On Wed, 03 Jul 2013 09:24:54 -0500, Loïc Blot
<loic.b...@unix-experience.fr> wrote:
> For me pf table is (sorry for the missing precisions) the pf state
> table for stateful operations
First of all, the states of node 1 being synced to node 2 and vice versa
is worthless because they have different IP addresses; the states won't
match anything.
Secondly, you'll probably end up dealing with the nodes fighting each
other as they sync back and forth. If a state from node1 is synced to
node2 and node2 decides to expire that session because it hasn't been used,
it will tell node1 to remove that session as well. Now your session that
was working on node1 has stopped functioning. This is probably the
hanging/stalling behavior you were experiencing before. I've never even
attempted to set this up in a lab and I know nothing of the pfsync/pf
code, but I assume this is what is happening to you. I'm actually quite
surprised it will even accept any changes to states for IPs that don't
exist on the server, but I suppose it doesn't seem worthwhile to put such
strict validation on it.