> Everything mentioned above works perfectly; the issue starts when we
> have to delete one IP from the load balance table. For example, if the
> 10.0.0.2 server is down, I need to take it out of the balancing table:
>
> pfctl -t lb -T del 10.0.0.2
>
> In this case, technically load balancing will be kept only among the IPs
> 10.0.0.1 and 10.0.0.3, which are the only ones that still exist in the
> <lb> table. But the problem is, even when the just-deleted 10.0.0.2
> server is not in <lb> anymore, clients' requests/states which were in
> "Source" before and that pointed to 10.0.0.2 will still be there, and
> therefore redirections to 10.0.0.2 will continue to happen until
> src.track expires (30 minutes in the mentioned situation), or until I do
> "pfctl -F Source". But if I take the second approach, I will flush all my
> references and sessions for this and all other source-track data in my
> firewall.
From pfctl(8):

    A network prefix length of 0 can be used as a wildcard. To kill all
    states with the target ``host2'':

        # pfctl -k 0.0.0.0/0 -k host2

So why don't you kill all states to the dead pool member right after removing it from the <lb> table?
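The two-step drain suggested above (remove the member from the table, then kill the states still targeting it), as an added example script that is not part of the thread. It assumes OpenBSD pfctl(8); the `PFCTL` variable and the `drain_member`/`valid_ipv4` helper names are this example's own.

```shell
#!/bin/sh
# Added example: drain a pool member from a pf load-balancing table.
# $PFCTL can be overridden (e.g. PFCTL=echo) to preview the commands.
: "${PFCTL:=pfctl}"

# Accept only a plain dotted-quad IPv4 address, because the value is
# handed straight to pfctl.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# drain_member TABLE IP
# 1. Delete the member from the table so no new connection is balanced to it.
# 2. Kill the existing states whose destination is that member: the first
#    -k is the source (0.0.0.0/0 = any host), the second -k the destination.
drain_member() {
    table=$1
    ip=$2
    valid_ipv4 "$ip" || { echo "drain_member: bad address '$ip'" >&2; return 2; }
    "$PFCTL" -t "$table" -T del "$ip" || return 1
    "$PFCTL" -k 0.0.0.0/0 -k "$ip" || return 1
}
```

Run as `drain_member lb 10.0.0.2` on the firewall; a member already absent from the table is reported by pfctl and the state kill still runs only if the delete succeeded.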