From owner-freebsd-bugs@freebsd.org Tue Nov 27 21:30:48 2018
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 233581] Bugg in PF or in PF man-page?
Date: Tue, 27 Nov 2018 21:30:45 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: new
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 11.2-STABLE
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: peo_s@incedo.org
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: bugs@FreeBSD.org
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Content-Type: text/plain; charset="UTF-8"
List-Id: Bug reports

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233581

            Bug ID: 233581
           Summary: Bugg in PF or in PF man-page?
           Product: Base System
           Version: 11.2-STABLE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: peo_s@incedo.org

Bug in PF or in PF man-page?
I vote for bug in PF itself…

Man page says that "set skip on lo0" should ignore all traffic over lo0. This is not true. It just ignores 127* traffic.

Let us assume the FreeBSD 11.2 host has IP 1.2.3.4. I created a jail and installed DNS/bind in it. The jail shares IP with the host (i.e. no vnet-recompiled kernel)… As there is no 127.0.0.1, I had to reconfigure rndc to listen on and use 1.2.3.4 instead of 127.0.0.1 in the jail. I then noted that rndc did not work.

In the FreeBSD main host pf.conf I had to explicitly add a pass rule to allow 1.2.3.4 to 1.2.3.4 on lo0. Using tcpdump listening on lo0 I could also see that the rndc traffic from 1.2.3.4 to 1.2.3.4 was going over lo0.

So "set skip lo0" does not work as the man page says, which is…

—snip—
     set skip on
             List interfaces for which packets should not be filtered.
             Packets passing in or out on such interfaces are passed as if
             pf was disabled, i.e. pf does not process them in any way.
             This can be useful on loopback and other virtual interfaces,
             when packet filtering is not desired and can have unexpected
             effects.  For example:

                   set skip on lo0
—snip—

Now… I have not used FreeBSD that much. Especially not with jails. Have I missed something obvious and been too quick to log this? Otherwise, please enlighten me :)

-- 
You are receiving this mail because:
You are the assignee for the bug.
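The configuration the report describes, written out as a pf.conf so the "set skip" line, the default-deny policy and the loopback workaround sit side by side. This is an added example, not the reporter's own file: the external interface name em0, the rndc TCP port 953 and the check commands at the bottom are assumptions, since the report only gives the shared address 1.2.3.4 and the interface lo0.

```pf
# /etc/pf.conf reconstructing the setup in the report (added example,
# not the reporter's file). Assumed, not stated in the report: the
# external interface is em0, the host/jail shared address is 1.2.3.4,
# and rndc talks to named on TCP port 953.
ext_if    = "em0"
host_ip   = "1.2.3.4"
rndc_port = "953"

# What the pf.conf(5) text quoted above says should make pf ignore lo0.
set skip on lo0

# A typical default-deny policy. If pf does inspect loopback traffic,
# these rules drop it, which is the symptom the reporter saw with rndc.
block log all
pass out quick on $ext_if proto { tcp udp icmp } from $host_ip keep state

# The workaround the reporter needed: host-to-host traffic on lo0
# (1.2.3.4 -> 1.2.3.4) still reached the block rule despite "set skip".
# Narrowed here to the rndc port rather than passing all host-to-host traffic.
pass quick on lo0 proto tcp from $host_ip to $host_ip port $rndc_port

# Checks (run as root on the host, not inside the jail):
#   pfctl -nf /etc/pf.conf           # parse only, no load
#   pfctl -f /etc/pf.conf            # load the ruleset
#   pfctl -sI -v                     # lo0 should be listed with "(skip)"
#   tcpdump -ni lo0 host 1.2.3.4 and port 953   # confirm rndc uses lo0
#   tcpdump -ni pflog0               # packets dropped by "block log"
```

The `block log all` plus a `tcpdump` on pflog0 is the decisive check: with `set skip on lo0` in effect, no 1.2.3.4-to-1.2.3.4 packet should ever appear on pflog0, so any that do show pf filtering lo0 despite the skip. Logging to pflog0 requires `pflog_enable="YES"` in rc.conf. The workaround rule is kept to TCP and one port; a bare `pass on lo0 from 1.2.3.4 to 1.2.3.4` also works but opens every service bound to the shared address to the jail.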