Date:      Tue, 9 Feb 2021 15:50:47 +0100
From:      Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
To:        freebsd-pf@freebsd.org
Subject:   "set skip on lo" on 12.x and 13.0
Message-ID:  <76015004-7980-fb5c-1cf8-60d7d745bdb9@plan-b.pwste.edu.pl>


Dear list,

I am observing changed behaviour of the rule "set skip on lo". This rule 
previously allowed for communication between the host and the jail not 
only on loopback interfaces, but also on shared network interfaces, for 
example, if a host had address x.x.x.x/24 and jail had address 
x.x.x.y/32 on the same NIC, the rule above allowed for communication 
between the host and jail using x.x.x.x and x.x.x.y addresses. I am 
considering jails without VNET enabled and using the same fib number. 
Now to allow this kind of communication I had to add "pass quick on lo", 
but I ran out of free states rather quickly, so instead of increasing 
the state limit, I have changed the method of communication between the 
host and the jails to utilize only loopback addresses.

It's not really a regression but a change; some people might consider it 
a POLA violation, but probably won't if it gets widely announced.

-- 

Marek Zarychta
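The three pf configurations the message contrasts, as an added pf.conf fragment that is not part of the original e-mail. The interface name, the addresses and the lo1 setup are assumptions made for illustration; the rules are written for a non-VNET jail sharing the host's NIC and FIB.

```conf
# Added example, not from the original message. Interface and addresses
# are assumptions; the jail is non-VNET and shares the host's FIB.
ext_if  = "em0"
host_ip = "192.0.2.10"   # host address, x.x.x.x/24 in the message
jail_ip = "192.0.2.20"   # jail alias, x.x.x.y/32 on the same NIC

# Before: this alone let the host and jail talk via host_ip/jail_ip.
# On 12.x and 13.0 it only exempts packets that actually traverse lo.
# "lo" here is the interface group, so a cloned lo1 is covered as well.
set skip on lo

# Variant A: explicitly pass loopback traffic. Every flow creates a
# state, which is how the author ran out of free states; if you take
# this route, raise the state limit (the default is 10000).
set limit states 100000
pass quick on lo

# Variant B (what the author switched to): give the jail a loopback
# address instead of an alias on $ext_if, so host<->jail traffic is
# handled entirely by "set skip on lo" and creates no states at all.
# Assumed rc.conf / jail.conf side of this:
#   cloned_interfaces="lo1"
#   ip4.addr = "lo1|127.0.1.1/32";   # in the jail's jail.conf block

block all
pass out on $ext_if from { $host_ip, $jail_ip } keep state
```

Variants A and B are alternatives, not meant to be enabled together; keep the `set` lines above the filter rules, since pfctl requires options to precede rules when it loads the file.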
