From snar@pf2.eltel.net  Mon Aug 22 10:03:37 2005
Return-Path: <snar@pf2.eltel.net>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 8017F16A41F
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 22 Aug 2005 10:03:37 +0000 (GMT)
	(envelope-from snar@pf2.eltel.net)
Received: from pf2.eltel.net (pf2.eltel.net [81.222.255.3])
	by mx1.FreeBSD.org (Postfix) with ESMTP id ADD7243D45
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 22 Aug 2005 10:03:36 +0000 (GMT)
	(envelope-from snar@pf2.eltel.net)
Received: from pf2.eltel.net (localhost [127.0.0.1])
	by pf2.eltel.net (8.13.3/8.13.1) with ESMTP id j7MA3Y2A026277
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 22 Aug 2005 14:03:34 +0400 (MSD)
	(envelope-from snar@pf2.eltel.net)
Received: (from root@localhost)
	by pf2.eltel.net (8.13.3/8.13.1/Submit) id j7MA3X5D026276;
	Mon, 22 Aug 2005 14:03:33 +0400 (MSD)
	(envelope-from snar)
Message-Id: <200508221003.j7MA3X5D026276@pf2.eltel.net>
Date: Mon, 22 Aug 2005 14:03:33 +0400 (MSD)
From: Alexandre Snarskii <snar@eltel.net>
Reply-To: Alexandre Snarskii <snar@eltel.net>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: pfsync man page corrections
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         85209
>Category:       docs
>Synopsis:       pfsync(4) man page corrections
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    glebius
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Aug 22 10:10:16 GMT 2005
>Closed-Date:    Thu Aug 10 10:15:38 GMT 2006
>Last-Modified:  Thu Aug 10 10:15:38 GMT 2006
>Originator:     Alexandre Snarskii
>Release:        FreeBSD 5.4-STABLE i386
>Organization:
Eltel JSC
>Environment:

System: FreeBSD pf2.eltel.net 5.4-STABLE FreeBSD 5.4-STABLE #0: Sat Aug 20 14:59:12 MSD 2005 root@pf2.eltel.net:/usr/obj/usr/src/sys/PF i386


>Description:
	
The manual page for pfsync clearly states that:
     State change messages are sent out on the synchronisation interface using
     IP multicast packets.  The protocol is IP protocol 240, PFSYNC, and the
     multicast group used is 224.0.0.240.
but, for IP multicast to work, the interface needs to be configured with an
IP address. (I spent over one hour recognising why it does not work
without an IP address.)
Another place in the pfsync man page that should be upgraded is the next one:
     pf(4) must also be configured to allow pfsync and carp(4) traffic
     through.  The following should be added to the top of /etc/pf.conf:

           pass quick on { sis2 } proto pfsync
           pass on { sis0 sis1 } proto carp keep state

That's OK, but if the user then uncomments the next example in /etc/pf.conf:
           block in log all
CARP packets will be blocked by the firewall. And, as they will be
blocked, both firewalls will become master, and this usually leads to
NAT'ed sessions dropping.
So, I propose to rewrite the next line in the example
           pass on { sis0 sis1 } proto carp keep state
as
           pass quick on { sis0 sis1 } proto carp keep state



>How-To-Repeat:
>Fix:

Proposed changes are: after the phrase "The protocol is IP protocol 240,
PFSYNC, and the multicast group used is 224.0.0.240." add the note:
"Note: for IP multicast to work, the synchronisation interface must be configured
with an IP address".
Another change is to rewrite: 
           pass on { sis0 sis1 } proto carp keep state
as 
           pass quick on { sis0 sis1 } proto carp keep state

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->patched 
State-Changed-By: glebius 
State-Changed-When: Tue Jun 6 12:29:59 UTC 2006 
State-Changed-Why:  
Manual page updated in HEAD. 


Responsible-Changed-From-To: freebsd-doc->glebius 
Responsible-Changed-By: glebius 
Responsible-Changed-When: Tue Jun 6 12:29:59 UTC 2006 
Responsible-Changed-Why:  
my. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=85209 
State-Changed-From-To: patched->closed 
State-Changed-By: glebius 
State-Changed-When: Thu Aug 10 10:12:04 UTC 2006 
State-Changed-Why:  
Merged to RELENG_6. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=85209 
>Unformatted:
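The rule-ordering point behind this PR (pf walks the ruleset top to bottom and the last matching rule wins, unless a matching rule carries "quick", which stops evaluation at once) can be checked without a second firewall. The following is an added example written for this page; it is not code from the PR, from pfsync(4) or from pf itself. It is a small Python model of that evaluation order covering only the pf.conf subset that appears in the man page excerpt (pass/block, quick, in/out, "on" with an interface list, "proto", "log", "all", "keep state"). The interface names sis0, sis1 and sis2 come from the page; the Rule and Packet classes and the evaluate() function are this example's own names. Stateful tracking and address matching are deliberately not modelled.

```python
"""Toy model of pf rule evaluation (not pf's code): rules are read top to
bottom and the LAST matching rule decides, except that a matching rule
marked ``quick`` ends evaluation immediately."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                        # "pass" or "block"
    quick: bool = False
    direction: Optional[str] = None    # "in", "out" or None for both
    ifaces: Optional[frozenset] = None  # None means any interface
    proto: Optional[str] = None        # None means any protocol


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet arrives on / leaves from
    direction: str    # "in" or "out"
    proto: str        # e.g. "carp" or "pfsync"


def parse_rule(line: str) -> Rule:
    """Parse the small pf.conf subset used in the pfsync(4) examples."""
    tokens = line.split()
    action = tokens.pop(0)
    if action not in ("pass", "block"):
        raise ValueError(f"unsupported action: {action}")
    quick, direction, ifaces, proto = False, None, None, None
    while tokens:
        tok = tokens.pop(0)
        if tok == "quick":
            quick = True
        elif tok in ("in", "out"):
            direction = tok
        elif tok == "on":
            nxt = tokens.pop(0)
            if nxt == "{":                      # interface list: { a b }
                names = []
                while (name := tokens.pop(0)) != "}":
                    names.append(name)
                ifaces = frozenset(names)
            else:
                ifaces = frozenset([nxt])
        elif tok == "proto":
            proto = tokens.pop(0)
        elif tok in ("all", "log"):
            continue                            # no effect on matching here
        elif tok == "keep":
            tokens.pop(0)                       # "state": does not alter matching
        else:
            raise ValueError(f"unsupported token: {tok}")
    return Rule(action, quick, direction, ifaces, proto)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.ifaces is not None and pkt.iface not in rule.ifaces:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    return True


def evaluate(ruleset: List[str], pkt: Packet) -> str:
    """Return "pass" or "block" for pkt under pf's last-match-wins rule.

    pf's implicit default when no rule matches is pass."""
    decision = "pass"
    for line in ruleset:
        rule = parse_rule(line)
        if not matches(rule, pkt):
            continue
        decision = rule.action
        if rule.quick:          # quick: stop here, later rules are not consulted
            break
    return decision


# Rules as pfsync(4) shows them, followed by the "block in log all" line the
# submitter says users uncomment further down /etc/pf.conf.
AS_DOCUMENTED = [
    "pass quick on { sis2 } proto pfsync",
    "pass on { sis0 sis1 } proto carp keep state",
    "block in log all",
]

# Same ruleset with the change proposed in this PR.
AS_PROPOSED = [
    "pass quick on { sis2 } proto pfsync",
    "pass quick on { sis0 sis1 } proto carp keep state",
    "block in log all",
]

if __name__ == "__main__":
    # Constructed sample packets: a CARP advertisement arriving on sis0 and
    # a pfsync message arriving on the sync interface sis2.
    for pkt in (Packet("sis0", "in", "carp"), Packet("sis2", "in", "pfsync")):
        print(pkt, "documented:", evaluate(AS_DOCUMENTED, pkt),
              "proposed:", evaluate(AS_PROPOSED, pkt))
```

Running it shows the asymmetry the submitter describes: with the documented rules an inbound CARP advertisement on sis0 first matches the pass rule and is then overridden by the later "block in log all", while the pfsync rule survives only because it already carries "quick". With "quick" on the CARP rule as well, the block line never gets a say for CARP on sis0/sis1 but still applies to everything else, including CARP arriving on the wrong interface. Because "block in" affects only inbound traffic, each node keeps sending advertisements but never receives its peer's, which is why both end up believing they are master.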
