Feature #14633
Cleanup states on dynamic routing changes
Description
Currently, with FRR, dynamic routing changes do not clean up old firewall states, causing traffic to flow incorrectly after new routes have converged. For a dynamic routing protocol to work with a firewall, the states have to be purged when the route changes.
Updated by Jim Pingle 9 months ago
- Project changed from pfSense Plus to pfSense Packages
- Category changed from Routing to FRR
- Release Notes deleted (Default)
This is specific to FRR, so I moved it to the FRR package.
Base system routing changes of this nature are already covered by the open feature request at #855
Updated by Jim Pingle 9 months ago
The scripting hook described at https://docs.frrouting.org/en/latest/scripting.html seems promising. If nothing else, it would be fairly easy to add support in FRR to set a path to a script and let the user supply their own Lua script to determine what happens as a half-measure.
Naturally, having our own script to check for routes and kill states on certain routing changes would be a more complete solution.
At the moment the FreeBSD port does not appear to build FRR with --enable-scripting and there is no option to enable it in the port, so that would need to be addressed first.
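A sketch of the "check for routes and kill states" idea from the comment above, as an added example that is not pfSense or FRR code. It assumes IPv4 only and a constructed "prefix next-hop" snapshot format, and it only builds the `pfctl -k` argument lists without running them.

```python
import ipaddress

# Constructed route snapshots ("prefix next-hop"), taken before and after convergence.
OLD_ROUTES = """
0.0.0.0/0     192.0.2.1
10.10.0.0/16  192.0.2.2
10.20.0.0/16  192.0.2.2
"""
NEW_ROUTES = """
0.0.0.0/0     192.0.2.1
10.10.0.0/16  192.0.2.3
10.30.0.0/16  192.0.2.3
"""

def parse_routes(text):
    """Return {IPv4Network: IPv4Address} from 'prefix next-hop' lines."""
    routes = {}
    for line in text.strip().splitlines():
        prefix, nexthop = line.split()
        routes[ipaddress.IPv4Network(prefix)] = ipaddress.IPv4Address(nexthop)
    return routes

def changed_prefixes(old, new):
    """Prefixes whose existing states may now follow a stale path."""
    # Withdrawn routes and routes whose next hop moved.
    changed = {p for p, nh in old.items() if new.get(p) != nh}
    # A newly learned more-specific route diverts traffic that an older,
    # less specific route (for example the default) used to carry.
    for p in new:
        if p not in old and any(p.subnet_of(o) for o in old):
            changed.add(p)
    return sorted(changed)

def kill_commands(prefixes):
    """Build pfctl argument lists that kill states to and from each prefix."""
    cmds = []
    for p in prefixes:
        cmds.append(["pfctl", "-k", "0.0.0.0/0", "-k", str(p)])  # any source -> prefix
        cmds.append(["pfctl", "-k", str(p)])                     # prefix as source
    return cmds

if __name__ == "__main__":
    delta = changed_prefixes(parse_routes(OLD_ROUTES), parse_routes(NEW_ROUTES))
    for cmd in kill_commands(delta):
        print(" ".join(cmd))
```

Unchanged prefixes, here the default route, produce no kill command, so unrelated states survive the routing change.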
Updated by Christopher de Haas 6 months ago
Any update on this? Without cleaning up states on route changes, routing-based redundancy is impossible to implement. I would argue any kind of dynamic routing is impossible when also running a stateful firewall without this feature.
Updated by Henniee Walterson 3 months ago
Jim Pingle wrote in #note-2:
At the moment the FreeBSD port does not appear to build FRR with --enable-scripting and there is no option to enable it in the port, so that would need to be addressed first.
I opened the request here: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=276534
Like this Lua things..