"set skip on lo" on 12.x and 13.0
Kristof Provost
kp at FreeBSD.org
Tue Feb 9 14:56:01 UTC 2021
On 9 Feb 2021, at 15:50, Marek Zarychta wrote:
> Dear list,
>
> I am observing changed behaviour of the rule "set skip on lo". This
> rule previously allowed for communication between the host and the
> jail not only on loopback interfaces, but also on shared network
> interfaces, for example, if a host had address x.x.x.x/24 and jail had
> address x.x.x.y/32 on the same NIC, the rule above allowed for
> communication between the host and jail using x.x.x.x and x.x.x.y
> addresses. I am considering jails without VNET enabled and using the
> same fib number. Now to allow this kind of communication I had to add
> "pass quick on lo", but I went out of free states rather quickly, so
> instead of increasing the state limit, I have changed the method of
> communication between the host and the jails to utilize only loopback
> addresses.
>
> It's rather not a regression but a change; some people might consider
> it a POLA violation, but probably won't if it gets widely announced.
>
I’m not aware of the behaviour change you describe.
However, there have been subtle issues around set skip on <ifgroup> that
may be confusing you.
See #250994 / 0c156a3c32cd0d9168570da5686ddc96abcbbc5a for some of the
details.
Best regards,
Kristof
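For readers following the thread, here is a minimal pf.conf that puts the two forms discussed side by side. It is an added illustration, not configuration posted by either participant. The interface name em0 and the 192.0.2.0/24 addresses are constructed stand-ins for the x.x.x.x/24 host address and x.x.x.y/32 jail alias in Marek's message; the state limit value is likewise a placeholder.

```pf
# Added example (not from the thread). em0 and the 192.0.2.x addresses are
# constructed placeholders for the poster's x.x.x.x/24 and x.x.x.y/32.
ext_if    = "em0"
host_addr = "192.0.2.10"   # host address on $ext_if (constructed)
jail_addr = "192.0.2.20"   # non-VNET jail alias, /32, on the same NIC (constructed)

# "lo" names the interface GROUP that lo0 belongs to ("ifconfig lo0" lists
# "groups: lo"); "lo0" would name the single interface. Kristof's reply points
# at subtle issues specific to "set skip on <ifgroup>", so when debugging,
# try the interface name as well as the group name.
set skip on lo

# The poster chose not to raise the state limit; the knob would be this one
# (the number is a placeholder, not a recommendation).
# set limit states 100000

block all

# The workaround from the thread. Unlike "set skip", a "pass" rule is
# evaluated per packet and, with pf's default "keep state", creates a state
# entry per flow, which is why the state table filled up.
pass quick on lo

# Ordinary filtering for the shared NIC (illustrative only).
pass out on $ext_if inet from { $host_addr, $jail_addr }
```

To check such a file without loading it, run `pfctl -nf /etc/pf.conf`; `pfctl -si` reports the current number of state entries and `pfctl -sm` the configured hard limit, which together show whether "pass quick on lo" is consuming the state table as described above.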