"set skip on lo" on 12.x and 13.0

Marek Zarychta zarychtam at plan-b.pwste.edu.pl
Tue Feb 9 15:44:49 UTC 2021


On 09.02.2021 at 15:55, Kristof Provost wrote:
> On 9 Feb 2021, at 15:50, Marek Zarychta wrote:
>> Dear list,
>>
>> I am observing changed behaviour of the rule "set skip on lo". This 
>> rule previously allowed for communication between the host and the 
>> jail not only on loopback interfaces, but also on shared network 
>> interfaces; for example, if a host had address x.x.x.x/24 and a jail 
>> had address x.x.x.y/32 on the same NIC, the rule above allowed for 
>> communication between the host and the jail using the x.x.x.x and 
>> x.x.x.y addresses. I am considering jails without VNET enabled and 
>> using the same fib number. Now, to allow this kind of communication, 
>> I had to add "pass quick on lo", but I ran out of free states rather 
>> quickly, so instead of increasing the state limit I have changed the 
>> method of communication between the host and the jails to utilize 
>> only loopback addresses.
>>
>> It's not really a regression but a change; some people might consider 
>> it a POLA violation, but probably won't if it gets widely announced.
>>
> I’m not aware of the behaviour change you describe.
>
> However, there have been subtle issues around set skip on <ifgroup> 
> that may be confusing you.
> See #250994 / 0c156a3c32cd0d9168570da5686ddc96abcbbc5a for some of the 
> details.
>

I have seen this fix, but probably never used it on the affected machine 
running 12.2-STABLE after the MFC of this fix; I have transitioned to 
13.0-STABLE instead. Anyway, both 12.x-STABLE and 11.x-STABLE with "set 
skip on lo" allowed such communication between jail and host not only 
on 127.0.0.0/8 addresses but also on shared NIC addresses.

The behaviour described above was happening with 13.0-STABLE regardless 
of whether set skip was used on the group or on individual interfaces, 
I mean "set skip on lo" and "set skip on {lo0,lo1,lo2,lo3,....}". Now, 
to work around this, I have transitioned to using 127.0.0.0/8 only, but 
some other people might get confused.

Kind regards,

-- 
Marek Zarychta
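The ruleset below is an added illustration of the setup discussed in this thread; it is not the original poster's configuration and not part of the FreeBSD pf sources. The interface name em0, the addresses 192.0.2.10 (host) and 192.0.2.20/32 (non-VNET jail alias on the same NIC), and the macro names are assumptions chosen for the example. It shows the three alternatives the post talks about side by side: the "set skip on lo" the poster relied on up to 12.x-STABLE, the stateful "pass quick on lo" workaround that exhausted the state table, and, as a suggestion of this editor rather than of the poster, the same pass rule with "no state" so that host-to-jail flows do not consume state entries.

```pf
# Added example ruleset, not the original poster's pf.conf.
# Assumed names/addresses: em0, 192.0.2.10 (host), 192.0.2.20 (jail alias).
ext_if    = "em0"
host_addr = "192.0.2.10"
jail_addr = "192.0.2.20"

# A non-VNET jail that shares $ext_if with the host (same FIB) talks to the
# host via local delivery, so pf sees that traffic on lo0 (a member of the
# "lo" interface group), not on $ext_if.

# --- Pick exactly one of the three loopback policies below. ---

# (A) What the post relied on through 12.x-STABLE: skipping the "lo" group
#     bypasses filtering (and state creation) for every lo* interface.
#set skip on lo

# (B) The workaround from the post on 13.0-STABLE: works, but each
#     host<->jail flow now creates a state entry, which is what ran the
#     state table dry on a busy host.
#pass quick on lo

# (C) Suggested alternative (editor's, not the poster's): pass loopback
#     traffic without tracking state, so host<->jail flows cost no entries.
pass quick on lo no state

# Ordinary policy for the shared NIC; both the host address and the jail
# alias are allowed out with state tracking as usual.
block all
pass out on $ext_if from { $host_addr, $jail_addr } keep state
```

Load the file with `pfctl -nf /etc/pf.conf` first to syntax-check it, then watch the "current entries" line of `pfctl -si` while driving host-to-jail traffic: with (B) the count climbs with every connection, with (C) it stays flat. `pfctl -vsI` lists each interface and marks skipped ones, which is a quick way to confirm whether "set skip on lo" actually applied to the individual lo* members on the running kernel, the detail that #250994 mentioned above was about.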