APIPA broadcasts forwarded by route-to
If there is a host with an APIPA IP sending broadcasts that match a route-to rule, the traffic gets forwarded by route-to. antispoof should block that scenario, since that IP subnet isn't defined on the source interface. We should change route-to so that it never forwards anything destined to a broadcast MAC address, to prevent such scenarios.
To work around it, just add a rule to block APIPA, 169.254.0.0/16. Or, ideally, don't use overly permissive rulesets; the default rules will not permit this to happen.
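A pf.conf fragment showing the overly permissive route-to rule beside the workaround described above, with the link-local block placed ahead of it as a quick rule so that evaluation stops before the route-to rule can match. This is an added example, not a ruleset from the ticket or from pfSense; the interface names, LAN subnet and gateway address are placeholders.

```pf
# Added example; em0/em1, 192.0.2.0/24 and 203.0.113.1 are placeholders.
lan_if  = "em0"
lan_net = "192.0.2.0/24"
wan_if  = "em1"
wan_gw  = "203.0.113.1"

# Workaround from the ticket: drop IPv4 link-local (APIPA) traffic before any
# route-to rule is evaluated. "quick" ends rule evaluation on match, so the
# permissive rule below never sees these packets. "log" records the drops.
block drop in quick log on $lan_if from 169.254.0.0/16 to any
block drop in quick log on $lan_if from any to 169.254.0.0/16

# Overly permissive policy routing (the scenario in the ticket): "from any"
# also matches broadcasts sent by a host that is not in $lan_net, such as a
# host that fell back to an APIPA address, and route-to forwards them.
# pass in on $lan_if route-to ($wan_if $wan_gw) from any to any

# Tighter form: only policy-route traffic sourced from the configured LAN subnet.
pass in on $lan_if route-to ($wan_if $wan_gw) from $lan_net to any
```

The two block rules must come before the pass rule in the file; without "quick", pf's last-matching-rule-wins evaluation would let the later pass rule override them.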
block IPv4 link-local. Per RFC 3927, hosts "MUST NOT send the packet to
any router for forwarding", and "any network device receiving such a
packet MUST NOT forward it". FreeBSD won't route it (route-to can override in
some circumstances), so it can't be in use as a real network anywhere with
the possible exception of local-only networks. Unlikely any such situation
Fixes ticket #2073
#3 Updated by Brandon Jackson about 2 years ago
Except with no way to disable this rule, this can affect bridged interfaces, and since the rule is processed so far in advance you cannot make a rule to allow said traffic without giving up filtering the bridge completely. It can also cause spam in the default block log.