PF, dup-to and arp requests

Miłosz Kaniewski
uname -a:
OpenBSD openbsd58.kvm 5.8 GENERIC#1385 amd64
Also tested on OpenBSD 4.5.

Hello,

I have a little problem with pf and the 'dup-to' option.
First, an ASCII diagram of my network:

+----------+        +-----------+        +----------+
|          |     em0|           |em1     |          |
|  host1   +--------+  OpenBSD  +--------+  host2   |
|          |        |           |        |          |
+----------+        +-----------+        +----------+
                          |em2
                          |
                          |
                          v


And there is only one rule in my pf.conf:
pass out on em1 dup-to em2 no state

Let's say I send a ping from host1 to host2. Two things may happen:
1. If OpenBSD has information about host2's IP in the ARP table then
   everything works well. The original ping packet arrives on host2 and
   the duplicated packet is correctly placed on the em2 interface.
2. If OpenBSD doesn't have information about host2's IP in the ARP table
   then an ARP request needs to be sent. But this ARP request is only sent
   through the em2 interface, not through the em1 interface. As a result
   there is no valid ARP response and the ping packet doesn't know how to
   reach host2. So both the original and duplicated packets are dropped.

In my opinion the second behaviour is not proper because the dup-to option
shouldn't affect the original packet. The ARP request should normally be
sent through the em1 interface as it would be if the 'dup-to' option
weren't used.

I don't know if this is a bug or rather a consequence of some
implementation design. I will be very grateful for any clarifications or
comments.

Regards,

Miłosz Kaniewski
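A small diagnostic that reproduces the check the poster describes, added here as an illustration and not part of the original post or of pf/OpenBSD. It takes one `tcpdump -n -i <iface> arp` capture per interface (the captures below are constructed, with hypothetical addresses: host2 is 10.0.2.2 and em1 is 10.0.2.1) and reports whether the ARP who-has for host2 left the real egress interface em1, left only the dup-to target em2 (the behaviour reported above), or was never sent because the entry was already cached (case 1 in the post).

```python
"""Classify on which interface the ARP request for host2 was emitted.

Usage on the box in the thread would be: capture ARP on em1 and em2 with
`tcpdump -n -i em1 arp` / `tcpdump -n -i em2 arp` while pinging host2 with
no cached ARP entry, then pass the two line lists to classify_dup_to_arp().
"""
import re
from collections import defaultdict

# tcpdump -n prints an ARP request as:
#   "<ts> ARP, Request who-has <target> tell <sender>, length <n>"
ARP_REQUEST = re.compile(
    r"ARP, Request who-has (?P<target>\d+\.\d+\.\d+\.\d+) tell (?P<sender>\S+)"
)


def arp_requests_by_interface(captures):
    """captures: {iface: [tcpdump lines]} -> {target_ip: {iface: count}}."""
    seen = defaultdict(lambda: defaultdict(int))
    for iface, lines in captures.items():
        for line in lines:
            m = ARP_REQUEST.search(line)
            if m:
                seen[m.group("target")][iface] += 1
    return {ip: dict(ifaces) for ip, ifaces in seen.items()}


def classify_dup_to_arp(captures, host2_ip, out_iface, dup_iface):
    """Return one of:
       'resolved-correctly' : who-has host2 went out the real egress (out_iface)
       'arp-only-on-dup-to' : who-has host2 went out only the dup-to target
                              (the behaviour reported in the thread)
       'no-arp-request'     : no request at all (entry already in the ARP table)
    """
    per_iface = arp_requests_by_interface(captures).get(host2_ip, {})
    if per_iface.get(out_iface, 0) > 0:
        return "resolved-correctly"
    if per_iface.get(dup_iface, 0) > 0:
        return "arp-only-on-dup-to"
    return "no-arp-request"


# Constructed captures (hypothetical addresses, not from the original post).
# Case 2 from the post: the who-has for host2 appears on em2 only, and an
# unrelated request on em1 shows the filter keys on the target address.
BUGGY_CAPTURE = {
    "em1": [
        "12:00:00.000000 ARP, Request who-has 10.0.2.9 tell 10.0.2.1, length 28",
    ],
    "em2": [
        "12:00:00.000100 ARP, Request who-has 10.0.2.2 tell 10.0.2.1, length 28",
        "12:00:01.000100 ARP, Request who-has 10.0.2.2 tell 10.0.2.1, length 28",
    ],
}

# What the poster expects: the who-has leaves em1 and host2 answers there.
EXPECTED_CAPTURE = {
    "em1": [
        "12:00:00.000100 ARP, Request who-has 10.0.2.2 tell 10.0.2.1, length 28",
        "12:00:00.000400 ARP, Reply 10.0.2.2 is-at 00:00:5e:00:53:02, length 28",
    ],
    "em2": [],
}

if __name__ == "__main__":
    for name, cap in (("buggy", BUGGY_CAPTURE), ("expected", EXPECTED_CAPTURE)):
        print(name, "->", classify_dup_to_arp(cap, "10.0.2.2", "em1", "em2"))
```

The verdict `arp-only-on-dup-to` is the concrete symptom to attach to a bug report: the resolver's broadcast is visible on the dup-to target but never on the interface the route actually uses, which is why no reply ever comes back.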