Date: Mon, 19 May 2008 07:27:03 -0700
From: "Kian Mohageri" <kian.mohageri@gmail.com>
To: "Max Laier" <max@love2party.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: Filtering CARP interface(s) and 'set skip on lo0'
Message-ID: <fee88ee40805190727m31094392yef21caac20ec97b8@mail.gmail.com>
In-Reply-To: <200805191111.18113.max@love2party.net>
References: <fee88ee40805182038t71446la85f2c799e14b9dd@mail.gmail.com> <200805191111.18113.max@love2party.net>

On Mon, May 19, 2008 at 2:11 AM, Max Laier <max@love2party.net> wrote:
> On Monday 19 May 2008 05:38:20 Kian Mohageri wrote:
>> Hey all,
>>
>> I'm trying to clean up my PF rulesets, and I noticed today that a CARP
>> master connecting to itself (on the CARP IP address) appears to be
>> filtered even when 'set skip on lo0' is in effect.
>>
>> At first I suspected that maybe CARP Master to itself is routed
>> differently in FreeBSD (so it wouldn't actually be on lo0), but a
>>
>> tcpdump seems to say otherwise. That is:
>> > ifconfig carp0
>>
>> carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
>> inet 67.201.255.210 netmask 0xffffffe0
>> carp: MASTER vhid 1 advbase 1 advskew 10
>>
>> > sudo tcpdump -c 3 -n -i lo0
>>
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol
>> decode listening on lo0, link-type NULL (BSD loopback), capture size 96
>> bytes 20:36:40.522108 IP 67.201.255.210.65404 > 67.201.255.210.53:
>> 2673+ A? daapiak-mtv.flux.com. (38)
>> 20:36:40.522569 IP 67.201.255.210.53 > 67.201.255.210.65404: 2673
>> 4/9/3 CNAME[|domain]
>> 20:36:40.724506 IP 67.201.255.210.65404 > 67.201.255.210.53: 20823+
>> PTR? 240.189.73.209.
>
> Just because the packets show up on lo0 "sometime" doesn't mean that they
> won't pass through other interfaces before or after. CARP is special in
> that respect and needs special attention.
>

Does it pass through the CARP interface or does PF just think so?
Tcpdump on carp0 doesn't show anything, and tcpdump on a CARP
interface that's in "backup" only shows the advertisements of the
master, which is why I am/was confused.

-Kian

PS: Thank you for updating pf in 7.0!