Date:      Tue, 27 Nov 2018 21:30:45 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 233581] Bugg in PF or in PF man-page?
Message-ID:  <bug-233581-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233581

            Bug ID: 233581
           Summary: Bugg in PF or in PF man-page?
           Product: Base System
           Version: 11.2-STABLE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: peo_s@incedo.org

Bug in PF or in PF man-page? I vote for bug in PF itself…

Man page says that “set skip on lo0” should ignore all traffic over lo0. This
is not true. It just ignores 127* traffic.


Let us assume the FreeBSD 11.2 host has IP 1.2.3.4. I created a jail and
installed DNS/bind in it. The jail uses a shared IP with the host (i.e. no vnet
recompiled kernel)… As there is no 127.0.0.1 I had to reconfigure rndc to
listen and use 1.2.3.4 instead of 127.0.0.1 in the jail. I then noted that rndc
did not work.

In the FreeBSD main host pf.conf I had to explicitly add a pass rule to allow
1.2.3.4 to 1.2.3.4 on lo0. Using tcpdump listening on lo0 I could also see the
rndc traffic from 1.2.3.4 to 1.2.3.4 was going over lo0.

So “set skip lo0” does not work as the man page says, which is…

—snip—
    set skip on <ifspec>
           List interfaces for which packets should not be filtered.  Packets
           passing in or out on such interfaces are passed as if pf was
           disabled, i.e. pf does not process them in any way.  This can be
           useful on loopback and other virtual interfaces, when packet
           filtering is not desired and can have unexpected effects.  For
           example:

                 set skip on lo0
—snip—


Now… I have not used FreeBSD that much. Especially not with jails. Have I
missed something obvious and am I too quick to log this? Otherwise, please
enlighten me :)

-- 
You are receiving this mail because:
You are the assignee for the bug.
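The host pf.conf the report describes, written out as an added example (not the reporter's own file and not FreeBSD documentation). The address 1.2.3.4 and the interface lo0 come from the report; the external interface name em0, the default block policy and the rndc control port are assumptions. The checks at the bottom are the ones a reader would run to confirm whether the skipped interface is really being bypassed and whether the jail-to-jail traffic crosses lo0 as the report says.

```pf
# Added example, not from the bug report. Reproduces the configuration the
# reporter describes on a FreeBSD 11.2 host with a jail sharing the host
# address 1.2.3.4 (no vnet).

# Reporter's expectation: packets on lo0 are passed as if pf were disabled.
set skip on lo0

# Reporter's observation: rndc traffic from the shared address to itself
# still goes over lo0 and is blocked, so an explicit pass rule on lo0 was
# needed in addition to "set skip". rndc's control port 953/tcp is an
# assumption; the report only names the addresses.
pass quick on lo0 inet proto tcp from 1.2.3.4 to 1.2.3.4 port 953

# Default policy (assumed; the report does not show the rest of the file).
block log all
pass out quick on em0 keep state   # em0 is an assumed external interface

# Checks, run as root (shell commands, not pf.conf syntax):
#   pfctl -nf /etc/pf.conf           parse the file without loading it
#   pfctl -f /etc/pf.conf            load the rules
#   pfctl -sr                        confirm the lo0 pass rule is installed
#   pfctl -ss | grep 1.2.3.4         look for state entries for the rndc flow
#   tcpdump -ni lo0 host 1.2.3.4     confirm the 1.2.3.4 -> 1.2.3.4 traffic
#                                    really crosses lo0, as the report says
#   pfctl -sa | grep -i skip         show which interfaces pf believes it skips
```

If the pass rule is what makes rndc work while "set skip on lo0" is present, that matches the report's observation; comparing the output of the last check with the interface the traffic actually uses is the quickest way to tell whether the skip is being applied to the interface you think it is.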