Date: Tue, 09 Feb 2021 15:55:57 +0100
From: "Kristof Provost" <kp@FreeBSD.org>
To: "Marek Zarychta" <zarychtam@plan-b.pwste.edu.pl>
Cc: freebsd-pf@freebsd.org
Subject: Re: "set skip on lo" on 12.x and 13.0
Message-ID: <F0076C8D-340F-448B-BC41-2960F38FA779@FreeBSD.org>
In-Reply-To: <76015004-7980-fb5c-1cf8-60d7d745bdb9@plan-b.pwste.edu.pl>
References: <76015004-7980-fb5c-1cf8-60d7d745bdb9@plan-b.pwste.edu.pl>
On 9 Feb 2021, at 15:50, Marek Zarychta wrote:
> Dear list,
>
> I am observing changed behaviour of the rule "set skip on lo". This
> rule previously allowed for communication between the host and the
> jail not only on loopback interfaces, but also on shared network
> interfaces, for example, if a host had address x.x.x.x/24 and jail had
> address x.x.x.y/32 on the same NIC, the rule above allowed for
> communication between the host and jail using x.x.x.x and x.x.x.y
> addresses. I am considering jails without VNET enabled and using the
> same fib number. Now to allow this kind of communication I had to add
> "pass quick on lo", but I went out of free states rather quickly, so
> instead of increasing the state limit, I have changed the method of
> communication between the host and the jails to utilize only loopback
> addresses.
>
> It's rather not a regression but a change; some people might consider
> it a POLA violation, but probably won't if it gets widely announced.

I'm not aware of the behaviour change you describe. However, there have been subtle issues around set skip on <ifgroup> that may be confusing you. See #250994 / 0c156a3c32cd0d9168570da5686ddc96abcbbc5a for some of the details.

Best regards,
Kristof
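Since "lo" is an interface group rather than a single interface, one thing worth checking after loading such a ruleset is which interfaces actually carry the skip flag. The following is an added example, not part of this thread: it parses the verbose interface list that `pfctl -vsI` prints (skipped interfaces are marked with " (skip)") and reports any expected interface that is not flagged. The sample output embedded below is constructed for illustration, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the thread). Real usage, on the firewall host:
#   pfctl -vsI | check_skip lo0
# pfctl marks skipped interfaces with " (skip)" in its verbose listing.

# Print the names of interfaces flagged as skipped, one per line.
skipped_ifaces() {
    awk '/\(skip\)$/ { print $1 }'
}

# Read "pfctl -vsI" output on stdin; for each interface name given as an
# argument, report it if the skip flag is missing. Returns 1 if any
# expected interface is not flagged, 0 if all of them are.
check_skip() {
    flagged=$(skipped_ifaces)
    missing=0
    for ifn in "$@"; do
        if ! printf '%s\n' "$flagged" | grep -qx "$ifn"; then
            echo "skip flag missing on $ifn" >&2
            missing=1
        fi
    done
    return $missing
}

# Constructed sample in the shape of "pfctl -vsI" output: the group "lo"
# and its member "lo0" are flagged, the shared NIC "em0" is not.
SAMPLE='all
em0
lo (skip)
lo0 (skip)
pflog0'

# Stand-alone run: confirm the loopback member really is skipped.
printf '%s\n' "$SAMPLE" | check_skip lo0 && echo "lo0 is skipped"
```

If the member interface is listed without the flag while the group is, the skip did not take effect where you expected it, which is the kind of subtlety the referenced bug report covers.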