Date: Sun, 18 May 2008 20:38:20 -0700
From: "Kian Mohageri" <kian.mohageri@gmail.com>
To: "freebsd pf" <freebsd-pf@freebsd.org>
Subject: Filtering CARP interface(s) and 'set skip on lo0'
Message-ID: <fee88ee40805182038t71446la85f2c799e14b9dd@mail.gmail.com>
Hey all,

I'm trying to clean up my PF rulesets, and I noticed today that a CARP master connecting to itself (on the CARP IP address) appears to be filtered even when 'set skip on lo0' is in effect. At first I suspected that maybe CARP Master to itself is routed differently in FreeBSD (so it wouldn't actually be on lo0), but a tcpdump seems to say otherwise. That is:

> ifconfig carp0
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
	inet 67.201.255.210 netmask 0xffffffe0
	carp: MASTER vhid 1 advbase 1 advskew 10

> sudo tcpdump -c 3 -n -i lo0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo0, link-type NULL (BSD loopback), capture size 96 bytes
20:36:40.522108 IP 67.201.255.210.65404 > 67.201.255.210.53: 2673+ A? daapiak-mtv.flux.com. (38)
20:36:40.522569 IP 67.201.255.210.53 > 67.201.255.210.65404: 2673 4/9/3 CNAME[|domain]
20:36:40.724506 IP 67.201.255.210.65404 > 67.201.255.210.53: 20823+ PTR? 240.189.73.209.

I tried the archives but couldn't find an explanation about why 'set skip on lo0' wouldn't apply here, so I'm wondering if any of you could point me in the right direction. The simple answer would be for me to simply filter a little differently so the MASTER can talk to itself, but I figured this could be a learning experience too.

Is this intended FreeBSD-specific behavior, and if so, what is the recommended way to deal with it?

Thanks for any pointers,
Kian
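For readers following this thread, here is a pf.conf fragment showing the two ways the symptom above is usually worked around: either extend `set skip` to the CARP interface as well, or keep `set skip on lo0` and explicitly pass traffic between the CARP address and itself. This is an added, constructed example, not part of the original message or any reply. The interface name carp0 and the address 67.201.255.210 are taken from the post; everything else (the macro name, the choice of a quick pass rule, the assumption that the self-directed traffic is being matched on an interface other than lo0) is an assumption for illustration.

```pf
# Constructed example: two alternative workarounds for a CARP master
# whose traffic to its own CARP address is filtered despite 'set skip on lo0'.
# Use ONE of the two options, not both.

# --- Option A: exempt the CARP interface from filtering as well ---
# Assumption: the self-directed packets are seen by pf on carp0, not lo0,
# so skipping lo0 alone does not cover them.
set skip on { lo0 carp0 }

# --- Option B: keep the narrow skip and pass the self-traffic explicitly ---
# (comment out Option A above if you use this)
# set skip on lo0
# carp_ip = "67.201.255.210"     # CARP address from the post
# pass quick from $carp_ip to $carp_ip keep state
```

Option A is the smaller change but turns off filtering for everything arriving on or leaving via carp0, so Option B is preferable when carp0 carries externally reachable services: it leaves the normal ruleset in force and only admits packets whose source and destination are both the host's own CARP address, which is the traffic the tcpdump above shows. After editing, reload with `pfctl -f /etc/pf.conf` and confirm with `pfctl -s rules` (or `pfctl -s info` for the skip list).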