Date: Sun, 8 Nov 2015 01:03:15 +0100 From: Kristof Provost <kp@FreeBSD.org> To: =?utf-8?Q?Mi=C5=82osz?= Kaniewski <milosz.kaniewski@gmail.com> Cc: freebsd-pf@freebsd.org Subject: Re: Creating span interface using 'dup-to' option Message-ID: <20151108000315.GC2336@vega.codepro.be> In-Reply-To: <CAC4mxp77FrDvT%2B1J%2BdQqrgc_ji3vmbMZOkYnXae%2BD2L1PanK1g@mail.gmail.com> References: <CAC4mxp5ar-Kvp5238VRfKEL6FiVOg7XXzmv8fE-zdEFYRk7cAw@mail.gmail.com> <SN1PR08MB18210835207E194932EBB485BA310@SN1PR08MB1821.namprd08.prod.outlook.com> <CAC4mxp77FrDvT%2B1J%2BdQqrgc_ji3vmbMZOkYnXae%2BD2L1PanK1g@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 2015-11-07 21:36:28 (+0100), MiĆosz Kaniewski <milosz.kaniewski@gmail.com> wrote: > 2015-10-12 16:28 GMT+02:00 David DeSimone <ddesimone@verio.net>: > But unfortunately I still have a problem with 'dup-to' option. I hope you > don't > mind if I will describe it here, as it is still connected with network > scheme I > used in my first post. > > As I explained 'dup-to' option is useful only when it is used with next-hop > parameter. So in my configuration from first post I made these changes: > > pass out on em0 dup-to (em2 10.0.0.1) no state > pass out on em1 dup-to (em2 10.0.0.1) no state > > IP address 10.0.0.1 is accessible through em2 interface. And with that > configuration everything works fine and duplicated packets are send through > em2 > interface without any problems. But I tried to make a little change and used > one stateful rule: > > pass out on em1 dup-to (em2 10.0.0.1) > > And with that configuration something strange is happening. Packets are > still > duplicated and correctly sent through em2 interface but there are too much > of > them. It looks like some of the packets are duplicated to many times. Lets > say > I send ICMP ping that goes through em1. On em2 i should see two packets: > ICMP > request and ICMP reply. But I see two identical ICMP requests and one ICMP > reply. So there are 3 packets instead of two. Yeah, I see the same thing in my test setup. I'll try to investigate it soon. > I don't want to fill bug report yet. First I would like to hear your opinion > about this behaviour. And it would be great if someone would check similar > situation and confirm that this problem really exists. > It certainly looks wrong. I can also reproduce your observation that this doesn't happen when 'no state' is added to the rule. Regards, Kristof
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20151108000315.GC2336>