Filtering CARP interface(s) and 'set skip on lo0'

Kian Mohageri kian.mohageri at gmail.com
Mon May 19 14:27:10 UTC 2008


On Mon, May 19, 2008 at 2:11 AM, Max Laier <max at love2party.net> wrote:
> On Monday 19 May 2008 05:38:20 Kian Mohageri wrote:
>> Hey all,
>>
>> I'm trying to clean up my PF rulesets, and I noticed today that a CARP
>> master connecting to itself (on the CARP IP address) appears to be
>> filtered even when 'set skip on lo0' is in effect.
>>
>> At first I suspected that maybe CARP Master to itself is routed
>> differently in FreeBSD (so it wouldn't actually be on lo0), but a
>> tcpdump seems to say otherwise.  That is:
>>
>> > ifconfig carp0
>> carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
>>       inet 67.201.255.210 netmask 0xffffffe0
>>       carp: MASTER vhid 1 advbase 1 advskew 10
>>
>> > sudo tcpdump -c 3 -n -i lo0
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on lo0, link-type NULL (BSD loopback), capture size 96 bytes
>> 20:36:40.522108 IP 67.201.255.210.65404 > 67.201.255.210.53: 2673+ A? daapiak-mtv.flux.com. (38)
>> 20:36:40.522569 IP 67.201.255.210.53 > 67.201.255.210.65404: 2673 4/9/3 CNAME[|domain]
>> 20:36:40.724506 IP 67.201.255.210.65404 > 67.201.255.210.53: 20823+ PTR? 240.189.73.209.
>
> Just because the packets show up on lo0 "sometime" doesn't mean that they
> won't pass through other interfaces before or after.  CARP is special in
> that respect and needs special attention.
>

Does it pass through the CARP interface or does PF just think so?
Tcpdump on carp0 doesn't show anything, and tcpdump on a CARP
interface that's in "backup" only shows the advertisements of the
master, which is why I am/was confused.

-Kian

PS:  Thank you for updating pf in 7.0!
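[Editor's note, not part of the thread above.] The question Kian raises ("does it pass through the CARP interface or does PF just think so?") can be answered from pf itself rather than from tcpdump on carp0: when a rule has the log keyword, the pflog header pf writes for each logged packet records the interface pf attributed the packet to, and tcpdump -e on pflog0 prints it ("pass in on carp0: ..."). The script below is an added example, not code from the thread or from FreeBSD. It assumes a FreeBSD host with pf and pflog0 enabled and root for pfctl/tcpdump; the rule numbers, interface names and addresses in the embedded sample are constructed to show the parsing and are not a real capture.

```shell
#!/bin/sh
# Added example: find out which interface pf believes a self-connection to the
# CARP address traverses, by reading pf's own log header instead of sniffing.
# Assumes FreeBSD pf with pflog0 enabled (pflog_enable="YES" in rc.conf).
#
# 1. Load a temporary ruleset that logs every state-creating packet pf sees.
#    With 'set skip on lo0' still in place, anything that shows up in pflog
#    was, by definition, evaluated on some interface other than lo0:
#
#      set skip on lo0
#      pass log all
#
#    pfctl -f /etc/pf.conf.debug
#
# 2. Reproduce the CARP-master-to-itself connection (e.g. a DNS query to the
#    CARP address) while watching pflog0 with the pflog header printed (-e):
#
#      tcpdump -n -e -ttt -i pflog0 host 67.201.255.210 and port 53
#
# 3. Feed that output through pflog_ifaces to tally interfaces per packet.

pflog_ifaces() {
    # A pflog line with -e looks like:
    #   000412 rule 1/0(match): pass in on carp0: 67.201.255.210.65404 > ...
    # Pull out the word between "on " and the following ":" (the interface
    # pf attributed the packet to), then count occurrences per interface.
    sed -n 's/.*(match): [a-z]* [a-z]* on \([^:]*\):.*/\1/p' | sort | uniq -c | sort -rn
}

# Constructed sample of 'tcpdump -n -e -ttt -i pflog0' output (not a real
# capture; rule numbers and the interface are illustrative). Lets the parser
# be exercised on a machine without pf.
SAMPLE='000000 rule 1/0(match): pass out on carp0: 67.201.255.210.65404 > 67.201.255.210.53: 2673+ A? example.com. (38)
000412 rule 1/0(match): pass in on carp0: 67.201.255.210.65404 > 67.201.255.210.53: 2673+ A? example.com. (38)
000057 rule 1/0(match): pass out on carp0: 67.201.255.210.53 > 67.201.255.210.65404: 2673 4/9/3 CNAME[|domain]'

# Usage on a live box:   tcpdump -n -e -ttt -i pflog0 | pflog_ifaces
# Usage on the sample:   printf '%s\n' "$SAMPLE" | pflog_ifaces
```

Whatever interface names come back is where the packet was actually filtered, so that is the interface the ruleset has to cover explicitly; an empty result with the rules above means pf never evaluated the packet outside lo0. Remember to reload the real ruleset afterwards, since 'pass log all' is wide open.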

