On Sat, Jan 15, 2022 at 08:10:44PM +0100, Markus Wipp wrote:
> Hi all, 
> 
> This is my first mail to an OpenBSD list, so I hope I chose the correct one.
> 
> I'm trying to get a GRE tunnel in combination with pf working for a few days now
> on my OpenBSD (OpenBSD 7.0 (GENERIC.MP) #232: Thu Sep 30 14:25:29 MDT 2021)
>  
> If I disable pf with pfctl -d the connection is working and I can ping.
> However as soon as I enable pf with pfctl -e the ping stops working (even
> with a configuration that should allow all traffic according to my understanding)
> 
> The GRE interface looks like:
> 
> gre0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1476
>       index 44 priority 0 llprio 6
>       encap: vnetid none txprio payload rxprio packet
>       groups: gre
>       tunnel: inet6 2a02:xxxx:yyy:zzz::1 --> 2a00:uuuu:vvvv:wwww::10 ttl 64 
> nodf ecn
>       inet6 fe80::20d:b9ff:fe44:ecdc%gre1051 -->  prefixlen 64 scopeid 0x2c
>       inet6 2a01:qqq:rrrr:ss::2 -->  prefixlen 128
> 
> The simplified pf-Rule looks like:
> 
> pass
> pass on gre proto gre no state

Hi Markus,

My first impression is that you're confusing where to apply policy to
the encapsulated traffic. "pass on gre proto gre" implies you're
trying to pass GRE packets as they go over gre(4) interfaces, but
it's the unencapsulated packets that go over gre(4), and the GRE
encapsulated packets will go over your "underlay" or physical
interfaces, which looks like em0 according to tcpdump.

You can see that from the tcpdump output below. When you tcpdump
on gre0 you only see icmp6 packets. That's the same as what pf sees.
When you tcpdump on em0 you see the GRE packets, which again, is what pf
will see. Note that pf will only look at the first protocol inside an IP
packet (ie, TCP, UDP, GRE, etc), it won't let you filter inside GRE
packets.

Your pass rule should let everything work though. Those two rules are
your entire ruleset?

Something like this might work better:

# pass the GRE encapsulated traffic
pass inet6 proto gre
# let ping6 over gre(4) work
pass on gre inet6 proto icmp6

The bare "pass" rule not letting this work makes me feel like there's
more to this though.

Hope this helps,
dlg

> 
> tcpdump shows the following:
> 
> doas tcpdump -nvei gre0 ip6 and icmp6 or proto gre 
> tcpdump: listening on gre0, link-type LOOP
> 19:29:15.124113 2a01:qqq:rrrr:ss::2 > 2a01:qqq:rrrr:ss::1: icmp6: echo 
> request (id:9e45 seq:18) [icmp6 cksum ok] (len 64, hlim 64)
> 19:29:16.124438 2a01:qqq:rrrr:ss::2 > 2a01:qqq:rrrr:ss::1: icmp6: echo 
> request (id:9e45 seq:19) [icmp6 cksum ok] (len 64, hlim 64)
> 19:29:17.124811 2a01:qqq:rrrr:ss::2 > 2a01:qqq:rrrr:ss::1: icmp6: echo request 
> (id:9e45 seq:20) [icmp6 cksum ok] (len 64, hlim 64)
> 
> and
> 
> doas tcpdump -nvei em0 ip6 and icmp6 or proto gre 
> tcpdump: listening on em0, link-type EN10MB
> 19:51:06.126497 00:0d:b9:44:ec:dc 34:81:c4:e0:4b:79 86dd 162: 
> 2a02:xxxx:yyy:zzz::1 > 2a00:uuuu:vvvv:wwww::10: gre [] 86dd 
> 2a01:qqq:rrrr:ss::2 > 2a01:qqq:rrrr:ss::1: icmp6: echo request (id:9e45 
> seq:1329) (len 64, hlim 64) [flowlabel 0x367f] (len 108, hlim 64)
> 19:51:07.126815 00:0d:b9:44:ec:dc 34:81:c4:e0:4b:79 86dd 162: 
> 2a02:xxxx:yyy:zzz::11 > 2a00:uuuu:vvvv:wwww::10: gre [] 86dd 
> 2a01:qqq:rrrr:ss::2 > 2a01:qqq:rrrr:ss::1: icmp6: echo request (id:9e45 
> seq:1330) (len 64, hlim 64) [flowlabel 0x367f] (len 108, hlim 64)
> 19:51:08.127252 00:0d:b9:44:ec:dc 34:81:c4:e0:4b:79 86dd 162: 
> 2a02:xxxx:yyy:zzz::1 > 2a00:uuuu:vvvv:wwww::10: gre [] 86dd 
> 2a01:qqq:rrrr:ss::2 > 2a01:qqq:rrrr:ss::1: icmp6: echo request (id:9e45 
> seq:1331) (len 64, hlim 64) [flowlabel 0x367f] (len 108, hlim 64)
> 
> 
> And 
> 
> doas tcpdump -nvei pflog0                                 
> tcpdump: WARNING: snaplen raised from 116 to 160
> tcpdump: listening on pflog0, link-type PFLOG
> 19:55:03.962579 rule 0/(ip-option) [uid 0, pid 74650] pass in on em0: 
> 2a00:uuuu:vvvv:wwww::10 > 2a02:xxxx:yyy:zzz::1: DSTOPT (type 0x04: len=1) gre 
> [] 86dd [|ip6] [flowlabel 0xa8f7b] (len 116, hlim 243)
> 19:55:04.964864 rule 0/(ip-option) [uid 0, pid 74650] pass in on em0: 
> 2a00:uuuu:vvvv:wwww::10 > 2a02:xxxx:yyy:zzz::1: DSTOPT (type 0x04: len=1) gre 
> [] 86dd [|ip6] [flowlabel 0xa8f7b] (len 116, hlim 243)
> 19:55:05.963947 rule 0/(ip-option) [uid 0, pid 74650] pass in on em0: 
> 2a00:uuuu:vvvv:wwww::10 > 2a02:xxxx:yyy:zzz::1: DSTOPT (type 0x04: len=1) gre 
> [] 86dd [|ip6] [flowlabel 0xa8f7b] (len 116, hlim 243)
> 
> 
> Thanks in advance for any hints on how to solve this issue
> 
> Best regards
> Markus
> 
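One thing worth checking in the pflog output quoted above is the reason field: every record reads "rule 0/(ip-option) ... pass in on em0". In pf the logged action is the matching rule's own action, but the reason records why pf actually disposed of the packet, and "ip-option" is the reason pf uses when it drops a packet because it carries IPv4 options or IPv6 extension-header options (here a DSTOPT header) and the pass rule does not carry allow-opts (pf.conf(5)). The script below is an added example for triaging such logs, not code from the thread or from OpenBSD: it parses `tcpdump -nvei pflog0` lines, flags records where a pass rule was logged but the packet was nonetheless dropped, and tallies effective actions. The sample lines are constructed from the thread's anonymised addresses, re-joined onto single lines, plus two ordinary "(match)" records for contrast; the regex and helper names are mine.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -nvei pflog0` output. The first two records
# mirror the ones quoted in the thread (anonymised addresses kept as-is); the
# last two are made-up ordinary "(match)" records for comparison.
SAMPLE_PFLOG = """\
19:55:03.962579 rule 0/(ip-option) [uid 0, pid 74650] pass in on em0: 2a00:uuuu:vvvv:wwww::10 > 2a02:xxxx:yyy:zzz::1: DSTOPT (type 0x04: len=1) gre [] 86dd [|ip6] [flowlabel 0xa8f7b] (len 116, hlim 243)
19:55:04.964864 rule 0/(ip-option) [uid 0, pid 74650] pass in on em0: 2a00:uuuu:vvvv:wwww::10 > 2a02:xxxx:yyy:zzz::1: DSTOPT (type 0x04: len=1) gre [] 86dd [|ip6] [flowlabel 0xa8f7b] (len 116, hlim 243)
19:55:05.100000 rule 1/(match) pass out on em0: 2a02:xxxx:yyy:zzz::1 > 2a00:uuuu:vvvv:wwww::10: gre [] 86dd [|ip6] (len 108, hlim 64)
19:55:06.200000 rule 2/(match) block in on em0: 2001:db8::bad > 2a02:xxxx:yyy:zzz::1: [|tcp] (len 40, hlim 50)
"""

# Shape of a pflog record as tcpdump prints it (hypothetical regex written
# for this example; the "[uid .., pid ..]" part is only present on some lines).
PFLOG_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) "
    r"rule (?P<rule>\d+)/\((?P<reason>[^)]+)\) "
    r"(?:\[uid \d+, pid \d+\] )?"
    r"(?P<action>pass|block|match) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)

# pflog reasons under which pf drops the packet even though the record shows
# the matching rule's action. "ip-option" is the one visible in the thread:
# bad IP options / IPv6 extension-header options without allow-opts.
DROP_REASONS = {"ip-option"}


def parse_pflog_line(line):
    """Parse one pflog tcpdump line into a dict, or None if it is not a record."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["rule"] = int(entry["rule"])
    rest = entry.pop("rest")
    # IPv6 extension headers tcpdump names before the upper-layer protocol.
    entry["ext_headers"] = re.findall(r"\b(HBH|DSTOPT|RTHDR|FRAG)\b", rest)
    proto = re.search(r"\b(gre|icmp6|icmp|tcp|udp|esp|ah)\b", rest)
    entry["proto"] = proto.group(1) if proto else None
    return entry


def effective_action(entry):
    """What pf actually did with the packet, reason taking precedence over action."""
    if entry["reason"] in DROP_REASONS:
        return "drop"
    return entry["action"]


def audit_pflog(text):
    """Return (parsed entries, findings for pass-but-dropped records, summary counter)."""
    entries = [e for e in (parse_pflog_line(l) for l in text.splitlines()) if e]
    findings = []
    for e in entries:
        if e["action"] == "pass" and effective_action(e) != "pass":
            findings.append({
                "ts": e["ts"], "rule": e["rule"], "ifname": e["ifname"],
                "dir": e["dir"], "src": e["src"], "dst": e["dst"],
                "proto": e["proto"], "ext_headers": e["ext_headers"],
                "note": (f"rule {e['rule']} is a pass rule but pf dropped the packet "
                         f"(reason {e['reason']}); check allow-opts in pf.conf(5)"),
            })
    summary = Counter((effective_action(e), e["reason"]) for e in entries)
    return entries, findings, summary


if __name__ == "__main__":
    entries, findings, summary = audit_pflog(SAMPLE_PFLOG)
    for action, reason in sorted(summary):
        print(f"{action:5s} {reason:12s} {summary[(action, reason)]}")
    for f in findings:
        print(f"{f['ts']} {f['dir']} on {f['ifname']} {f['src']} > {f['dst']} "
              f"{f['proto']} {f['ext_headers']}: {f['note']}")
```

Run against a live capture with `doas tcpdump -nvei pflog0 | python3 pflog_audit.py` after swapping `SAMPLE_PFLOG` for `sys.stdin.read()`. The point of the `effective_action` split is that grepping pflog for "block" misses this class of drop entirely: the record says "pass", and only the reason field reveals the packet never got through.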
