Hi,

Actually, it is enough to clear the tree of source tracking nodes right after syncing tables, so the sticky-address is stored again. Unfortunately there is one disadvantage: all sources will be flushed, so some connections can be assigned to different hosts.
But I think it's better than leaving it unattended.

The appropriate diff is below and should work with all versions of relayd and hoststated, with a small change regarding variable naming:

Index: usr.sbin/relayd/pfe_filter.c
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/pfe_filter.c,v
retrieving revision 1.26
diff -u -r1.26 pfe_filter.c
--- usr.sbin/relayd/pfe_filter.c        7 May 2008 01:49:29 -0000       1.26
+++ usr.sbin/relayd/pfe_filter.c        16 May 2008 13:09:06 -0000
@@ -225,6 +225,10 @@
       if (ioctl(env->sc_pf->dev, DIOCRSETADDRS, &io) == -1)
               fatal("sync_table: cannot set address list");

+       if (rdr->conf.flags & F_STICKY)
+               if (ioctl(env->sc_pf->dev, DIOCCLRSRCNODES, 0) == -1)
+ fatal("sync_table: cannot clear the tree of source tracking nodes");
+
       free(addlist);

       log_debug("sync_table: table %s: %d added, %d deleted, %d changed",
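Review bot: DIOCCLRSRCNODES flushes every source node in pf, not only the ones created by this redirect, and sync_table() runs on every table change, so all sticky mappings (and any source tracking other rules rely on) are reset each time a host flaps; that is the disadvantage mentioned above. Consider restricting the clear to syncs that actually deleted hosts (the deleted count logged just below is at hand), or killing only the nodes whose destination is the removed address via DIOCKILLSRCNODES, so clients pinned to surviving hosts keep their mapping. Style: the two nested `if`s can be one condition, `if ((rdr->conf.flags & F_STICKY) && ioctl(env->sc_pf->dev, DIOCCLRSRCNODES, 0) == -1)`, and the `fatal()` line has lost its indentation in the mail.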



best regards
MichaE Koc
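To illustrate the selective alternative to flushing everything (the pfctl -K route Per-Olov mentions), here is an added example that is not part of this thread nor of relayd: a POSIX shell dry run that reads a `pfctl -s sources` listing, picks the source-tracking entries whose sticky target is the host that went down, and prints the per-entry `pfctl -K src -K dst` commands instead of executing them. The listing is a constructed sample; its `src -> dst ( ... )` line format and the two-`-K` form of pfctl are assumptions about OpenBSD's pfctl.

```shell
#!/bin/sh
# Constructed sample of `pfctl -s sources` output (line format assumed
# from OpenBSD's pfctl; on a real firewall this comes from pfctl itself).
SAMPLE_SOURCES='172.16.5.10 -> 10.0.0.1 ( states 1, connections 0, rate 0.0/0s )
172.16.5.11 -> 10.0.0.2 ( states 3, connections 0, rate 0.0/0s )
172.16.5.12 -> 10.0.0.1 ( states 0, connections 0, rate 0.0/0s )
192.0.2.7 -> 0.0.0.0 ( states 2, connections 0, rate 0.0/0s )'

# Read a source listing on stdin and print "source target" for every
# entry whose sticky target is the given (dead) host. Verbose detail
# lines (no "->" in the second field) are skipped.
stale_sources() {
    dead="$1"
    awk -v dead="$dead" '$2 == "->" && $3 == dead { print $1, $3 }'
}

# Emit the pfctl invocations that would remove only those entries
# (first -K is the source, second -K is the target) without running them,
# so entries pinned to surviving hosts are left alone.
kill_commands() {
    dead="$1"
    stale_sources "$dead" | while read src dst; do
        printf 'pfctl -K %s -K %s\n' "$src" "$dst"
    done
}

# Dry run against the constructed sample: which entries would go away
# if 10.0.0.1 dropped out of <webhosts>.
printf '%s\n' "$SAMPLE_SOURCES" | kill_commands 10.0.0.1
```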

Per-Olov Sjöholm writes:
Hi

Is it possible to handle PF "src track" from relayd? If I use "sticky connections" in relayd (NOT layer 7) and one target host disappears, then it seems like "src track" comes into play.

When one target host (for example 10.0.0.1 below) goes down I want to clear all src track info from PF related to the target host.


Am I missing something in the man pages? Suggestions appreciated. If I remember it right, such a thing could be done in "ifstated", where a pfctl "-K" could be done...


Test file follows:
[EMAIL PROTECTED]:~#more /etc/relayd.conf
        EXT_IP=200.200.200.200
        interval 5
        timeout 1000
        table <webhosts> { 10.0.0.1 , 10.0.0.2 }

        redirect www {
                listen on $EXT_IP port 80
                listen on $EXT_IP port 443
                tag RELAYD
                sticky-address
                forward to <webhosts> timeout 500 port 22 check icmp
        }




Thanks in advance

Regards
Per-Olov
--
GPG keyID: 4DB283CE
GPG fingerprint: 45E8 3D0E DE05 B714 D549 45BC CFB4 BBE9 4DB2 83CE
GPG key: http://keyserv.nic-se.se:11371/pks/lookup?op=get&search=0xCFB4BBE94DB283CE
