Thursday, January 31, 2019

Re: Getting traffic from rdomain X to talk to a daemon in default rdomain 0

Jiri B(jirib79@gmail.com) on 2019.01.31 22:23:34 +0100:
> Hello,
>
> I'm trying to isolate an app running on OpenBSD on network level and thus I
> have started
> the app in a specific rdomain.
>
> I can successfully make traffic from the rdomain to reach Internet:
>
> pass out quick on rdomain 1 to any nat-to (egress) rtable 0

that rule is only evaluated when the packets pass through a network
interface.

> But I cannot figure out how to make the app in this rdomain 1 to communicate
> which daemons in default rdomain (0).
>
> With above rule I would see something like this on lo0 (rdomain0):
>
> Jan 31 16:04:22.285915 199.195.x.x.60666 > 199.195.x.x.53: 14874+ NS? .(17)
>
> Tested with route -T 1 exec dig @199.195.x.x www.openbsd.org.
> It seems it does not know how to send back replies ?

yes, because rdomain 0 does not have a route to what network you have in
rdomain 1.

Btw. it's hard to talk about this without you giving the actual networks and
IPs used.

> Without 'nat-to (egress)' the replies would be just sent via default gw in
> rdomain 0:
>
> mx1# tcpdump -i vio0 -n -e -ttt icmp
> tcpdump: listening on vio0, link-type EN10MB
> Jan 31 16:08:27.053592 00:16:a1:5d:50:b6 00:12:f2:f2:1a:00 0800 98:
> 199.195.x.x > 172.16.1.2: icmp: echo reply
>
> (172.16.1.2 was the IP in rdomain 1)
>
> Any idea what would be PF rule to make this working - ie. make an app in
> rdomain X talk to daemons in rdomain 0.
>
> I also tried to use pair interfaces but I failed too.

Try this:

# set up two connected pair interfaces:
ifconfig pair8 inet 192.168.2.8/24 rdomain 8
ifconfig pair1 inet 192.168.2.1/24 rdomain 0
ifconfig pair1 patch pair8

# they now can ping each other:
ping 192.168.2.8
route -T 8 exec ping 192.168.2.1

# my em0 interface in rdomain 0 has the IP 192.168.1.52:
em0: flags=208847<UP,BROADCAST,DEBUG,RUNNING,SIMPLEX,MULTICAST,AUTOCONF6> mtu 1500
lladdr 44:c6:86:5a:c2:f7
index 1 priority 0 llprio 3
groups: egress
media: Ethernet autoselect
status: active
inet 192.168.1.52 netmask 0xffffff00 broadcast 192.168.1.255

# add a route to 192.168.1.52 to rdomain 8:
route -T 8 add 192.168.1.52 192.168.2.1
route -T 8 exec ping 192.168.1.52

# the traffic back from rdomain 0 to rdomain 8 works now, because packets
# are sent with source ip 192.168.2.8, and rdomain 0 has a route to that IP
# through pair1.

Now run your service on 192.168.1.52.

/Benno
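The steps above, generalised to any rdomain number and subnet, as an added example script (not part of Benno's mail or of OpenBSD itself). It assumes OpenBSD with root privileges for the real run; the interface names (pair$RD for the isolated side, pair1$RD for the rdomain 0 side), the 192.168.2.0/24 link subnet and the 192.168.1.52 service address are constructed values, and with DRY_RUN=1 it only prints the commands it would execute, so the logic can be checked on any host.

```shell
#!/bin/sh
# Added example: parameterised version of the pair(4) setup from the mail.
# Creates pair$RD in rdomain $RD, patches it to pair1$RD in rdomain 0, and
# adds a *host* route so that rdomain $RD can reach exactly one address in
# rdomain 0 (the daemon's), not the whole rdomain 0 network.
# Assumptions: OpenBSD, run as root. All addresses below are constructed
# sample values. DRY_RUN=1 prints the commands instead of running them.

DRY_RUN="${DRY_RUN:-0}"

# run CMD...: execute CMD, or print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# valid_rdomain N: rdomain ids are 0..255; 0 is the side we connect *to*,
# so the isolated side must be 1..255
valid_rdomain() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 255 ]
}

# valid_subnet A.B.C: first three octets of the link /24 between the rdomains
valid_subnet() {
    case "$1" in
        *.*.*.*) return 1 ;;                 # too many octets
        *[!0-9.]*|*..*|.*|*.) return 1 ;;    # non-digits or empty octets
        *.*.*) return 0 ;;
        *) return 1 ;;
    esac
}

# pair_link RD SUBNET SERVICE_IP
#   RD          rdomain holding the isolated app (1..255)
#   SUBNET      first three octets of an otherwise unused /24, e.g. 192.168.2
#   SERVICE_IP  address in rdomain 0 the daemon listens on
# Prints the commands (DRY_RUN=1) or applies them; returns non-zero on bad input.
pair_link() {
    rd="$1"; subnet="$2"; service_ip="$3"
    valid_rdomain "$rd" || { echo "bad rdomain: $rd" >&2; return 1; }
    valid_subnet "$subnet" || { echo "bad subnet: $subnet" >&2; return 1; }
    [ -n "$service_ip" ] || { echo "missing service ip" >&2; return 1; }

    iso_if="pair$rd"        # lives in rdomain $rd, e.g. pair8
    host_if="pair1$rd"      # lives in rdomain 0, e.g. pair18 (naming convention only)
    iso_ip="$subnet.$rd"    # e.g. 192.168.2.8, the source address rdomain 0 will see
    host_ip="$subnet.1"     # e.g. 192.168.2.1, next hop for the host route

    # move the interface into the rdomain before assigning addresses
    run ifconfig "$iso_if" rdomain "$rd"
    run ifconfig "$iso_if" inet "$iso_ip/24"
    run ifconfig "$host_if" inet "$host_ip/24"
    run ifconfig "$host_if" patch "$iso_if"

    # -host: a /32 route, so only the daemon's address is reachable from $rd
    run route -T "$rd" add -host "$service_ip" "$host_ip"

    # verification: the reply path works because rdomain 0 has a connected
    # route to $subnet/24 via $host_if
    run route -T "$rd" exec ping -c 1 "$service_ip"
}

# only act when invoked with arguments, so sourcing the file is side-effect free
if [ "$#" -eq 3 ]; then
    pair_link "$@"
fi
```

Nothing in this script filters traffic: the host route limits which address rdomain $RD can reach, but pf rules on pair$RD (or pair1$RD) are still where you restrict the ports the isolated app may talk to on that address. To make the setup survive a reboot, the same ifconfig keywords go into /etc/hostname.pair$RD and /etc/hostname.pair1$RD, with the rdomain line first.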
