i have found the reason for the described behaviour. it's the state-policy, see the description below.
> My first guess would be the interfaces. If either $ext_if1 or $ext_if2
> do not exist at ruleset load time (because they're not physical
> interfaces like xl0, but tun0 or such), you should get an error message
> on the console when pfctl is invoked from rc.

$ext_if1 and $ext_if2 are physical interfaces xl1, xl2

>> pass out quick route-to {(extif_2 proxy_ip1),(extif_2 proxy_ip2)} \
>                            ^^      ^^          ^^      ^^
> Those are typos (missing $), right?

yep

the reason for the described behaviour is:

the mainruleset contains:

extif_1=xl1
set state-policy if-bound
### outgoing http loadbalancing ###
anchor http_out out on $extif_1 from <clients> to any
load anchor http_out from "/bla/http_out"

the anchorfile "/bla/http_out" contains:

extif_2=xl2
proxy_ip1="10.11.12.10"
proxy_ip2="10.11.12.11"
pass out quick route-to {($extif_2 $proxy_ip1),($extif_2 $proxy_ip2)} \
    round-robin sticky-address proto tcp \
    from any to any port 80 flags S/SA keep state \
    (max 100000, source-track rule, max-src-nodes 2000, \
    max-src-states 1000)

at first, all the time i have worked with pf i thought, if i change the state-policy in the mainruleset from "floating" to "if-bound", this also relates to all rules within an anchor. it seems to be, that it doesn't fit for my route-to rule.

if i load the above mainruleset with

pfctl -f pf.conf

the state-policy for all rules within the mainrulesets and anchors is set to "if-bound" as it should be. therefore the route-to rule for loadbalancing http-traffic doesn't work, because there is no passing-rule bound to interface $extif_2 (xl4).

but if i load the anchorrules with the command

pfctl -a http_out -f /bla/http_out

the state-policy for all rules within the anchor http_out is also set to "if-bound" except the route-to rule. the state-policy for this rule is set to "floating" and loadbalancing for http-traffic works fine, because there has to be no further rule bound to interface $extif_2 (xl4).

i have added a "floating" behind the "max-src-states 1000" of the route-to rule and everything still works fine after a reload of the whole ruleset or reboot.

regards and thx,
tobias
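The interaction described in this message can be checked for before a ruleset is loaded. The following is an added example, not part of the original post or of pf: a heuristic linter (the names `logical_lines` and `lint` are hypothetical) that flags stateful `route-to` rules whose effective state-policy is `if-bound` when no other pass rule names the target interface. It assumes a simplified rule syntax with no tables, interface lists or anchor nesting.

```python
import re

# Constructed sample: the post's main ruleset and anchor file merged into one text.
SAMPLE = '''\
extif_1=xl1
extif_2=xl2
proxy_ip1="10.11.12.10"
proxy_ip2="10.11.12.11"
set state-policy if-bound
pass out quick route-to {($extif_2 $proxy_ip1),($extif_2 $proxy_ip2)} \\
    round-robin sticky-address proto tcp \\
    from any to any port 80 flags S/SA keep state \\
    (max 100000, source-track rule, max-src-nodes 2000, \\
    max-src-states 1000)
'''

def logical_lines(text):
    """Join backslash-continued lines, then drop comments and blank lines."""
    for line in re.sub(r"\\\n\s*", " ", text).splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line

def lint(text):
    """Return (interface, rule) pairs: if-bound route-to state, no pass rule on the target."""
    macros, policy, rules = {}, "floating", []  # pf's default state-policy is floating
    for line in logical_lines(text):
        macro = re.match(r'(\w+)\s*=\s*"?([^"]*)"?$', line)
        if macro:
            macros[macro.group(1)] = macro.group(2)
            continue
        # Expand $name macros; unknown names are left untouched.
        line = re.sub(r"\$(\w+)", lambda m: macros.get(m.group(1), m.group(0)), line)
        opt = re.match(r"set\s+state-policy\s+(\S+)", line)
        if opt:
            policy = opt.group(1)
        elif line.startswith("pass"):
            rules.append(line)
    findings = []
    for rule in rules:
        target = re.search(r"route-to\s+(\{[^}]*\}|\([^)]*\))", rule)
        state = re.search(r"\bstate\b\s*(?:\(([^)]*)\))?", rule)
        if not (target and state):
            continue
        # A per-rule state option overrides the global policy.
        override = re.search(r"\b(floating|if-bound)\b", state.group(1) or "")
        if (override.group(1) if override else policy) != "if-bound":
            continue
        for iface in sorted(set(re.findall(r"\(\s*(\w+)", target.group(1)))):
            if not any(re.search(rf"\bon\s+{iface}\b", r) for r in rules if r is not rule):
                findings.append((iface, rule))
    return findings
```

On the sample, `lint(SAMPLE)` reports the route-to rule once for `xl2`; the report disappears when the rule carries a `floating` state option or when a pass rule on `xl2` is present.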