Bastian Did you perform this same test in FreeBSD/NetBSD? What were your results?
Seems to me that the results you got in test 2 are entirely consistent with normal behaviour - you are routing packets to the 10.0.0.0/24 network via 192.168.100.1, so it will return a ping from 10.0.0.97 - the other interface on VM1 - as the packet was passed from em0 to em1, from which the reply was initiated. Of course, I could be wrong. if you haven't already done so, try the same tests in (Free|Net)BSD with net.inet.ip.check_interface set to 1 and see what you get. On Fri, Oct 18, 2019 at 6:53 AM Bastian Kanbach <[email protected]> wrote: > > Hello, > > recently I was performing some checks that relate to the "Strong Host > Model" and "Weak Host Model", and I noticed that OpenBSD was behaving > different than I expected. I always assumed that the network stack of > OpenBSD was following the "Strong Host Model", but I might be wrong with > that: > > Basically the Strong Host Model means that the network stack "accepts > locally destined packets if the destination IP address in the packet > matches an IP address assigned to the network interface on which the > packet was received." > > FreeBSD and NetBSD have a sysctl property for this, called > "net.inet.ip.check_interface", which defaults to 0 (Weak Host Model). > However for OpenBSD I haven't seen such a property at all. > > > Basically my setup consisted of the following virtual machines and > network interfaces (IP-Forwarding disabled): > > > VM 1 (OpenBSD 6.5): > > em0: 192.168.100.1/24 ("Internal Network") > > em1: 10.0.0.97/24 ("NAT") > > > VM 2 (Ubuntu Server 18.10): > > ens33: 192.168.100.2/24 ("Internal Network") > > > ---- > > > As expected, ens33 of VM2 can communicate with em0 of VM1, since both > interfaces are associated with the same Virtualbox network, and both IP > addresses are part of the same /24 subnet. > > ens33 of VM2 can't directly communicate with em1 of VM1, since the IP > addresses are part of different subnets and no routes were configured. > > > Then I performed 2 tests: > > > Test 1: > > Perform an arping from ens33/VM2 (192.168.100.2) to 10.0.0.97 (VM1). The > packet was NOT answered by VM1. > > > Test 2: > > Set the following route on VM2: ip r add 10.0.0.0/24 via 192.168.100.1. > Then send an ICMP echo request to 10.0.0.97 (VM1), originating from > 192.168.100.2 (VM2). VM1 replied with an ICMP echo reply (with a source > MAC address of interface em0). > > > While the behaviour of Test 1 indicates that the Strong Host Model is > followed, Test 2 shows the behaviour of a "Weak Host Model". > > > What of both is actually supposed to be the default for OpenBSD? Is > there any kernel parameter to control these behaviours, like > net.inet.ip.check_interface for FreeBSD or NetBSD? > > > Thanks, > > Bastian > > > > -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
