Hi,
I tested this patch too, but it will break pfsync compatibility:
to use it you need to recompile the pfctl tool and any applications that
depend on the pfsync_state struct.
It is a simpler way to implement route-to state synchronization and
it sends the correct interface name of the route-to output interface, but
adding more data to pfsync_state makes it incompatible with peers or
applications that do not have this patch:
--- pfvar.h 2010/01/14 01:04:54 1.290
+++ pfvar.h 2010/01/14 01:08:05
@@ -841,6 +841,7 @@
struct pfsync_state_peer src;
struct pfsync_state_peer dst;
struct pf_addr rt_addr;
+ char rt_ifname[IFNAMSIZ];
u_int32_t rule;
u_int32_t anchor;
u_int32_t nat_rule;
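Review bot: Adding `rt_ifname` to `struct pfsync_state` changes the size and layout of the on-wire state record without any accompanying protocol version change, so a peer without this patch will misparse every state message it receives — exactly the incompatibility the cover text describes. If the feature is kept, bump the pfsync protocol version, or carry the route-to interface in a separate optional message that old peers can ignore, and document the wire-format impact on the field itself, e.g. `char rt_ifname[IFNAMSIZ]; /* route-to output interface; changes the wire format */`. The struct definition starts and ends outside the hunk.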
--- if_pfsync.c 2010/01/13 23:06:38 1.127
+++ if_pfsync.c 2010/01/14 01:14:22
@@ -415,6 +415,9 @@
/* copy from state */
strlcpy(sp->ifname, st->kif->pfik_name, sizeof(sp->ifname));
bcopy(&st->rt_addr, &sp->rt_addr, sizeof(sp->rt_addr));
+ /* if state has route-to option, export rt interface name too*/
+ if(st->rt_kif)
+ strlcpy(sp->rt_ifname, st->rt_kif->pfik_name,
sizeof(sp->rt_ifname));
sp->creation = htonl(time_second - st->creation);
sp->expire = pf_state_expires(st);
if (sp->expire <= time_second)
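Review bot: When `st->rt_kif` is NULL the new code leaves `sp->rt_ifname` untouched, so unless `sp` is zeroed earlier in this function (not visible in the hunk) the exported record carries whatever bytes the field held before, and those bytes are sent to the peer. Make the field deterministic on both paths, e.g. add `else sp->rt_ifname[0] = '\0';` after the `strlcpy`, or `bzero(sp->rt_ifname, sizeof(sp->rt_ifname));` before the `if`. The continuation line `sizeof(sp->rt_ifname));` appears to have lost its `+` marker in the paste, so the hunk as shown would not apply cleanly. The enclosing function starts and ends outside the hunk.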
@@ -562,7 +565,12 @@
st->rule.ptr = r;
st->nat_rule.ptr = NULL;
st->anchor.ptr = NULL;
- st->rt_kif = NULL;
+ /* if the state had mached with ruleset we can bind the
+ interface for route-to, reply-to rules */
+ if(r != &pf_default_rule && r->rpool.cur)
+ st->rt_kif = pfi_kif_get(sp->rt_ifname);
+ else
+ st->rt_kif = NULL;
st->pfsync_time = time_uptime;
st->sync_state = PFSYNC_S_NONE;
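Review bot: `sp->rt_ifname` comes from the peer's packet and is not guaranteed to be NUL-terminated, yet it is passed straight to `pfi_kif_get()`, which treats it as a C string; and when the sending peer had no route-to interface the field is empty, so the lookup is done with an empty name (and, if `pfi_kif_get` creates an entry on a miss, a bogus kif is created) instead of leaving `st->rt_kif` NULL. Terminate the field before use, `sp->rt_ifname[sizeof(sp->rt_ifname) - 1] = '\0';`, and extend the condition to `if (r != &pf_default_rule && r->rpool.cur && sp->rt_ifname[0] != '\0')`. Whether a non-NULL `r->rpool.cur` really means the rule carries route-to/reply-to rather than any address pool should be confirmed; the new comment asserts it but nothing in the hunk shows it. Also `mached` → `matched` in the added comment. pfsync_state_import continues outside the hunk.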
@@ -916,7 +924,7 @@
st = pf_find_state_byid(&id_key);
if (st == NULL) {
/* insert the update */
- if (pfsync_state_import(sp, 0))
+ if (pfsync_state_import(sp, pkt->flags))
pfsyncstats.pfsyncs_badstate++;
continue;
}
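Review bot: The change from a literal `0` to `pkt->flags` in the insert-on-miss path is unrelated to the rt_ifname feature and is not explained anywhere in the message, so a reader cannot tell from the hunk which flag bits `pkt->flags` may carry or why the update path should now forward them when it previously did not. Add a one-line comment above the call stating which flags this path is meant to honor and why the miss case differs from before, and confirm that `pkt->flags` holds only kernel-derived flags rather than bits copied from the peer's packet. The enclosing function starts and ends outside the hunk.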
- Romey