Hi all,
I'm working on a patch to keep route-to and reply-to state synchronized between two firewalls in an HA setup; currently pfsync loses the route-to binding of a state when that state is imported on the peer.
This patch changes the pfsync wire format, because it adds char rt_ifname[IFNAMSIZ] to struct pfsync_state. For this reason other utilities that depend on pfvar.h must be recompiled; one of them is pfctl, which depends on pfsync_state_export to show the current states:
--- pfvar.h 2010/01/14 01:04:54 1.290
+++ pfvar.h 2010/01/14 01:08:05
@@ -841,6 +841,7 @@
struct pfsync_state_peer src;
struct pfsync_state_peer dst;
struct pf_addr rt_addr;
+ char rt_ifname[IFNAMSIZ];
u_int32_t rule;
u_int32_t anchor;
u_int32_t nat_rule;
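Review bot: struct pfsync_state is the on-the-wire format, and inserting `rt_ifname[IFNAMSIZ]` shifts every field after it, so a peer running the old layout would read `rule`, `anchor`, `nat_rule` and the rest from the wrong offsets rather than reject the packet. If pfsync carries a protocol version in its header (PFSYNC_VERSION in if_pfsync.h, if I recall correctly), bump it in the same patch so mixed-version peers drop each other's packets instead of misparsing them. A one-line comment on the new field, `/* name of rt_kif for route-to/reply-to states; empty if none */`, would also help the pfctl side, which reads this struct.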
--- if_pfsync.c 2010/01/13 23:06:38 1.127
+++ if_pfsync.c 2010/01/14 01:14:22
@@ -415,6 +415,9 @@
/* copy from state */
strlcpy(sp->ifname, st->kif->pfik_name, sizeof(sp->ifname));
bcopy(&st->rt_addr, &sp->rt_addr, sizeof(sp->rt_addr));
+ /* if state has route-to option, export rt interface name too*/
+ if(st->rt_kif)
+ strlcpy(sp->rt_ifname, st->rt_kif->pfik_name,
sizeof(sp->rt_ifname));
sp->creation = htonl(time_second - st->creation);
sp->expire = pf_state_expires(st);
if (sp->expire <= time_second)
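Review bot: When `st->rt_kif` is NULL the new branch never writes `sp->rt_ifname`, so unless pfsync_state_export zeroes *sp before this point (the function starts outside the hunk, so I cannot confirm it) the field carries whatever was already in the buffer onto the wire; pfsync is multicast on the sync interface, so that would be a small kernel-memory disclosure to every host on that segment. I would add an else branch, `else sp->rt_ifname[0] = '\0';`, or, if the zeroing does exist, state that the comment relies on it. Two smaller points: KNF puts a space after `if`, and the continuation line `sizeof(sp->rt_ifname));` appears here without its `+` marker, presumably a mail-paste artifact, so the patch as posted will not apply cleanly.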
@@ -562,7 +565,12 @@
st->rule.ptr = r;
st->nat_rule.ptr = NULL;
st->anchor.ptr = NULL;
- st->rt_kif = NULL;
+ /* if the state had mached with ruleset we can bind the
+ interface for route-to, reply-to rules */
+ if(r != &pf_default_rule && r->rpool.cur)
+ st->rt_kif = pfi_kif_get(sp->rt_ifname);
+ else
+ st->rt_kif = NULL;
st->pfsync_time = time_uptime;
st->sync_state = PFSYNC_S_NONE;
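Review bot: The name handed to `pfi_kif_get(sp->rt_ifname)` comes straight off the wire, and nothing in this hunk guarantees it is NUL-terminated or non-empty; if pfi_kif_get creates an entry for a name it does not know (it appears to, though its body is not shown here), a peer can make the receiver allocate interface entries for arbitrary or empty names, and an unterminated name would be read past the end of the array. Also, `r->rpool.cur` being non-NULL does not by itself say the rule is a route-to or reply-to rule; if the rule carries a routing-option field, gate on that as well. I would extend the condition to `if (r != &pf_default_rule && r->rpool.cur && sp->rt_ifname[0] != '\0' && memchr(sp->rt_ifname, '\0', sizeof(sp->rt_ifname)) != NULL)` (KNF also wants a space after `if`). pfsync_state_import starts before this hunk, so if a validated copy of the name already exists earlier in the function, use that instead.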
@@ -916,7 +924,7 @@
st = pf_find_state_byid(&id_key);
if (st == NULL) {
/* insert the update */
- if (pfsync_state_import(sp, 0))
+ if (pfsync_state_import(sp, pkt->flags))
pfsyncstats.pfsyncs_badstate++;
continue;
}
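Review bot: Changing `pfsync_state_import(sp, 0)` to pass `pkt->flags` affects every state inserted from an update message, not only route-to ones, and the cover text does not say why. If, as I infer, the flags are what let pfsync_state_import bind the state to a rule (and so let the `r != &pf_default_rule` test in the import hunk succeed), the comment should say so: `/* insert the update; pass the packet flags so a checksum-matched ruleset binds the rule */`. If that inference is wrong, this line is an unrelated behavior change and belongs in a separate patch. The enclosing function continues before and after this hunk.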
I found that adding the rt_ifname field to pfsync_state is the easiest way to complete the synchronization of route-to states.
I tested this patch and it seems to work well: the states are kept across a failover or failback. I will also test it (with the required changes) against the -current CVS version.
- Romey