Re: "set skip on lo" on 12.x and 13.0
Date: Fri, 08 Oct 2021 10:54:31 UTC
On 09.02.2021 at 16:44, Marek Zarychta wrote:
> On 09.02.2021 at 15:55, Kristof Provost wrote:
>> On 9 Feb 2021, at 15:50, Marek Zarychta wrote:
>>> Dear list,
>>>
>>> I am observing changed behaviour of the rule "set skip on lo". This rule previously allowed for communication between the host and the jail not only on loopback interfaces, but also on shared network interfaces. For example, if a host had address x.x.x.x/24 and the jail had address x.x.x.y/32 on the same NIC, the rule above allowed for communication between the host and jail using the x.x.x.x and x.x.x.y addresses. I am considering jails without VNET enabled and using the same fib number. Now, to allow this kind of communication, I had to add "pass quick on lo", but I ran out of free states rather quickly, so instead of increasing the state limit, I have changed the method of communication between the host and the jails to utilize only loopback addresses.
>>>
>>> It's rather not a regression but a change; some people might consider it a POLA violation, but probably won't if it gets widely announced.
>>>
>> I'm not aware of the behaviour change you describe.
>>
>> However, there have been subtle issues around set skip on <ifgroup> that may be confusing you.
>> See #250994 / 0c156a3c32cd0d9168570da5686ddc96abcbbc5a for some of the details.
>>
>
> I have seen this fix, but probably never used it on the affected 12.2-STABLE machine after the MFC of this fix; I transitioned to 13.0-STABLE instead. Anyway, both 12.x-STABLE and 11.x-STABLE with "set skip on lo" were allowing such communication between jail and host not only on 127.0.0.0/8 addresses but also on shared NIC addresses.
>
> The behaviour described above was happening with 13.0-STABLE regardless of using set skip on the group or on individual interfaces, I mean "set skip on lo" and "set skip on {lo0,lo1,lo2,lo3,....}". Now, to work around this I have transitioned to using 127.0.0.0/8 only, but some other people might get confused.
>

The original problem was solved a long time ago in a different way, but the right solution was to remove the rule "antispoof quick for lo" which followed "set skip on lo". In FreeBSD 13.0 and later this ruleset adds, among others, "block drop in quick on ! lo inet from 127.0.0.0/8 to any", which prevented communication between the host and jails. I have neither 12 nor earlier versions to test this, but certainly it worked a different way there. So, concluding this 8-month-old thread: either "set skip on lo" worked a different way, preventing "antispoof quick for lo" from loading, or this erroneous contradiction was worked around a different way. Thank you for help in solving this.

Kind regards,
--
Marek Zarychta
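As an added illustration (not part of the thread), a pf.conf fragment showing the contradictory ruleset the thread describes next to the corrected one; the interface name, the host and jail addresses, and the sample pass rules are constructed placeholders, and the expansion comment repeats only what the thread states:

```pf
# Added example, not from the thread. Constructed placeholders: non-VNET jail
# 192.0.2.11/32 sharing NIC em0 with host address 192.0.2.10/24, same fib.
ext_if    = "em0"
host_addr = "192.0.2.10"
jail_addr = "192.0.2.11"

# --- /etc/pf.conf (before): as described in the thread, FreeBSD 13.0+ ---
set skip on lo
antispoof quick for lo        # per the thread this expands to, among others:
                              #   block drop in quick on ! lo inet from 127.0.0.0/8 to any
                              # which blocked host <-> jail traffic despite "set skip on lo"
antispoof quick for $ext_if   # assumed: antispoof for the external NIC is kept
pass out quick                # placeholder policy
pass in on $ext_if proto tcp to { $host_addr, $jail_addr } port 22

# --- /etc/pf.conf (after): the fix from the thread, only the lo line removed ---
set skip on lo
antispoof quick for $ext_if
pass out quick
pass in on $ext_if proto tcp to { $host_addr, $jail_addr } port 22

# Check without loading: "pfctl -nvf /etc/pf.conf" parses the file and prints the
# expanded rules; with the "before" file the "block drop in quick on ! lo" line
# appears, with the "after" file it does not. "pfctl -sr" shows what is loaded.
```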