolvable by me.

2- crash on FreeBSD,
I've not seen it myself, but another user did report on FreeBSD 8.3
(pfSense 2.1) that he also experiences crashes with dev20 and dev22.

About 3 and 4 I have no clue.


k simon wrote on 20-3-2014 16:12:
> Hi, lists,
>   I tested dev22 on FreeBSD 10-stable recently, and found:
> 1. "ipfw fwd" works well with dev22+tproxy. There is a nice guide in
> /usr/local/share/examples.
> But pf's divert-to and divert-reply can't work with haproxy. Maybe
> haproxy does not use "getsockname(2)" and "setsockopt(2)".
> 2. There are some issues with "option http-server-close": haproxy crashed
> after a while, whenever it was set on the frontend or backend.
> 3. Sometimes it stalled with "tcp-smart-connect" and "tcp-smart-accept";
> when I removed them, it worked normally. But I am not sure about it.
> 4. dev22 can be compiled on DragonflyBSD, but it silently stalls.
> Regards
> Simon
