I have an architecture like the one in the attached picture,
and I have an issue with PF.
I don't know if it's a bug; if so, maybe I should post to bugs@openbsd.org.
I created a virtual network with VXLAN, it's 192.168.3.0/24.
VTEP1 and VTEP2 are connected to H3 via p2p interfaces:
10.13.11.0/30 and 10.13.12.0/30.
H3 has this route configured for 192.168.3.0/24 to VTEP1:
# route show -inet
192.168.3/24 10.13.11.2
(please find attached picture)
1) Echo request from H3 (10.13.11.1) to VM2 (192.168.3.121) is routed to VTEP1.
VTEP1# pfctl -s state
all icmp 192.168.3.121:8 <- 10.13.11.1:17863 0:0
all icmp 10.13.11.1:17863 -> 192.168.3.121:8 0:0
2) The echo request reaches VM2 via vxlan.
3) VM2 sends back the echo reply, via VTEP2, but it receives a port unreachable:
VM2# tcpdump -ni vio0 icmp
10.13.11.1 > 192.168.3.121: icmp: echo request
192.168.3.121 > 10.13.11.1: icmp: echo reply
192.168.3.12 > 192.168.3.121: icmp: 10.13.11.1 proto 1 port 62908 unreachable
PF on VTEP2 doesn't have any state associated with the echo request, so
the echo reply is not routed to H3.
If I disable PF on VTEP2 (VTEP2# pfctl -d), the echo reply is
successfully routed to H3.
I tried to configure this PF rule on VTEP2, but the result is the same:
pass inet from 192.168.3.0/24 to any no state
Even with this rule, the traffic doesn't flow from H3 to VM2 with PF enabled.
I would like to have PF enabled everywhere. Anyway, I don't know if:
1 - PF with the 'no state' rule should let the traffic flow,
which would mean that PF has a bug, or
2 - PF behaves as expected and the traffic must not flow, or
3 - the 'no state' rule is the wrong rule to let the traffic flow.
If so, I don't know what rule should be used in /etc/pf.conf.
Any thought is more than welcome.
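One way to write the stateless handling that the third question above asks about, as an added pf.conf fragment for VTEP2 that is not part of the original mail. It assumes VTEP2's overlay interface is vxlan0 (with the 192.168.3.12 address seen in the tcpdump) and that its p2p link to H3 is em1; only the ICMP echo reply is made stateless, everything else keeps the usual stateful default.

```pf
# Added example, not from the original post. Assumed names: vxlan0 is
# VTEP2's overlay interface (192.168.3.12/24 assumed), em1 is its p2p
# link towards H3 (10.13.12.0/30).
overlay = "vxlan0"
p2p_h3  = "em1"
vxnet   = "192.168.3.0/24"
h3      = "10.13.11.1"

# Usual stateful default for everything else (underlay UDP, management,
# ...). Logging the block rule makes any dropped reply visible on pflog0
# together with the rule number and the interface it was dropped on.
block return log
pass

# Asymmetric path: the echo request created its state on VTEP1, so VTEP2
# never has a state for the reply. Evaluate the reply statelessly instead.
# "no state" creates no return-direction entry, so the packet must match
# a pass rule on every interface it crosses: once inbound on the overlay
# and once outbound on the p2p link. "quick" stops later rules from
# overriding these two.
pass in  quick on $overlay inet proto icmp icmp-type echorep \
    from $vxnet to $h3 no state
pass out quick on $p2p_h3 inet proto icmp icmp-type echorep \
    from $vxnet to $h3 no state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, then watch `tcpdump -n -e -ttt -i pflog0` while pinging: a reply that is still blocked shows up there with the rule number and interface, which tells which of the two directions is missing a rule.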