Good evening all,

following up on the previous discussions, I noticed that the network
stack changed recently [1] (limited to cases when packet forwarding is
enabled).

What's the idea behind it, as it seemed to be unlikely that this default
would be changed at all?


Thanks,

Bastian

[1] https://marc.info/?l=openbsd-tech&m=157580561114203


On 18.10.19 at 08:56, Claudio Jeker wrote:
> On Thu, Oct 17, 2019 at 09:50:28PM +0200, Bastian Kanbach wrote:
>> Hello,
>>
>> recently I was performing some checks that relate to the "Strong Host
>> Model" and "Weak Host Model", and I noticed that OpenBSD was behaving
>> differently than I expected. I always assumed that the network stack of
>> OpenBSD was following the "Strong Host Model", but I might be wrong with
>> that:
> OpenBSD does follow the "Weak Host Model". Has always been like that.
>  
>> Basically the Strong Host Model means that the network stack "accepts
>> locally destined packets if the destination IP address in the packet
>> matches an IP address assigned to the network interface on which the
>> packet was received."
>>
>> FreeBSD and NetBSD have a sysctl property for this, called
>> "net.inet.ip.check_interface", which defaults to 0 (Weak Host Model).
>> However for OpenBSD I haven't seen such a property at all.
>>
>>
>> Basically my setup consisted of the following virtual machines and
>> network interfaces (IP-Forwarding disabled):
>>
>>
>> VM 1 (OpenBSD 6.5):
>>
>> em0: 192.168.100.1/24 ("Internal Network")
>>
>> em1: 10.0.0.97/24 ("NAT")
>>
>>
>> VM 2 (Ubuntu Server 18.10):
>>
>> ens33: 192.168.100.2/24 ("Internal Network")
>>
>>
>> ----
>>
>>
>> As expected, ens33 of VM2 can communicate with em0 of VM1, since both
>> interfaces are associated with the same Virtualbox network, and both IP
>> addresses are part of the same /24 subnet.
>>
>> ens33 of VM2 can't directly communicate with em1 of VM1, since the IP
>> addresses are part of different subnets and no routes were configured.
>>
>>
>> Then I performed 2 tests:
>>
>>
>> Test 1:
>>
>> Perform an arping from ens33/VM2 (192.168.100.2) to 10.0.0.97 (VM1). The
>> packet was NOT answered by VM1.
>>
> This is a Layer 2 ARP test. Since 10.0.0.97 is not on that interface arp
> will not answer. The host model only matters for Layer 3.
>
>> Test 2:
>>
>> Set the following route on VM2: ip r add 10.0.0.0/24 via 192.168.100.1.
>> Then send an ICMP echo request to 10.0.0.97 (VM1), originating from
>> 192.168.100.2 (VM2). VM1 replied with an ICMP echo reply (with a source
>> MAC address of interface em0).
>>
>>
>> While the behaviour of Test 1 indicates that the Strong Host Model is
>> followed, Test 2 shows the behaviour of a "Weak Host Model".
>  
> No, Test 1 is not the right test for the host model.
>  
>> What of both is actually supposed to be the default for OpenBSD? Is
>> there any kernel parameter to control these behaviours, like
>> net.inet.ip.check_interface for FreeBSD or NetBSD?
> We don't have a button and just follow the "Weak Host Model".
> You can enforce a strong model per interface with pf(4):
>
>     block in on !em0 inet to (em0)
>
> or
>
>     block in
>     pass in on em0 to (em0)
>     pass in on em1 to (em1)
>

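As an added illustration (not part of this thread, and not OpenBSD project code): a complete pf.conf that enforces the strong host model on both interfaces of the VM1 setup above, built from the second form Claudio gives. The interface names em0 and em1 come from the thread; the macros, logging, antispoof line and the rest of the skeleton are assumptions for the example.

```pf
# Strong host model for a two-interface OpenBSD host (added example,
# not from the thread). Interface names match VM1 in the setup above.
# (ifname) takes the addresses configured on the interface at rule
# evaluation time, so the rules survive address changes.
int_if = "em0"
nat_if = "em1"

set skip on lo0

# Drop packets whose source address could not legitimately arrive on
# that interface according to the routing table.
antispoof quick for { $int_if $nat_if }

# Default deny inbound. Traffic the host originates is allowed out and
# the state entries it creates let the replies back in.
block in log
pass out

# Accept locally destined packets only when the destination is an
# address configured on the receiving interface. An echo request for
# em1's address arriving on em0 (Test 2 above) matches neither pass
# rule and is dropped by the block rule.
pass in on $int_if to ($int_if)
pass in on $nat_if to ($nat_if)
```

Check the syntax with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and confirm the expanded rules with `pfctl -sr`. Repeating Test 2 from VM2 should then produce no echo reply, and the blocked request shows up on `tcpdump -n -e -ttt -i pflog0`. Two caveats: without an `inet` keyword the pass rules cover both IPv4 and IPv6 addresses on the interface, and if IP forwarding is turned on, transit traffic is blocked as well and needs its own pass rules.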