ipfw antispoof differences between 12 and 13
Date: Tue, 19 Oct 2021 20:20:54 UTC
Hi folks, are there any known differences for how ipfw's antispoof pattern works between 12-stable and 13-stable? When upgrading to 13-stable, I've noticed that ipfw started rejecting packets coming from an epair interface, based on an antispoof rule. On 12-stable, packets sent via epair (e.g. from inside a jail) do not match, ie do not get rejected: ipfw add deny log ip from any to any not antispoof in On 13-stable, those packets suddenly match and get rejected. Are epair interfaces no longer considered "directly connected"? One odd thing I've noticed (since 12-stable) with ipfw logs is that packets from an epair interface are logged as coming via loopback. Here's an example (on 13-stable), from /var/security.log: host kernel: ipfw: 3600 Accept UDP x.x.x.x:58297 x.x.x.x:53 out via lo0 host kernel: ipfw: 500 Deny UDP x.x.x.x:58297 x.x.x.x:53 in via lo0 host kernel: ipfw: 3600 Accept UDP x.x.x.x:19109 x.x.x.x:53 out via lo0 host kernel: ipfw: 500 Deny UDP x.x.x.x:19109 x.x.x.x:53 in via lo0 Rule 3600 is an explicit accept for that epair interface. Rule 500 is the antispoof rule above. The address x.x.x.x is explicitly configured for one half of this epair interface. There's a paragraph in the ipfw manpage that sounds like this epair vs loopback confusing might be the cause of it. Any thoughts? thanks!