I ran across a problem while I was upgrading one of the routers I manage from 12.2 to 13.0, and thought I should warn others who might run into the same problem. But before I get to the issue, let me provide the details on how things are set up. Keep in mind I'm not sure everything below is relevant, as I have limited time to fully discover the scope of the change, but I thought I should include as much as possible in case it matters.
- The router has multiple vlan(4)s on top of a lagg(4) interface with multiple em(4) interfaces underneath.
- Routing is performed between the VLANs, and several vlan interfaces have aliased IPs on them.
- One vlan interface in particular has numerous IP aliases on it, one for each jail that requires IP connectivity (e.g. unbound(8)).
- At least two of the jails (both hosted on the router in question) need to communicate with one another (e.g. unbound's jail needs to talk to nsd(8)'s to resolve stub zones).
- There's only one lo(4) interface, lo0, and it has no IP aliases and no jails using any addresses on it.
- I was not and am not skipping filtering on lo0. Any traffic that needed to be sent over this interface had explicit rules permitting it.
- No jails are using vnet, they are just assigned IP addresses (always aliases) already present on the host.
Code:
pass quick on lo0 inet proto udp from unbound to nsd port 53 keep state
After upgrading to 13.0, I noticed they could no longer reach one another, despite making no changes to my pf.conf. Puzzled, I looked a little deeper and found an error from unbound's side of things: notice: send failed: Permission denied. This made me suspect pf might be involved, and to make a long story short, it was. In 13.0, traffic between these jails was now being sent over the vlan interface instead of over the loopback as it had in the past. Simply changing the interface in the rule to be the vlan instead of the loopback fixed the issue once the new rules were loaded.
While I don't regard this as a bug, especially since the new behavior makes more sense than the old behavior in my opinion, it was an unexpected change while upgrading. As such, I wanted to make other users of pf who might be in a similar situation aware of the potential pitfall when upgrading.
Finally, I'm not sure yet on all the specifics, so this might affect you even if you're not using jails, VLANs, etc. If you've done some testing yourself please post any additional findings, or any questions you have, below.
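An added pre-upgrade check, not from the original post: it scans a pf.conf fragment for pass rules on lo0 whose source and destination are both aliases of the same non-loopback interface (the jail-to-jail case described above) and shows the rule rewritten onto that interface. The host names, addresses and interface-to-alias map below are constructed sample input, and the check covers only the same-interface case the post describes.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input (hypothetical, not from the post): names that
# would normally resolve via /etc/hosts, and the aliases each interface
# carries, as ifconfig would list them.
SAMPLE_HOSTS = {"unbound": "192.0.2.10", "nsd": "192.0.2.11", "dmz": "192.0.2.20"}
SAMPLE_IFACE_ADDRS = {
    "lo0": ["127.0.0.1"],
    "vlan10": ["192.0.2.1", "192.0.2.10", "192.0.2.11"],
    "vlan20": ["192.0.2.20"],
}
SAMPLE_PFCONF = """\
pass quick on lo0 inet proto udp from unbound to nsd port 53 keep state
pass quick on lo0 inet proto tcp from unbound to dmz port 443 keep state
pass in on vlan10 inet proto udp from unbound to nsd port 53 keep state
"""

# Minimal pass-rule matcher: interface after "on", endpoints after "from"/"to".
RULE_RE = re.compile(r"^\s*pass\b.*?\bon\s+(\S+)\b.*?\bfrom\s+(\S+)\s+to\s+(\S+)")


def iface_of(addr: str, iface_addrs: Dict[str, List[str]]) -> Optional[str]:
    """Return the interface carrying addr as an alias, or None if unknown."""
    for iface, addrs in iface_addrs.items():
        if addr in addrs:
            return iface
    return None


def resolve(name: str, hosts: Dict[str, str]) -> str:
    """Map a host name or $macro to an address; unknown names pass through."""
    return hosts.get(name.lstrip("$"), name)


def find_loopback_only_rules(pfconf: str, hosts: Dict[str, str],
                             iface_addrs: Dict[str, List[str]]) -> List[Tuple[int, str, str, str]]:
    """(line_no, src, dst, shared_iface) for 'pass ... on lo0' rules whose
    endpoints both live on the same non-loopback interface."""
    findings = []
    for lineno, line in enumerate(pfconf.splitlines(), 1):
        m = RULE_RE.match(line)
        if not m or m.group(1) != "lo0":
            continue
        src, dst = resolve(m.group(2), hosts), resolve(m.group(3), hosts)
        si, di = iface_of(src, iface_addrs), iface_of(dst, iface_addrs)
        if si is not None and si == di and si != "lo0":
            findings.append((lineno, src, dst, si))
    return findings


def rewrite_interface(rule: str, iface: str) -> str:
    """The same rule with 'on lo0' replaced by the interface the traffic now uses."""
    return re.sub(r"\bon\s+lo0\b", f"on {iface}", rule, count=1)
```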