Hello,

On Wed, 3 Jun 2020 23:30:56 +0200
Alexandr Nedvedicky <alexandr.nedvedi...@oracle.com> wrote:
> I'm OK with your change.

Thank you for your review and comment.

> However I would like to ask you to do yet another test. I wonder if things
> will eventually work on unfixed PF if rules will be constructed as follows:
>
> pfctl -a test -t LB -T add 10.0.0.11@pair102
>
> echo 'pass in on rdomain 102 quick proto tcp to 10.0.0.101 port 8080 \
> keep state ( sloppy ) route-to <LB> \
> least-states sticky-address' |pfctl -a test -f -
>
> echo 'anchor test' | pfctl -f -
>
> pfctl -e
>
> I suspect the bug you've found and fixed happens when pfctl loads rules
> from pf.conf. I think the steps above will take a different route
> through the code, which avoids pfr_ina_define() (a.k.a. transactions).

I've tested it before the diff and after. Both tests were OK.

# pfctl -sr -a test
pass in quick on rdomain 102 inet proto tcp from any to 10.0.0.101 port = 8080 flags S/SA keep state (sloppy) route-to <LB> least-states sticky-address
# pfctl -a test -tLB -Tshow
10.0.0.11@pair102
#

$ doas route -T 101 exec telnet 10.0.0.101 8080
Trying 10.0.0.101...
Connected to 10.0.0.101.
Escape character is '^]'.
^]
telnet> close
Connection closed.
$

> I don't have a test system readily available and I'm just curious
> if anything changes or not. Thanks for finding that for me.
>
> As I've said I think your change should go in.
>
> OK sashan

Thanks,