pf rdr traffic to a jail not visible on the actual interface.
Date: Sat, 18 Jan 2025 18:18:09 UTC
I have a jail that is just given 127.0.2.1 on the loopback interface. I've got a pf.conf rule on FreeBSD 14.1-RELEASE:
rdr pass log on $ext_if proto { udp, tcp } from any to 12.34.45.123 port 3478 -> 127.0.2.1
delivering any traffic on port 3478 nicely to a jail which has only been given (just) that 127.0.2.1 IP address.
E.g. a simple:
echo Hello World | nc 12.34.45.123 3478
from afar to a
ncx -l -b 127.0.2.1 -v 3478
on the jail confirms that this all works exactly as expected:
20250118:1911402.871 127.0.2.1:3478 12.34.45.123:37391 - Hello World\n
And this specifically also works when I bind() to 127.0.2.1 instead of 0.0.0.0.
An 'lsof' confirms that the listener is listening on 127.0.2.1:
ncx 479 root 3u IPv4 0xfffff8001e3eb000 0 TCP 127.0.2.1:3478->*:* (LISTEN)
However, if I do 'tcpdump -i lo0' on the loopback interface, I do NOT see this traffic.
A tcpdump without an '-i', i.e. on vtnet0/the main interface, shows the traffic:
18:16:38.899085 IP SENDERIP.62644 > 12.34.45.123.3478: Flags [S], seq 3693554569, win 65535, etc.
I would have expected it on lo0, and lo0 alone (and am hunting down an ICE/TURN edge case). Why is this not the case?
With kind regards,
Dw.
vtnet0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
options=4c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,TXCSUM_IPV6>
ether 00:16:3c:df:07:92
media: Ethernet autoselect (10Gbase-T <full-duplex>)
status: active
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
inet 127.0.2.1 netmask 0xffffffff
groups: lo
pflog0: flags=1000041<UP,RUNNING,LOWER_UP> metric 0 mtu 33152
options=0
groups: pflog