Hi All,

Well, after sleeping for a few hours I was able to see the problem, sort of. The issue here was that it seems that there has to be a route present to the destination, it can be a default or a more specific route. Once a route is present, pf will see that there is a route, and only then will it honor the reply-to filter option.
To get that to work however, an interface that is a reply-to target must be processed by pf, and in my case, both interfaces which I have used as targets for default routes (vio0 and vio1) were skipped by pf (set skip on vio*). To figure this out it was really helpful to enable 'set debug debug' in pf.conf.

So now there are two clear requirements in order for the reply-to filter option to work:

1) A route, any route to the destination address must be present in the routing table.
2) The interface that is the target of the default route installed must be processed by pf (it cannot be skipped), this is not necessarily the interface where reply-to will send the response packet to.

Given the above requirements, what would be a recommended way to set up a NULL route (in order to redistribute it into OSPF for example)? Should a new loopback be created with an unused address and a default route set to point to the new loopback? The only reason that I can see for doing so is because it is generally unadvisable to filter on loopback interfaces. From the pf.conf manpage on 'set skip on <ifspec>':

<snip>
This can be useful on loopback and other virtual interfaces, when packet filtering is not desired and can have unexpected effects.
</snip>

In general, is there a document that describes a little bit more in-depth the interaction of PF and the networking stack, or an in-depth description of the network stack in general? I have looked through these excellent publications by Henning Brauer, Mike Belopuhov, David Gwynne, and Claudio Jeker.

http://www.openbsd.org/papers/openkyiv08-mikeb.pdf
http://quigon.bsws.de/papers/2009/eurobsdcon-faster_packets/
http://quigon.bsws.de/papers/2010/eurobsdcon/
http://www.openbsd.org/papers/lca2011-dlg.pdf
http://quigon.bsws.de/papers/2013/vbsdcon/
http://www.openbsd.org/papers/asiabsdcon08-network.pdf

But it would be really helpful to know if there is something more. Again, I could have missed something online, so any pointers are really appreciated.
On a final note, should the pf.conf manpage be updated to describe this setup a little more? I would be willing to write a draft, but without proper knowledge of the network stack I do not want to provide any wrong information (one day I will be able to read through the code! :)).

Once again, thank you Devs for the awesome OS!

Cheers,
--peter
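
The two requirements reported in this message can be checked mechanically before relying on reply-to. The following is an added example, not part of the original post or of OpenBSD: the pf.conf fragment, routing table lines and function names are constructed for illustration, and the way a skip spec without a unit number is matched against interface names is an assumption.

```python
import ipaddress
import re

# Constructed samples: a pf.conf fragment and routing-table lines in the
# column layout of `route -n show -inet` (addresses are documentation ranges).
PF_CONF = """\
set debug debug
set skip on { lo vio }
pass in on vio1 reply-to (vio1 198.51.100.1) inet proto tcp to port 22
"""
ROUTES = """\
default            192.0.2.1          UGS        4      120     -     8 vio0
192.0.2.0/24       192.0.2.10         UCn        1        0     -     4 vio0
198.51.100.0/24    198.51.100.10      UCn        1        0     -     4 vio1
"""

def skipped_ifspecs(pf_conf):
    """Names listed in `set skip on ...` lines (comments stripped)."""
    specs = set()
    for line in pf_conf.splitlines():
        m = re.match(r"\s*set\s+skip\s+on\s+(.+)", line.split("#", 1)[0])
        if m:
            specs.update(re.findall(r"\w+", m.group(1)))
    return specs

def is_skipped(iface, specs):
    # Assumption: a spec without a unit number (e.g. "vio") covers vio0, vio1, ...
    return iface in specs or iface.rstrip("0123456789") in specs

def parse_routes(routes):
    """Yield (network, interface) pairs; unparseable destinations are ignored."""
    for line in routes.splitlines():
        f = line.split()
        if len(f) < 2:
            continue
        dest = "0.0.0.0/0" if f[0] == "default" else f[0]
        try:
            yield ipaddress.ip_network(dest, strict=False), f[-1]
        except ValueError:
            continue

def check_reply_to(pf_conf, routes, client_ip):
    """Return findings for the two requirements reported in the post."""
    findings, table = [], list(parse_routes(routes))
    addr = ipaddress.ip_address(client_ip)
    if not any(addr in net for net, _ in table):
        findings.append(f"no route covers {client_ip}")
    specs = skipped_ifspecs(pf_conf)
    for net, iface in table:
        if net.prefixlen == 0 and is_skipped(iface, specs):
            findings.append(f"default-route interface {iface} is skipped by pf")
    return findings
```

With the constructed samples, `check_reply_to(PF_CONF, ROUTES, "203.0.113.7")` reports that vio0 is skipped; narrowing the skip list to `lo` clears the finding.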