From: Johannes Totz via freebsd-stable (Reply-To: jo@bruelltuete.com)
To: freebsd-stable@freebsd.org
Date: Tue, 19 Oct 2021 21:20:54 +0100
Subject: ipfw antispoof differences between 12 and 13
List-Archive: https://lists.freebsd.org/archives/freebsd-stable

Hi folks,

are there any known differences for how ipfw's antispoof pattern works between 12-stable and 13-stable?

When upgrading to 13-stable, I've noticed that ipfw started rejecting packets coming from an epair interface, based on an antispoof rule. On 12-stable, packets sent via epair (e.g. from inside a jail) do not match, i.e. do not get rejected:

    ipfw add deny log ip from any to any not antispoof in

On 13-stable, those packets suddenly match and get rejected. Are epair interfaces no longer considered "directly connected"?

One odd thing I've noticed (since 12-stable) with ipfw logs is that packets from an epair interface are logged as coming via loopback. Here's an example (on 13-stable), from /var/security.log:

    host kernel: ipfw: 3600 Accept UDP x.x.x.x:58297 x.x.x.x:53 out via lo0
    host kernel: ipfw: 500 Deny UDP x.x.x.x:58297 x.x.x.x:53 in via lo0
    host kernel: ipfw: 3600 Accept UDP x.x.x.x:19109 x.x.x.x:53 out via lo0
    host kernel: ipfw: 500 Deny UDP x.x.x.x:19109 x.x.x.x:53 in via lo0

Rule 3600 is an explicit accept for that epair interface. Rule 500 is the antispoof rule above. The address x.x.x.x is explicitly configured for one half of this epair interface.

There's a paragraph in the ipfw manpage that sounds like this epair vs loopback confusion might be the cause of it.

Any thoughts?

thanks!
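Added example, not part of the email above: a small Python script that parses ipfw log lines in the format quoted in the message and lists flows that were accepted outbound and then denied inbound by the antispoof rule on the same interface, which is the symptom being reported. The addresses in the sample are constructed placeholders, and the rule number 500 is taken from the message.

```python
import re
from collections import defaultdict

# Constructed sample in the format quoted in the email; addresses are placeholders.
SAMPLE_LOG = """\
host kernel: ipfw: 3600 Accept UDP 10.0.0.2:58297 192.0.2.53:53 out via lo0
host kernel: ipfw: 500 Deny UDP 10.0.0.2:58297 192.0.2.53:53 in via lo0
host kernel: ipfw: 3600 Accept UDP 10.0.0.2:19109 192.0.2.53:53 out via lo0
host kernel: ipfw: 500 Deny UDP 10.0.0.2:19109 192.0.2.53:53 in via lo0
host kernel: ipfw: 3600 Accept TCP 10.0.0.2:40000 192.0.2.80:80 out via epair0b
"""

# Matches the TCP/UDP form of an ipfw log line; ICMP lines (no ports) are skipped.
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)


def parse_ipfw_log(text):
    """Return one dict per line that matches the TCP/UDP ipfw log format."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["rule"] = int(rec["rule"])
            records.append(rec)
    return records


def find_antispoof_rejections(records, antispoof_rule):
    """Flows accepted 'out' and later denied 'in' by the antispoof rule on the
    same interface, i.e. an epair flow that ipfw logs on lo0 and then rejects."""
    accepted_out = set()
    hits = []
    for r in records:
        key = (r["proto"], r["src"], r["sport"], r["dst"], r["dport"], r["iface"])
        if r["action"] == "Accept" and r["dir"] == "out":
            accepted_out.add(key)
        elif (r["action"] == "Deny" and r["dir"] == "in"
              and r["rule"] == antispoof_rule and key in accepted_out):
            hits.append(key)
    return hits


def summarize(records):
    """Count (rule, action, direction, interface) combinations for a quick overview."""
    counts = defaultdict(int)
    for r in records:
        counts[(r["rule"], r["action"], r["dir"], r["iface"])] += 1
    return dict(counts)
```

Run it against the real log (e.g. /var/log/security on a default FreeBSD install) by passing the file contents to parse_ipfw_log and the antispoof rule number to find_antispoof_rejections; every flow it reports is one the antispoof rule blocked after the same packet was already accepted on the way out.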