Re: "set skip on lo" on 12.x and 13.0

2021-02-09 Thread Marek Zarychta

On 09.02.2021 at 15:55, Kristof Provost wrote:

On 9 Feb 2021, at 15:50, Marek Zarychta wrote:

Dear list,

I am observing changed behaviour of the rule "set skip on lo". This 
rule previously allowed for communication between the host and the 
jail not only on loopback interfaces, but also on shared network 
interfaces. For example, if a host had address x.x.x.x/24 and the jail 
had address x.x.x.y/32 on the same NIC, the rule above allowed for 
communication between the host and jail using the x.x.x.x and x.x.x.y 
addresses. I am considering jails without VNET enabled and using the 
same fib number. Now, to allow this kind of communication, I had to add 
"pass quick on lo", but I ran out of free states rather quickly, so 
instead of increasing the state limit, I have changed the method of 
communication between the host and the jails to utilize only loopback 
addresses.


It's rather not a regression but a change; some people might consider 
it a POLA violation, but probably won't if it gets widely announced.



I’m not aware of the behaviour change you describe.

However, there have been subtle issues around set skip on  
that may be confusing you.
See #250994 / 0c156a3c32cd0d9168570da5686ddc96abcbbc5a for some of the 
details.




I have seen this fix, but probably never used it on the affected machine 
(12.2-STABLE) after the MFC of this fix; I transitioned to 13.0-STABLE 
instead. Anyway, both 12.x-STABLE and 11.x-STABLE with "set skip on lo" 
were allowing such communication between jail and host not only on 
127.0.0.0/8 addresses but also on shared NIC addresses.


The behaviour described above was happening with 13.0-STABLE regardless 
of using set skip on the group or on individual interfaces, I mean "set 
skip on lo" and "set skip on {lo0,lo1,lo2,lo3,}". Now, to work 
around this I have transitioned to using 127.0.0.0/8 only, but some 
other people might get confused.


Kind regards,

--
Marek Zarychta


___
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"


Re: "set skip on lo" on 12.x and 13.0

2021-02-09 Thread Kristof Provost

On 9 Feb 2021, at 15:50, Marek Zarychta wrote:

Dear list,

I am observing changed behaviour of the rule "set skip on lo". This 
rule previously allowed for communication between the host and the 
jail not only on loopback interfaces, but also on shared network 
interfaces. For example, if a host had address x.x.x.x/24 and the jail 
had address x.x.x.y/32 on the same NIC, the rule above allowed for 
communication between the host and jail using the x.x.x.x and x.x.x.y 
addresses. I am considering jails without VNET enabled and using the 
same fib number. Now, to allow this kind of communication, I had to add 
"pass quick on lo", but I ran out of free states rather quickly, so 
instead of increasing the state limit, I have changed the method of 
communication between the host and the jails to utilize only loopback 
addresses.


It's rather not a regression but a change; some people might consider 
it a POLA violation, but probably won't if it gets widely announced.



I’m not aware of the behaviour change you describe.

However, there have been subtle issues around set skip on  that 
may be confusing you.
See #250994 / 0c156a3c32cd0d9168570da5686ddc96abcbbc5a for some of the 
details.


Best regards,
Kristof


"set skip on lo" on 12.x and 13.0

2021-02-09 Thread Marek Zarychta

Dear list,

I am observing changed behaviour of the rule "set skip on lo". This rule 
previously allowed for communication between the host and the jail not 
only on loopback interfaces, but also on shared network interfaces. For 
example, if a host had address x.x.x.x/24 and the jail had address 
x.x.x.y/32 on the same NIC, the rule above allowed for communication 
between the host and jail using the x.x.x.x and x.x.x.y addresses. I am 
considering jails without VNET enabled and using the same fib number. 
Now, to allow this kind of communication, I had to add "pass quick on lo", 
but I ran out of free states rather quickly, so instead of increasing 
the state limit, I have changed the method of communication between the 
host and the jails to utilize only loopback addresses.


It's rather not a regression but a change; some people might consider it 
a POLA violation, but probably won't if it gets widely announced.


--

Marek Zarychta
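An added check, not from this thread and not pf's own tooling: a POSIX sh function that parses the text of `pfctl -s info` and `pfctl -s memory` to report how full the state table is, so a host that carries host/jail traffic through stateful "pass quick on lo" rules can be watched before it runs out of states. The sample outputs are constructed to match FreeBSD pfctl's layout, and the `pf_state_usage` name and 90% threshold are assumptions.

```shell
#!/bin/sh
# Added example: report pf state-table usage from pfctl text output.
# Constructed sample of `pfctl -s info` (only "current entries" is parsed).
SAMPLE_INFO='Status: Enabled for 3 days 04:12:55           Debug: Urgent

State Table                          Total             Rate
  current entries                     9850
  searches                      1234567890        4750.0/s
  inserts                         98765432         380.1/s
  removals                        98755582         380.0/s'

# Constructed sample of `pfctl -s memory` (only the "states" line is parsed).
SAMPLE_MEMORY='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000'

# pf_state_usage INFO_TEXT MEMORY_TEXT [THRESHOLD_PERCENT]
# Prints "<current> <limit> <percent>" on stdout.
# Returns 0 when usage is below the threshold (default 90%), 1 when it is
# at or above it, and 2 when either value could not be parsed.
pf_state_usage() {
    info=$1; mem=$2; threshold=${3:-90}
    # Third field of "  current entries   N"
    current=$(printf '%s\n' "$info" | awk '/current entries/ {print $3}')
    # Fourth field of "states  hard limit  N"
    limit=$(printf '%s\n' "$mem" | awk '$1 == "states" && /hard limit/ {print $4}')
    if [ -z "$current" ] || [ -z "$limit" ] || [ "$limit" -eq 0 ]; then
        echo "pf_state_usage: could not parse pfctl output" >&2
        return 2
    fi
    pct=$(( current * 100 / limit ))
    printf '%s %s %s\n' "$current" "$limit" "$pct"
    [ "$pct" -lt "$threshold" ]
}

# On a live FreeBSD host (hypothetical call, needs root for pfctl):
#   pf_state_usage "$(pfctl -s info)" "$(pfctl -s memory)"
pf_state_usage "$SAMPLE_INFO" "$SAMPLE_MEMORY" \
    || echo "warning: pf state table at or above threshold" >&2
```

With the constructed sample the function prints "9850 10000 98" and returns 1, which is the condition the author hit before moving host/jail traffic onto 127.0.0.0/8 addresses covered by "set skip on lo".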

