On 19/10/2021 21:20, Johannes Totz wrote:
Hi folks,
are there any known differences for how ipfw's antispoof pattern works
between 12-stable and 13-stable?
When upgrading to 13-stable, I've noticed that ipfw started rejecting
packets coming from an epair interface, based on an antispoof rule.
On 12-stable, packets sent via epair (e.g. from inside a jail) do not
match, ie do not get rejected:
ipfw add deny log ip from any to any not antispoof in
On 13-stable, those packets suddenly match and get rejected.
Are epair interfaces no longer considered "directly connected"?
One odd thing I've noticed (since 12-stable) with ipfw logs is that
packets from an epair interface are logged as coming via loopback.
Here's an example (on 13-stable), from /var/security.log:
host kernel: ipfw: 3600 Accept UDP x.x.x.x:58297 x.x.x.x:53 out via lo0
host kernel: ipfw: 500 Deny UDP x.x.x.x:58297 x.x.x.x:53 in via lo0
host kernel: ipfw: 3600 Accept UDP x.x.x.x:19109 x.x.x.x:53 out via lo0
host kernel: ipfw: 500 Deny UDP x.x.x.x:19109 x.x.x.x:53 in via lo0
Rule 3600 is an explicit accept for that epair interface.
Rule 500 is the antispoof rule above. The address x.x.x.x is explicitly
configured for one half of this epair interface.
There's a paragraph in the ipfw manpage that sounds like this epair vs
loopback confusing might be the cause of it.
Ah nvm, it was a routing mistake. Fixing up the routing table by hand
makes things work again with antispoof and the ipfw log looks much
better as well.
