Message-ID: <107ab48e-b3ae-0c3a-fd07-f4867e5fc962@bruelltuete.com>
Date: Thu, 21 Oct 2021 01:46:01 +0100
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-stable
List-Help: <mailto:stable+help@freebsd.org>
List-Post: <mailto:stable@freebsd.org>
List-Subscribe: <mailto:stable+subscribe@freebsd.org>
List-Unsubscribe: <mailto:stable+unsubscribe@freebsd.org>
Sender: owner-freebsd-stable@freebsd.org
X-BeenThere: freebsd-stable@freebsd.org
MIME-Version: 1.0
Subject: Re: ipfw antispoof differences between 12 and 13
Content-Language: en-GB
To: freebsd-stable@freebsd.org
References: <cca95db7-a298-dc6f-a478-4821fa94e129@bruelltuete.com>
In-Reply-To: <cca95db7-a298-dc6f-a478-4821fa94e129@bruelltuete.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Reply-To: jo@bruelltuete.com
From: Johannes Totz via freebsd-stable <freebsd-stable@freebsd.org>
X-Original-From: Johannes Totz <jo@bruelltuete.com>

On 19/10/2021 21:20, Johannes Totz wrote:
> Hi folks,
> 
> are there any known differences for how ipfw's antispoof pattern works 
> between 12-stable and 13-stable?
> 
> When upgrading to 13-stable, I've noticed that ipfw started rejecting 
> packets coming from an epair interface, based on an antispoof rule.
> 
> On 12-stable, packets sent via epair (e.g. from inside a jail) do not 
> match, i.e. do not get rejected:
> 
> ipfw add deny log ip from any to any not antispoof in
> 
> On 13-stable, those packets suddenly match and get rejected.
> 
> Are epair interfaces no longer considered "directly connected"?
> 
> 
> One odd thing I've noticed (since 12-stable) with ipfw logs is that 
> packets from an epair interface are logged as coming via loopback. 
> Here's an example (on 13-stable), from /var/security.log:
> 
> host kernel: ipfw: 3600 Accept UDP x.x.x.x:58297 x.x.x.x:53 out via lo0
> host kernel: ipfw: 500 Deny UDP x.x.x.x:58297 x.x.x.x:53 in via lo0
> host kernel: ipfw: 3600 Accept UDP x.x.x.x:19109 x.x.x.x:53 out via lo0
> host kernel: ipfw: 500 Deny UDP x.x.x.x:19109 x.x.x.x:53 in via lo0
> 
> Rule 3600 is an explicit accept for that epair interface.
> Rule 500 is the antispoof rule above. The address x.x.x.x is explicitly 
> configured for one half of this epair interface.
> 
> There's a paragraph in the ipfw manpage that sounds like this epair vs 
> loopback confusion might be the cause of it.

Ah nvm, it was a routing mistake. Fixing up the routing table by hand 
makes things work again with antispoof and the ipfw log looks much 
better as well.
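Since the outcome hinged on the routing table, here is an added illustration (not ipfw's own code, and not from the poster) of the check that ipfw(8) documents for the antispoof option: for an incoming packet whose source lies in a directly connected network, antispoof matches only if the route back to that source points at the interface the packet arrived on; remote sources and all outgoing packets match unconditionally. The interface names, addresses and both routing tables are constructed; the stale host route via lo0 in the "bad" table is one hypothetical routing mistake that makes a legitimate jail packet fail the check, not necessarily the mistake from the thread.

```python
"""Model of the route check behind ipfw's ``antispoof`` option.

Added illustration, not ipfw's own code.  It follows the behaviour
documented in ipfw(8): for an incoming packet whose source lies in a
directly connected network, ``antispoof`` matches only if the route back
to that source points at the interface the packet arrived on; sources in
non-local networks, and all outgoing packets, match unconditionally.
Interface names, addresses and both routing tables are constructed for
the example; the host route via lo0 is one hypothetical routing mistake,
not necessarily the one from the thread.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    ifname: str  # interface the kernel would send via


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    rcvif: Optional[str]  # None models an outgoing packet (no receive interface)


# Attached subnets per interface, as ifconfig would report them (constructed).
IFACES: Dict[str, IPv4Network] = {
    "em0": ip_network("192.0.2.0/24"),      # uplink
    "epair0a": ip_network("10.0.0.0/24"),   # host half of the jail's epair
}

# Healthy table: the connected route for the jail subnet points at epair0a.
GOOD_ROUTES: List[Route] = [
    Route(ip_network("0.0.0.0/0"), "em0"),
    Route(ip_network("192.0.2.0/24"), "em0"),
    Route(ip_network("10.0.0.0/24"), "epair0a"),
]

# Broken table (hypothetical): a more specific host route for the jail's
# address points at lo0, so the FIB no longer agrees with epair0a.
BAD_ROUTES: List[Route] = GOOD_ROUTES + [Route(ip_network("10.0.0.2/32"), "lo0")]


def lookup(routes: List[Route], dst: IPv4Address) -> Optional[Route]:
    """Longest-prefix match, as the FIB does; None if nothing covers dst."""
    candidates = [r for r in routes if dst in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def directly_connected(src: IPv4Address, ifaces: Dict[str, IPv4Network]) -> bool:
    """Is src inside a subnet attached to some local interface?"""
    return any(src in net for net in ifaces.values())


def antispoof(pkt: Packet, ifaces: Dict[str, IPv4Network], routes: List[Route]) -> bool:
    """True when the packet matches the ``antispoof`` option."""
    if pkt.rcvif is None:                 # outgoing packets always match
        return True
    if not directly_connected(pkt.src, ifaces):
        return True                       # option says nothing about remote sources
    rt = lookup(routes, pkt.src)
    return rt is not None and rt.ifname == pkt.rcvif


def deny_not_antispoof_in(pkt: Packet,
                          ifaces: Dict[str, IPv4Network] = IFACES,
                          routes: List[Route] = GOOD_ROUTES) -> bool:
    """True when ``deny ip from any to any not antispoof in`` would fire."""
    return pkt.rcvif is not None and not antispoof(pkt, ifaces, routes)


if __name__ == "__main__":
    cases = [
        ("jail packet, good table", Packet(ip_address("10.0.0.2"), "epair0a"), GOOD_ROUTES),
        ("jail packet, bad table", Packet(ip_address("10.0.0.2"), "epair0a"), BAD_ROUTES),
        ("spoofed jail address from uplink", Packet(ip_address("10.0.0.9"), "em0"), GOOD_ROUTES),
        ("remote source on uplink", Packet(ip_address("203.0.113.5"), "em0"), GOOD_ROUTES),
    ]
    for name, pkt, routes in cases:
        rt = lookup(routes, pkt.src)
        verdict = "DENY" if deny_not_antispoof_in(pkt, IFACES, routes) else "pass"
        print(f"{name:34} in via {pkt.rcvif:8} route->{rt.ifname:8} {verdict}")
```

The practical check on a real host is the same lookup the model performs: `route -n get <jail-address>` (or `netstat -rn`) should name the epair's host half as the interface; if it names lo0 or the uplink instead, the antispoof rule will reject the jail's traffic regardless of which explicit accept rules precede it for that interface.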