ipfw antispoof differences between 12 and 13

From: Johannes Totz via freebsd-stable <freebsd-stable_at_freebsd.org>
Date: Tue, 19 Oct 2021 20:20:54 UTC
Hi folks,

are there any known differences for how ipfw's antispoof pattern works 
between 12-stable and 13-stable?

When upgrading to 13-stable, I've noticed that ipfw started rejecting 
packets coming from an epair interface, based on an antispoof rule.

On 12-stable, packets sent via epair (e.g. from inside a jail) do not 
match, ie do not get rejected:

ipfw add deny log ip from any to any not antispoof in

On 13-stable, those packets suddenly match and get rejected.

Are epair interfaces no longer considered "directly connected"?

One odd thing I've noticed (since 12-stable) with ipfw logs is that 
packets from an epair interface are logged as coming via loopback. 
Here's an example (on 13-stable), from /var/security.log:

host kernel: ipfw: 3600 Accept UDP x.x.x.x:58297 x.x.x.x:53 out via lo0
host kernel: ipfw: 500 Deny UDP x.x.x.x:58297 x.x.x.x:53 in via lo0
host kernel: ipfw: 3600 Accept UDP x.x.x.x:19109 x.x.x.x:53 out via lo0
host kernel: ipfw: 500 Deny UDP x.x.x.x:19109 x.x.x.x:53 in via lo0

Rule 3600 is an explicit accept for that epair interface.
Rule 500 is the antispoof rule above. The address x.x.x.x is explicitly 
configured for one half of this epair interface.

There's a paragraph in the ipfw manpage that sounds like this epair vs 
loopback confusing might be the cause of it.

Any thoughts?