From: Marek Zarychta
To: freebsd-pf@freebsd.org
Subject: "set skip on lo" on 12.x and 13.0
Date: Tue, 9 Feb 2021 15:50:47 +0100
Message-ID: <76015004-7980-fb5c-1cf8-60d7d745bdb9@plan-b.pwste.edu.pl>

Dear list,

I am observing changed behaviour of the rule "set skip on lo".
This rule previously allowed for communication between the host and the jail not only on loopback interfaces, but also on shared network interfaces. For example, if a host had address x.x.x.x/24 and the jail had address x.x.x.y/32 on the same NIC, the rule above allowed for communication between the host and the jail using the x.x.x.x and x.x.x.y addresses. I am considering jails without VNET enabled and using the same fib number.

Now, to allow this kind of communication, I had to add "pass quick on lo", but I ran out of free states rather quickly, so instead of increasing the state limit, I have changed the method of communication between the host and the jails to utilize only loopback addresses.

It's rather not a regression but a change; some people might consider it a POLA violation, but probably won't if it gets widely announced.

-- 
Marek Zarychta
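The post above ran into state-table exhaustion after replacing the implicit "set skip on lo" behaviour with "pass quick on lo". The following is an added example, not code from the post or from the FreeBSD project: a small POSIX shell check that compares the current state count from `pfctl -s info` against the hard limit from `pfctl -s memory` (the value set by "set limit states") and warns when usage crosses a threshold. The two sample outputs embedded below are constructed for the example, and the field positions the parser relies on ("current entries" in the third column, the "states" line's last column) are an assumption about the pfctl output layout on 12.x/13.0.

```shell
#!/bin/sh
# Added example (not from the original post): warn when pf's state table
# nears the hard limit configured by "set limit states".
#
# On a real host replace the two constructed samples with live output:
#   info=$(pfctl -s info)   mem=$(pfctl -s memory)

# Constructed sample of `pfctl -s info` output (values invented).
SAMPLE_INFO='Status: Enabled for 12 days 03:14:41           Debug: Urgent

State Table                          Total             Rate
  current entries                     9870
  searches                      1234567890         1169.1/s
  inserts                          5678901            5.4/s
  removals                         5669031            5.4/s'

# Constructed sample of `pfctl -s memory` output (values invented).
SAMPLE_MEMORY='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000'

# current_states INFO_TEXT -> number of entries currently in the state table
current_states() {
    printf '%s\n' "$1" | awk '/current entries/ { print $3; exit }'
}

# state_limit MEMORY_TEXT -> configured hard limit for states
state_limit() {
    printf '%s\n' "$1" | awk '$1 == "states" { print $NF; exit }'
}

# state_usage_percent INFO_TEXT MEMORY_TEXT -> integer percentage of the limit in use
# Fails (exit 1) when either value cannot be parsed, so callers never divide by zero.
state_usage_percent() {
    cur=$(current_states "$1")
    lim=$(state_limit "$2")
    [ -n "$cur" ] && [ -n "$lim" ] && [ "$lim" -gt 0 ] || return 1
    echo $((cur * 100 / lim))
}

# check_state_pressure INFO_TEXT MEMORY_TEXT [THRESHOLD]
# Exit 0 when usage is below THRESHOLD percent (default 80), 1 when at or above it,
# 2 when the pfctl output could not be parsed.
check_state_pressure() {
    pct=$(state_usage_percent "$1" "$2") || return 2
    threshold=${3:-80}
    if [ "$pct" -ge "$threshold" ]; then
        echo "WARNING: pf state table at ${pct}% of limit (threshold ${threshold}%)" >&2
        return 1
    fi
    echo "pf state table at ${pct}% of limit"
    return 0
}

# The constructed sample sits at 98% of the limit, so this prints a warning.
check_state_pressure "$SAMPLE_INFO" "$SAMPLE_MEMORY" || true
```

Run it from cron or a monitoring agent with live pfctl output; a non-zero exit from check_state_pressure is the signal that loopback traffic (or anything else) is consuming states faster than expected, well before pf starts dropping new connections.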