Hello,

I noticed a problem with activated pf and the GRE keepalive on
OpenBSD 5.0. With an active pf configuration the keepalive packets
generate on the target system only ICMP "time exceeded in-transit"
packets.

My test scenario consisted of a few virtualized OpenBSD 5.0 systems,
fresh installs without any changes. I had two sides; on one side I
activated the GRE keepalive:

gre0: flags=9011<UP,POINTOPOINT,LINK0,MULTICAST> mtu 1476
        keepalive: timeout 1 count 3
        groups: gre
        status: active
        physical address inet 192.168.19.1 --> 10.32.1.1
        inet 10.100.0.2 --> 10.100.0.1 netmask 0xffffff00

The status is only active, when pf on the receiving side is disabled.
When pf is enabled the following occurs:

22:31:46.486434 gre 192.168.19.1 > 10.32.1.1: [] gre 10.32.1.1 >
192.168.19.1: [] gre-proto-0x0 (DF) [tos 0x10] (ttl 64, id 63695, len
24) (DF) [tos 0x10] (ttl 62, id 35910, len 48)
22:31:46.487023 10.32.1.1 > 192.168.19.1: icmp: time exceeded
in-transit (ttl 255, id 19331, len 56)

After enabling pf the status of the gre interface becomes "keepalive
down". This is the status of the enabled pf:
FILTER RULES:
pass all flags any
block drop in on ! lo0 proto tcp from any to any port 6000:6010
No queue in use

STATES:
all ospf 10.200.0.1 -> 224.0.0.5       SINGLE:NO_TRAFFIC
all gre 172.17.1.1 -> 172.112.1.1       SINGLE:NO_TRAFFIC
all ospf 10.100.0.1 -> 224.0.0.5       SINGLE:NO_TRAFFIC
all gre 10.32.1.1 <- 192.168.19.1       MULTIPLE:MULTIPLE
all gre 192.168.19.1 <- 10.32.1.1       NO_TRAFFIC:SINGLE

INFO:
Status: Enabled for 0 days 00:20:06              Debug: err

If I disable pf again, the keepalive status becomes active and the
following packets are exchanged:
22:33:06.486403 gre 192.168.19.1 > 10.32.1.1: [] gre 10.32.1.1 >
192.168.19.1: [] gre-proto-0x0 (DF) [tos 0x10] (ttl 64, id 8085, len
24) (DF) [tos 0x10] (ttl 62, id 20818, len 48)
22:33:06.486445 gre 10.32.1.1 > 192.168.19.1: [] gre-proto-0x0 (DF)
[tos 0x10] (ttl 63, id 8085, len 24)

All the systems are OpenBSD 5.0 GENERIC#71 i386.

This is my first report, so I do not know if this is enough, what
the best procedure would be, or if this is the right place. If I can
help with something, provide more info, or should try something, I
would be glad.

With best regards,
Stephan Ahrensfeld
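Added example, not part of the report above: a small Python checker that pairs the keepalive probe in the captures with either the decapsulated reply or the ICMP error, so the "active" and "keepalive down" cases can be told apart from a tcpdump log. The sample lines are the report's own two captures, re-joined onto one line per record; the regexes assume the OpenBSD tcpdump output format shown there.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the two captures from the report, each wrapped
# tcpdump record re-joined onto a single line.
PF_ENABLED = [
    "22:31:46.486434 gre 192.168.19.1 > 10.32.1.1: [] gre 10.32.1.1 > 192.168.19.1: []"
    " gre-proto-0x0 (DF) [tos 0x10] (ttl 64, id 63695, len 24) (DF) [tos 0x10] (ttl 62, id 35910, len 48)",
    "22:31:46.487023 10.32.1.1 > 192.168.19.1: icmp: time exceeded in-transit (ttl 255, id 19331, len 56)",
]
PF_DISABLED = [
    "22:33:06.486403 gre 192.168.19.1 > 10.32.1.1: [] gre 10.32.1.1 > 192.168.19.1: []"
    " gre-proto-0x0 (DF) [tos 0x10] (ttl 64, id 8085, len 24) (DF) [tos 0x10] (ttl 62, id 20818, len 48)",
    "22:33:06.486445 gre 10.32.1.1 > 192.168.19.1: [] gre-proto-0x0 (DF) [tos 0x10] (ttl 63, id 8085, len 24)",
]

# Outer GRE from local to peer carrying an inner IP/GRE (proto 0) packet; the first
# "(ttl .., id .., len ..)" group after gre-proto-0x0 describes the inner packet.
PROBE = re.compile(r"gre (\S+) > (\S+): \[\] gre (\S+) > (\S+): \[\] gre-proto-0x0.*?\(ttl \d+, id (\d+), len \d+\)")
# A bare GRE proto-0 packet from peer to local: the inner packet sent back after decapsulation.
REPLY = re.compile(r"gre (\S+) > (\S+): \[\] gre-proto-0x0.*?\(ttl \d+, id (\d+), len \d+\)")
ICMP = re.compile(r"(\S+) > (\S+): icmp: time exceeded")

@dataclass
class Keepalive:
    local: str
    peer: str
    inner_id: int
    status: str  # "active", "down: icmp time exceeded", or "down: no reply"

def classify(lines):
    """Pair a keepalive probe with its reply (or the ICMP error) and return the result."""
    probe = None
    for line in lines:
        m = PROBE.search(line)
        if m:
            outer_src, outer_dst, inner_src, inner_dst, inner_id = m.groups()
            # Only a packet whose inner header is addressed from the peer back to us is a probe.
            if (inner_src, inner_dst) == (outer_dst, outer_src):
                probe = Keepalive(outer_src, outer_dst, int(inner_id), "down: no reply")
            continue
        if probe is None:
            continue
        m = REPLY.search(line)
        # The reply is our own inner packet: same IP id, ttl decremented once by the peer.
        if m and m.group(1, 2) == (probe.peer, probe.local) and int(m.group(3)) == probe.inner_id:
            probe.status = "active"
        m = ICMP.search(line)
        if m and m.group(1, 2) == (probe.peer, probe.local):
            probe.status = "down: icmp time exceeded"
    return probe
```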
