Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    pfctl Anchor based approach possible?

    Scheduled Pinned Locked Moved
    Development
    firewall
    2
    3
    268
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • F
      Flole
      last edited by

      Hello everyone,

      I'm having some issues due to filter reloads causing temporary packet loss on routed UDP. That made me think about a different approach in how pfsense handles rules that might be able to solve/reduce this:

      Would it be possible to use anchors for IPv4/IPv6 so reloading the entire filter is not necessary, if an IPv6 Gateway goes down, IPv4 will not be affected by that. Of course this doesn't solve this entirely but it should make things better. Maybe it would be possible to go even further and use per-interface anchors to make the amounts of rules that need reloading even smaller.

      What do you guys think? Would this work? Would this be a valid approach? Would this help and would this be wanted?

      1 Reply Last reply Reply Quote 0
      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        Maybe you should describe your problem in more detail. UDP packet loss on filter reloads is not really a thing.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 0
        • F
          Flole
          last edited by

          When I run an iperf UDP Test that involves pfsense as router and a filter reload is done there is packet loss while the filter is reloading. This is especially annoying if an IPv6 Gateway goes down, the filter is reloaded and this affects the IPv4 Link aswell. If pfsense could selectively reload ipv6 only if an IPv6 Gateway goes down that would make things a lot easier.

          This was not meant to be a "problem post" but rather a "couldn't we improve by splitting ipv4 and ipv6 rules in 2 anchors" though. My first idea was something that could be done in iptables but not pf: Have a list of rules we want and one with rules we have and issue the commands to make them match. The closest we could get to that is probably splitting up, comparing when we want to reload and only reload if last != current.

          1 Reply Last reply Reply Quote 0
          • First post
            Last post