On 9 Feb 2021, at 15:50, Marek Zarychta wrote:
Dear list,
I am observing changed behaviour of the rule "set skip on lo". This
rule previously allowed for communication between the host and the
jail not only on loopback interfaces, but also on shared network
interfaces, for example, if a host had address x.x.x.x/24 and jail had
address x.x.x.y/32 on the same NIC, the rule above allowed for
communication between the host and jail using x.x.x.x and x.x.x.y
addresses. I am considering jails without VNET enabled and using the
same fib number. Now to allow this kind of communication I had to add
"pass quick on lo", but I went out of free states rather quickly, so
instead of increasing the state limit, I have changed the method of
communication between the host and the jails to utilize only loopback
addresses.
It's rather not a regression but a change, some people might consider
it POLA violation, but probably won't if it gets widely announced.

I’m not aware of the behaviour change you describe.
However, there have been subtle issues around set skip on <ifgroup> that
may be confusing you.
See #250994 / 0c156a3c32cd0d9168570da5686ddc96abcbbc5a for some of the
details.
Best regards,
Kristof
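The three variants discussed in the thread side by side, as an added pf.conf fragment that is not from either poster; the interface name em0, the 192.0.2.0/24 addresses and the 127.0.1.20 loopback alias are constructed for the illustration, and the "no state" variant is an alternative the thread does not mention:

```pf
# Assumed layout (constructed): host 192.0.2.10/24 on em0, a non-VNET jail
# aliased as 192.0.2.20/32 on the same em0, both in the same FIB.
#
# "lo" here is the loopback interface *group*, not the interface lo0; see
# bug #250994 referenced above for the set-skip-on-group issues.
set skip on lo

# Variant 1 (the rule Marek added): host<->jail traffic between the two
# em0 addresses is delivered over loopback, and this rule passes it.
# Every flow creates a state entry, so chatty host/jail traffic can
# exhaust the state table (current limit: pfctl -sm, usage: pfctl -si).
pass quick on lo

# Variant 2 (not in the thread): same match, but without state tracking,
# so the rule consumes no state-table entries. Both directions are
# evaluated statelessly, which is acceptable on a loopback path.
pass quick on lo no state

# Variant 3 (what Marek switched to): give the jail a loopback-only
# address and talk to it there, so "set skip on lo" alone covers it.
# rc.conf equivalent (constructed):
#   cloned_interfaces="lo1"
#   ifconfig_lo1="inet 127.0.1.20/32"
#   jail_myjail_ip="lo1|127.0.1.20"   # or ip4.addr in jail.conf
```

After loading, "pfctl -sr" shows which variant is active and "pfctl -ss | wc -l" shows whether host/jail flows are still creating states.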