On Fri, Feb 17, 2012 at 11:11:18PM +0100, Stephan Ahrensfeld wrote:
> Hello,
>
> I noticed a problem with activated pf and the gre keepalive on
> OpenBSD 5.0. With an active pf configuration the keepalive packets
> generate on the target system only icmp packets with time exceeded
> in-transit.
>
> My test scenario consisted of a few virtualized OpenBSD 5.0 systems,
> fresh install without any changes. I had two sides; on one side I
> activated the gre keepalive:
>
> gre0: flags=9011<UP,POINTOPOINT,LINK0,MULTICAST> mtu 1476
>         keepalive: timeout 1 count 3
>         groups: gre
>         status: active
>         physical address inet 192.168.19.1 --> 10.32.1.1
>         inet 10.100.0.2 --> 10.100.0.1 netmask 0xffffff00
>
> The status is only active when pf on the receiving side is disabled.
> When pf is enabled the following occurs:
>
> 22:31:46.486434 gre 192.168.19.1 > 10.32.1.1: [] gre 10.32.1.1 > 192.168.19.1: [] gre-proto-0x0 (DF) [tos 0x10] (ttl 64, id 63695, len 24) (DF) [tos 0x10] (ttl 62, id 35910, len 48)
> 22:31:46.487023 10.32.1.1 > 192.168.19.1: icmp: time exceeded in-transit (ttl 255, id 19331, len 56)
>
> After enabling pf the status of the gre interface becomes keepalive
> down. This is the status of the enabled pf:
>
> FILTER RULES:
> pass all flags any
> block drop in on ! lo0 proto tcp from any to any port 6000:6010
> No queue in use
>
> STATES:
> all ospf 10.200.0.1 -> 224.0.0.5       SINGLE:NO_TRAFFIC
> all gre 172.17.1.1 -> 172.112.1.1      SINGLE:NO_TRAFFIC
> all ospf 10.100.0.1 -> 224.0.0.5       SINGLE:NO_TRAFFIC
> all gre 10.32.1.1 <- 192.168.19.1      MULTIPLE:MULTIPLE
> all gre 192.168.19.1 <- 10.32.1.1      NO_TRAFFIC:SINGLE
>
> INFO:
> Status: Enabled for 0 days 00:20:06           Debug: err
>
> If I disable pf again, the keepalive status becomes active and the
> following packets are exchanged:
>
> 22:33:06.486403 gre 192.168.19.1 > 10.32.1.1: [] gre 10.32.1.1 > 192.168.19.1: [] gre-proto-0x0 (DF) [tos 0x10] (ttl 64, id 8085, len 24) (DF) [tos 0x10] (ttl 62, id 20818, len 48)
> 22:33:06.486445 gre 10.32.1.1 > 192.168.19.1: [] gre-proto-0x0 (DF) [tos 0x10] (ttl 63, id 8085, len 24)
>
> All the systems are OpenBSD 5.0 GENERIC#71 i386.
>
> This is my first report, so I do not know if this is enough, how
> the best procedure would be, or if this is the right place. If I can
> help with something, provide more info, or should try something, I
> would be glad.
>
Try adding this rule (or a similar one with quick)

# special rule for gre keepalives
pass on gre proto gre no state

The problem is that the gre keepalive packet is a bit special and causes
state conflicts if you try to use states.

-- 
:wq Claudio
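For readers who want to see where the suggested rule fits, here is a complete pf.conf built from the ruleset shown in the report plus the stateless rule from the reply. This is an added example, not a file from either poster; the rule order and the comments are my own. The capture in the report shows why states are a problem: each keepalive is a GRE packet from 192.168.19.1 to 10.32.1.1 carrying an inner GRE packet addressed back to 192.168.19.1, so the receiving host decapsulates it and immediately sends the inner packet out again, and pf then tries to match that returning packet against the state it just created for the outer one. Matching GRE on the gre interface group (gre0 is a member, per the "groups: gre" line in the ifconfig output) with "no state" sidesteps that entirely.

```conf
# /etc/pf.conf (example, assembled from the thread; not the reporter's file)

# GRE keepalives arrive as GRE-in-GRE and are bounced straight back to the
# peer, so a stateful match on the outer packet conflicts with the inner
# one.  Handle them statelessly on the "gre" interface group.  "quick" makes
# this rule final; without it, it would have to come AFTER the stateful
# "pass all" rule below, because in pf the last matching rule wins.
pass quick on gre proto gre no state

# Rules from the report's "FILTER RULES" listing, unchanged
pass all flags any
block drop in on ! lo0 proto tcp from any to any port 6000:6010
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf`. After the rule is active, `ifconfig gre0` should report "status: active" again, and `pfctl -ss | grep gre` should no longer show the NO_TRAFFIC:SINGLE entry for the keepalive peer, since those packets now bypass the state table.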
