Feature #14633
open
Cleanup states on dynamic routing changes
Added by Christopher de Haas 10 months ago.
Updated 4 months ago.
Description
Currently, with FRR, dynamic routing changes do not clean up old firewall states, causing traffic to flow incorrectly after new routes have converged. For a dynamic routing protocol to work with a firewall, the states have to be purged when the route changes.
See: https://redmine.pfsense.org/issues/14630
- Project changed from pfSense Plus to pfSense Packages
- Category changed from Routing to FRR
- Release Notes deleted (Default)
This is specific to FRR, so I moved it to the FRR package.
Base system routing changes of this nature are already covered by the open feature request at #855.
The scripting hook described at https://docs.frrouting.org/en/latest/scripting.html seems promising. If nothing else, it would be fairly easy to add support in FRR to set a path to a script and let the user supply their own Lua script to determine what happens as a half-measure.
Naturally, having our own script to check for routes and kill states on certain routing changes would be a more complete solution.
At the moment the FreeBSD port does not appear to build FRR with --enable-scripting, and there is no option to enable it in the port, so that would need to be addressed first.
Any update on this? Without cleaning up states on route changes, routing-based redundancy is impossible to implement. I would argue any kind of dynamic routing is impossible when also running a stateful firewall without this feature.
- Status changed from New to Feedback
I believe #15173 may help here since states would no longer match on the old interface after a routing change. It should be possible to apply that patch to 23.09.1 to test.