My experiences with Macs are limited, but I do have experience with pf on OpenBSD.

It is interresting how they use the anchor, normally you’d just use an include.

Anchors are usually used to dynamically add/remove rules from for example a userspace program. The name of the anchor would for example be the name of the program, relayd is an example of such a program: http://www.openbsd.org/cgi-bin/man.cgi?query=relayd&sektion=8&arch=&apropos=0&manpath=OpenBSD+Current

I wouldn’t be surprised if on the Mac they are actually dynamically adding rules as well.

You can probably see that if you use these commands when pf is enabled:

pfctl -vvsr # to see the current rules
pfctl -vvss # to see the current state entries

Exciting stuff. And looking forward to the more complicated stuff

Also, I think it’s time to setup an OpenStack lab.

Let’s say the guest has a port called vnet0 which connected to an OVS bridge br-int. And a GRE-tunnel is created called gre0 and it is also connected to br-int.

As you know a switch and a bridge is pretty much the same thing.

The OVS/bridge uses MAC-learning like a normal swich.

When traffic comes onto the bridge from the guest through vnet0, the bridge will look at the forwarding table and might decide that the MAC-address of the destination is on gre0. In that case the traffic is forwarded to gre0.

At gre0 it gets encapsulated with a GRE-header. The GRE-tunnel is handled by the host.

The host just routes the GRE-tunnel packets to the remote_ip, where it gets unpacked and delivered on an other bridge which will hopefully know what to do with it and deliver it at the right port, which is probably connected to a VM.

Lennie, more “complicated” configurations are on the way. First, though, I need to establish the correct base understanding upon which I can build more in-depth configurations that leverage things like VLANs, network namespaces, source routing, and similar. Patience, my friend…patience.

But for the people that found this to easy, maybe you can add some network-namespaces, VM to VM routing, iptables, firewalling, NAT and VLAN as well. Mix it up a little.

Or just try these things and see if you come across any strange things you might not have expected and make a quiz out of it. So the commenters can try and figure out what is going on.

What is on my todo list is to see what is possible in OpenStack, which configurations are supported. And making a choice which one I want to use.

What I’m hoping to do is use some of the DOVE extensions of VXLAN to prevent broadcasts, the extensions are available in Linux 3.8, like on Ubuntu 13.04, but I don’t know if there are any existing open source components that can use them. I doubt I’ll have time to write any code for that myself.

Haven’t looked at the security groups support in OpenStack either.

So much still left to do, so little time, but at least it’s fun stuff.

Or is it hitting tep0 because that belongs to another OVS instance?

However, keep in mind that this additional flexibility also means additional complexity, and that might deter the use of pf for more “casual” OS X users.

I hope this helps!

http://blog.scottlowe.org/2013/05/15/examining-open-vswitch-traffic-patterns/

Thanks!