Hi,

After 6.9, packets passed by "route-to" started to be evaluated on
output.  As a result, states are created for the output direction;
because "direct server return" is not considered for them, this has some
problems (e.g. the state is deleted because state tracking fails).

relayd(8) creates the input rule automatically.  In the same way, a
rule for output should be created.

Example output of "pfctl -sr":

    pass in quick on rdomain 0 inet proto tcp from any to 192.168.2.212 port = 8080 flags any keep state (sloppy, tcp.established 600) route-to <LBBYPASS>@en2 source-hash 0x11121314212223243132333441424344
+   pass out quick on rdomain 0 inet proto tcp from any to 192.168.2.212 port = 8080 flags any keep state (sloppy, tcp.established 600)

ok?

Index: usr.sbin/relayd/pfe_filter.c
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/pfe_filter.c,v
retrieving revision 1.63
diff -u -p -r1.63 pfe_filter.c
--- usr.sbin/relayd/pfe_filter.c        30 Jun 2023 12:16:00 -0000      1.63
+++ usr.sbin/relayd/pfe_filter.c        13 Sep 2023 04:58:36 -0000
@@ -486,6 +486,20 @@ sync_ruleset(struct relayd *env, struct 
                if (ioctl(env->sc_pf->dev, DIOCADDRULE, &rio) == -1)
                        fatal("cannot add rule");
                log_debug("%s: rule added to anchor \"%s\"", __func__, anchor);
+
+               /*
+                * Create "pass out" rule for "route to" which is needed to
+                * make the states sloppy, short timeout and so on.
+                */
+               if (t->conf.fwdmode == FWD_ROUTE) {
+                       rio.rule.direction = PF_OUT;
+                       rio.rule.rt &= ~PF_ROUTETO;
+                       rio.rule.route.addr.type = PF_ADDR_NONE;
+                       if (ioctl(env->sc_pf->dev, DIOCADDRULE, &rio) == -1)
+                               fatal("cannot add rule");
+                       log_debug("%s: rule added to anchor \"%s\"", __func__,
+                           anchor);
+               }
        }
        if (transaction_commit(env) == -1)
                log_warn("%s: add rules transaction failed", __func__);
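Review bot: the log_debug for the new "pass out" rule emits exactly the same text as the one for the "pass in" rule just above it, so with FWD_ROUTE the debug log shows two indistinguishable "rule added to anchor" lines; include the direction in the message, e.g. `log_debug("%s: pass out rule added to anchor \"%s\"", __func__, anchor);`. The out rule is also built by mutating rio in place after the first DIOCADDRULE, and only rio.rule.direction, rio.rule.rt and rio.rule.route.addr.type are changed, so any other route-to related fields set on rio.rule for the in rule are carried over into the out rule; either reset them explicitly or add a sentence to the comment stating that they are ignored once rt no longer requests route-to, so the next reader does not have to check.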
