[Bug 233581] Bug in PF or in PF man-page?
bugzilla-noreply at freebsd.org
Tue Nov 27 21:30:48 UTC 2018
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233581
Bug ID: 233581
Summary: Bug in PF or in PF man-page?
Product: Base System
Version: 11.2-STABLE
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: bugs at FreeBSD.org
Reporter: peo_s at incedo.org
Bug in PF or in PF man-page? I vote for a bug in PF itself…
Man page says that “set skip on lo0” should ignore all traffic over lo0. This
is not true. It just ignores 127* traffic.
Let us assume the FreeBSD 11.2 host has IP 1.2.3.4. I created a jail and
installed DNS/bind in it. The jail uses a shared IP with the host (i.e. no vnet
recompiled kernel)… As there is no 127.0.0.1 I had to reconfigure rndc to
listen on and use 1.2.3.4 instead of 127.0.0.1 in the jail. I then noted that rndc
did not work.
In the FreeBSD main host pf.conf I had to explicitly add a pass rule to allow
1.2.3.4 to 1.2.3.4 on lo0. Using tcpdump listening on lo0 I could also see that the
rndc traffic from 1.2.3.4 to 1.2.3.4 was going over lo0.
So “set skip on lo0” does not work as the man page says, which is…
—snip—
set skip on <ifspec>
List interfaces for which packets should not be filtered. Packets
passing in or out on such interfaces are passed as if pf was
disabled, i.e. pf does not process them in any way. This can be
useful on loopback and other virtual interfaces, when packet
filtering is not desired and can have unexpected effects. For
example:
set skip on lo0
—snip—
Now… I have not used FreeBSD that much. Especially not with jails. Have I
missed something obvious, and am I too quick to log this? Otherwise, please
enlighten me :)
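The workaround described in the report, as an added pf.conf fragment that is not part of the bug report or of FreeBSD's own configuration; the interface name em0 and the rndc control port 953 are assumptions, as is the choice to keep "set skip on lo0" alongside the explicit rule:

```pf
# Added example, not from the bug report: host pf.conf for a FreeBSD host with
# address 1.2.3.4 running a non-vnet jail that shares that address.
ext_if  = "em0"       # assumed interface name, not given in the report
host_ip = "1.2.3.4"   # address from the report, shared by host and jail

# The report observes that "set skip on lo0" only exempts 127/8 traffic;
# loopback traffic addressed 1.2.3.4 -> 1.2.3.4 is still filtered.
set skip on lo0

block all

# Workaround described in the report: explicitly pass the host-to-self
# traffic that rndc sends over lo0 once it is bound to 1.2.3.4 instead of
# 127.0.0.1. Restricting it to the rndc control port keeps the exception
# narrow. Port 953 is rndc's default control port (assumption, not stated
# in the report).
pass quick on lo0 inet proto tcp from $host_ip to $host_ip port 953

# Ordinary host traffic and inbound DNS to the jail's bind on the shared IP.
pass out on $ext_if inet from $host_ip to any
pass in  on $ext_if inet proto { tcp, udp } from any to $host_ip port 53
```

After loading it with pfctl -f /etc/pf.conf, tcpdump -ni lo0 as in the report is the quickest way to confirm whether the 1.2.3.4 to 1.2.3.4 packets now complete their handshake rather than being dropped.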