Filtering CARP interface(s) and 'set skip on lo0'

Kian Mohageri kian.mohageri at gmail.com
Mon May 19 03:38:21 UTC 2008


Hey all,

I'm trying to clean up my PF rulesets, and I noticed today that a CARP
master connecting to itself (on the CARP IP address) appears to be
filtered even when 'set skip on lo0' is in effect.

At first I suspected that maybe CARP Master to itself is routed
differently in FreeBSD (so it wouldn't actually be on lo0), but a
tcpdump seems to say otherwise.  That is:

> ifconfig carp0
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
	inet 67.201.255.210 netmask 0xffffffe0
	carp: MASTER vhid 1 advbase 1 advskew 10

> sudo tcpdump -c 3 -n -i lo0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo0, link-type NULL (BSD loopback), capture size 96 bytes
20:36:40.522108 IP 67.201.255.210.65404 > 67.201.255.210.53: 2673+ A?
daapiak-mtv.flux.com. (38)
20:36:40.522569 IP 67.201.255.210.53 > 67.201.255.210.65404: 2673
4/9/3 CNAME[|domain]
20:36:40.724506 IP 67.201.255.210.65404 > 67.201.255.210.53: 20823+
PTR? 240.189.73.209.


I tried the archives but couldn't find an explanation about why 'set
skip on lo0' wouldn't apply here, so I'm wondering if any of you could
point me in the right direction.  The simple answer would be for me to
simply filter a little differently so the MASTER can talk to itself,
but I figured this could be a learning experience too.

Is this intended FreeBSD-specific behavior, and if so, what is the
recommended way to deal with it?

Thanks for any pointers,

Kian
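One way to check which interface and rule pf actually charged the blocked packets to (added here as an example; it is not part of the original post). It assumes the blocking rule carries `log` so the packets show up on pflog0, and the sample lines are constructed in pf's standard pflog format, not taken from a real capture:

```shell
# Parse pflog output (as printed by 'tcpdump -n -e -ttt -i pflog0') and report
# which interface and rule number pf charged each blocked packet to.  If the
# blocked loopback traffic is charged to an interface other than lo0, then
# 'set skip on lo0' was never consulted for it.  SAMPLE_PFLOG is constructed.
SAMPLE_PFLOG='00:00:00.000000 rule 7/0(match): block in on carp0: 67.201.255.210.65404 > 67.201.255.210.53: UDP, length 38
00:00:00.000213 rule 7/0(match): block in on carp0: 67.201.255.210.65404 > 67.201.255.210.53: UDP, length 40
00:00:00.000100 rule 2/0(match): pass in on lo0: 127.0.0.1.22 > 127.0.0.1.51234: tcp 0'

# blocked_by_iface LOG: prints one line "iface rule count" per blocked pair
blocked_by_iface() {
    printf '%s\n' "$1" | awk '
        $2 == "rule" && $4 == "block" {
            split($3, r, "/")                 # "7/0(match):" -> rule number 7
            iface = $7; sub(/:$/, "", iface)  # "carp0:" -> carp0
            count[iface " " r[1]]++
        }
        END { for (k in count) print k, count[k] }' | sort
}

# skip_mismatch LOG IFACE: succeeds (and prints the offending lines) when pf
# blocked traffic it charged to IFACE, an interface a 'set skip on IFACE'
# line should have exempted entirely.
skip_mismatch() {
    blocked_by_iface "$1" | awk -v i="$2" '$1 == i { found = 1; print } END { exit !found }'
}

# Usage with the constructed sample: shows the blocks were charged to carp0,
# so checking lo0 against the skip list finds nothing.
blocked_by_iface "$SAMPLE_PFLOG"
skip_mismatch "$SAMPLE_PFLOG" lo0 || echo "no blocked packets charged to lo0"
```

On a live box, replace the sample with `tcpdump -n -e -ttt -i pflog0` output captured while reproducing the lookup; `pfctl -vvsr` maps the reported rule number back to the rule text.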