Date: Tue, 9 Feb 2021 15:50:47 +0100
From: Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
To: freebsd-pf@freebsd.org
Subject: "set skip on lo" on 12.x and 13.0
Message-ID: <76015004-7980-fb5c-1cf8-60d7d745bdb9@plan-b.pwste.edu.pl>
Dear list,

I am observing changed behaviour of the rule "set skip on lo". This rule previously allowed for communication between the host and the jail not only on loopback interfaces, but also on shared network interfaces; for example, if a host had address x.x.x.x/24 and jail had address x.x.x.y/32 on the same NIC, the rule above allowed for communication between the host and jail using x.x.x.x and x.x.x.y addresses. I am considering jails without VNET enabled and using the same fib number.

Now to allow this kind of communication I had to add "pass quick on lo", but I went out of free states rather quickly, so instead of increasing the state limit, I have changed the method of communication between the host and the jails to utilize only loopback addresses.

It's rather not a regression but a change; some people might consider it a POLA violation, but probably won't if it gets widely announced.

-- 
Marek Zarychta
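The post mentions running out of free pf states after adding "pass quick on lo". The following is an added example, not code from the original message or from the FreeBSD project: a small monitor that parses the output of `pfctl -si` and `pfctl -sm` and reports how close the state table is to its hard limit, so the condition can be caught before connections start failing. The sample outputs embedded below are constructed, and the exact column layout of both commands is an assumption (it matches the 12.x/13.x layout I am aware of, but check it against your own host before relying on it).

```python
import re
import subprocess

# Constructed sample of `pfctl -si` output (layout is an assumption).
SAMPLE_PFCTL_SI = """\
Status: Enabled for 3 days 04:12:09           Debug: Urgent

State Table                          Total             Rate
  current entries                     9850
  searches                       123456789        476.0/s
  inserts                          2345678          9.0/s
  removals                         2335828          9.0/s
"""

# Constructed sample of `pfctl -sm` output (layout is an assumption).
SAMPLE_PFCTL_SM = """\
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000
"""


def parse_current_states(si_output: str) -> int:
    """Extract the 'current entries' count from `pfctl -si` text."""
    m = re.search(r"^\s*current entries\s+(\d+)", si_output, re.MULTILINE)
    if not m:
        raise ValueError("no 'current entries' line in pfctl -si output")
    return int(m.group(1))


def parse_state_limit(sm_output: str) -> int:
    """Extract the 'states hard limit' value from `pfctl -sm` text."""
    m = re.search(r"^\s*states\s+hard limit\s+(\d+)", sm_output, re.MULTILINE)
    if not m:
        raise ValueError("no 'states hard limit' line in pfctl -sm output")
    return int(m.group(1))


def state_table_usage(si_output: str, sm_output: str):
    """Return (current, limit, fraction_used) for the pf state table."""
    current = parse_current_states(si_output)
    limit = parse_state_limit(sm_output)
    if limit <= 0:
        raise ValueError("state hard limit must be positive")
    return current, limit, current / limit


def state_table_nearly_full(si_output: str, sm_output: str,
                            warn_fraction: float = 0.8) -> bool:
    """True when the state table is at or above warn_fraction of its limit."""
    _, _, used = state_table_usage(si_output, sm_output)
    return used >= warn_fraction


def live_usage():
    """Run pfctl on the local host (FreeBSD, root) and report usage.

    Hypothetical helper; it simply shells out to the two commands above.
    """
    si = subprocess.check_output(["pfctl", "-si"], text=True)
    sm = subprocess.check_output(["pfctl", "-sm"], text=True)
    return state_table_usage(si, sm)


def report(si_output: str, sm_output: str, warn_fraction: float = 0.8) -> str:
    current, limit, used = state_table_usage(si_output, sm_output)
    status = "WARNING" if used >= warn_fraction else "ok"
    return f"pf states: {current}/{limit} ({used:.1%}) {status}"


if __name__ == "__main__":
    # Runs against the constructed samples; replace with live_usage()
    # on a pf host to check the real state table.
    print(report(SAMPLE_PFCTL_SI, SAMPLE_PFCTL_SM))
```

A cron job calling `report()` against live `pfctl` output gives early notice that the table is filling, which is the point at which raising `set limit states` or narrowing the rules that create states becomes a decision rather than an outage.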