From owner-freebsd-net@freebsd.org Mon Jan 4 02:35:16 2021
Date: Mon, 4 Jan 2021 09:35:15 +0700
From: Victor Sudakov
To: freebsd-questions@freebsd.org, freebsd-net@freebsd.org
Subject: Re: FreeBSD does not reply to IPv6 Neighbor Solicitations
List-Id: Networking and TCP/IP with FreeBSD

Victor Sudakov wrote:
> Dear Colleagues,
>
> Why could it be that a FreeBSD 12.2 host does not reply to ICMPv6
> Neighbor Solicitations from the router?

Any ideas please?

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/

From owner-freebsd-net@freebsd.org Mon Jan 4 03:42:03 2021
From: Michael Sierchio
Date: Sun, 3 Jan 2021 19:41:24 -0800
Subject: Re: FreeBSD does not reply to IPv6 Neighbor Solicitations
To: "freebsd-net@freebsd.org", FreeBSD Questions

On Sun, Jan 3, 2021 at 6:35 PM Victor Sudakov wrote:

> > Why could it be that a FreeBSD 12.2 host does not reply to ICMPv6
> > Neighbor Solicitations from the router?
>
> Any ideas please?
>

Are you permitting the required udp and icmp?
These could be tighter, but

################################################################################
# dhcp / bootp

$FW add 00128 allow udp from any 67,68,546,547 to any 67,68,546,547

################################################################################
# Neighbor Discovery Protocol

$FW add 00129 allow ipv6-icmp from any to any icmp6types 133,134,135,136,137

The method I have found to be reliable is to use dhcp6c, which requires the
pkg 'dhcp6'

So for a FreeBSD host in ec2, for example:

ifconfig_eth0="SYNCDHCP"
ipv6_activate_all_interfaces="YES"
ifconfig_eth0_ipv6="inet6 accept_rtadv up"
dhcp6c_enable="YES"
dhcp6c_interfaces="eth0"

and /usr/local/etc/dhcp6c.conf is simple

interface eth0 {
        send ia-na 1;
        send rapid-commit;
};

id-assoc na 1 { };

For a more complicated example, I have a firewall that gets its addresses
from my cable company:

ipv6_gateway_enable="YES"
ipv6_activate_all_interfaces="YES"
rtadvd_enable="YES"
rtadvd_interfaces="eth1 eth2"
dhcp6c_enable="YES"
dhcp6c_interfaces="eth0"
ipv6_default_interface="eth1"

and

interface eth0 {
        send ia-na 1;
        send ia-pd 1;
        send rapid-commit;
};

id-assoc pd 1 {
        prefix ::/64 1800;
        prefix-interface eth1 {
                sla-id 0;
                sla-len 0;
        };
        prefix-interface eth2 {
                sla-id 1;
                sla-len 0;
        };
};

id-assoc na 1 { };

-- 
"Well," Brahmā said, "even after ten thousand explanations, a fool is no
wiser, but an intelligent person requires only two thousand five hundred."

- The Mahābhārata

From owner-freebsd-net@freebsd.org Mon Jan 4 04:33:06 2021
Date: Mon, 4 Jan 2021 11:33:03 +0700
From: Victor Sudakov
To: freebsd-net@freebsd.org
Subject: Re: FreeBSD does not reply to IPv6 Neighbor Solicitations

Michael Sierchio wrote:
> On Sun, Jan 3, 2021 at 6:35 PM Victor Sudakov wrote:
>
> > > Why could it be that a FreeBSD 12.2 host does not reply to ICMPv6
> > > Neighbor Solicitations from the router?
> >
> > Any ideas please?
> >
>
> Are you permitting the required udp and icmp? These could be tighter, but
>
> ################################################################################
>
> # dhcp / bootp
>
> $FW add 00128 allow udp from any 67,68,546,547 to any 67,68,546,547

There is no firewall on the FreeBSD host in question. There is no need,
the host is on the LAN of a Mikrotik router.

>
> The method I have found to be reliable is to use dhcp6c, which requires the
> pkg 'dhcp6'

Why? On the host in question, I have a statically configured global IPv6
address, and auto_linklocal enabled on all interfaces:

$ ifconfig re1
re1: flags=8843 metric 0 mtu 1500
        options=8209b
        ether c4:12:f5:33:c9:7c
        inet 192.168.170.5/24 broadcast 192.168.170.255
        inet6 fe80::c612:f5ff:fe33:c97c%re1/64 scopeid 0x2
        inet6 2001:470:ecba:3::5/64
        media: Ethernet autoselect (1000baseT )
        status: active
        nd6 options=21
$

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/

From owner-freebsd-net@freebsd.org Mon Jan 4 14:17:26 2021
From: "Lutz Donnerhacke"
Subject: Re: FreeBSD does not reply to IPv6 Neighbor Solicitations
Date: Mon, 4 Jan 2021 15:17:15 +0100

> Victor Sudakov wrote:
> > Dear Colleagues,
> >
> > Why could it be that a FreeBSD 12.2 host does not reply to ICMPv6
> > Neighbor Solicitations from the router?
>
> Any ideas please?

Thank you for pointing this out.
I do have a similar effect, after upgrading, and you point me to a good
direction.
I'll investigate and report back.

Lutz Donnerhacke

From owner-freebsd-net@freebsd.org Mon Jan 4 14:22:21 2021
From: "Bjoern A. Zeeb"
To: "Lutz Donnerhacke"
Cc: freebsd-questions@freebsd.org, freebsd-net@freebsd.org
Subject: Re: FreeBSD does not reply to IPv6 Neighbor Solicitations
Date: Mon, 04 Jan 2021 14:22:09 +0000

On 4 Jan 2021, at 14:17, Lutz Donnerhacke wrote:

>> Victor Sudakov wrote:
>>> Dear Colleagues,
>>>
>>> Why could it be that a FreeBSD 12.2 host does not reply to ICMPv6
>>> Neighbor Solicitations from the router?
>>
>> Any ideas please?
>
> Thank you for pointing this out.
> I do have a similar effect, after upgrading, and you point me to a good
> direction.
> I'll investigate and report back.

I’d start by checking netstat -s -p icmp6 and netstat -s -p ip6 for any
suspicious counter updates.

Another thing to do might be to turn on nd6 log/debugging by sysctl
(sysctl net.inet6.icmp6.nd6_debug=0xff should do it) and keep an eye on
the kernel messages.

/bz

From owner-freebsd-net@freebsd.org Mon Jan 4 17:25:10 2021
From: "Lutz Donnerhacke"
Subject: AW: FreeBSD does not reply to IPv6 Neighbor Solicitations
Date: Mon, 4 Jan 2021 18:25:05 +0100

> I’d start by checking netstat -s -p icmp6 and netstat -s -p ip6 for
> any suspicious counter updates.

Great idea. It points me to the most stupid error I could make.

Instead of
 ifconfig_lagg140_aliases="inet6 2a01:75c0:1000:140::/64 anycast"
I wrote
 ifconfig_vlan140_aliases="inet6 2a01:75c0:1000:140::/64 anycast"
so the IPv6 address was not set after reboot.

This fails to get noticed, due to the long lifetime of the announced prefix.
(the error has been visible since a few days only, I had no time to investigate)

So I can confess, plain 12.2-STABLE is not broken.
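
The rc.conf typo described in the message above, turned into a check (an added example, not part of the thread and not FreeBSD's own tooling): the function lists every ifconfig_<name>... variable whose interface is neither in a supplied list of existing interfaces nor named in cloned_interfaces. The sample rc.conf is constructed, the function names are hypothetical, and interface names are assumed to be purely alphanumeric.

```shell
#!/bin/sh
# Added example: find rc.conf ifconfig_* variables that refer to an interface
# which does not exist, the kind of typo that silently drops an address at boot.

# rc_orphan_ifconfig FILE "KNOWN_IFNAMES"
#   FILE           rc.conf-style file to inspect
#   KNOWN_IFNAMES  space-separated interface names that exist on the host,
#                  e.g. the output of `ifconfig -l` on FreeBSD
# Prints one variable name per line for each ifconfig_<if>[_suffix] entry whose
# <if> is neither known nor created through cloned_interfaces.
# Limitation: interfaces created by other means (vlans_<if>, wlans_<if>) are
# not recognised here and must be passed in KNOWN_IFNAMES.
rc_orphan_ifconfig() {
    awk -v known="$2" '
    BEGIN {
        n = split(known, k, /[ \t]+/)
        for (i = 1; i <= n; i++) if (k[i] != "") have[k[i]] = 1
    }
    # Drop trailing comments and leading blanks before matching.
    { sub(/#.*/, ""); sub(/^[ \t]+/, "") }
    # Interfaces that rc.conf itself creates at boot.
    /^cloned_interfaces=/ {
        v = $0; sub(/^[^=]*=/, "", v); gsub(/"/, "", v)
        m = split(v, c, /[ \t]+/)
        for (i = 1; i <= m; i++) if (c[i] != "") have[c[i]] = 1
        next
    }
    # ifconfig_<if>, ifconfig_<if>_ipv6, _aliases, _alias<N>, _name, _descr
    /^ifconfig_[A-Za-z0-9_]+=/ {
        var = $0; sub(/=.*/, "", var)
        ifn = var; sub(/^ifconfig_/, "", ifn)
        sub(/_(ipv6|aliases|alias[0-9]+|name|descr)$/, "", ifn)
        if (ifn == "DEFAULT") next
        vars[++nv] = var; ifs[nv] = ifn
    }
    # Decide at the end so that cloned_interfaces may appear anywhere in the file.
    END {
        for (i = 1; i <= nv; i++) if (!(ifs[i] in have)) print vars[i]
    }' "$1"
}

# Constructed sample, modelled on the typo reported in the thread
# (addresses are from documentation ranges).
sample_rc_conf() {
    cat <<'EOF'
cloned_interfaces="lagg0 lagg140"
ifconfig_em0="up"
ifconfig_lagg0="laggproto lacp laggport em0"
ifconfig_lagg140="inet 192.0.2.1/24"
ifconfig_vlan140_aliases="inet6 2001:db8:140::/64 anycast"   # typo for lagg140
ifconfig_em0_ipv6="inet6 accept_rtadv"
EOF
}

# Run the check on the sample with em0 and lo0 as the existing interfaces.
demo() {
    tmp=$(mktemp) || return 1
    sample_rc_conf > "$tmp"
    rc_orphan_ifconfig "$tmp" "em0 lo0"
    rm -f "$tmp"
}

demo
```

On a live host the call would be rc_orphan_ifconfig /etc/rc.conf "$(ifconfig -l)"; an empty result means every ifconfig_* variable maps to a known interface.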
From owner-freebsd-net@freebsd.org Tue Jan 5 03:15:37 2021
Date: Tue, 5 Jan 2021 10:15:28 +0700
From: Victor Sudakov
To: Paul Mather
Cc: freebsd-questions@freebsd.org, freebsd-net@freebsd.org
Subject: Re: FreeBSD does not reply to IPv6 Neighbor Solicitations

Paul Mather wrote:

> >>>> Why could it be that a FreeBSD 12.2 host does not reply to ICMPv6
> >>>> Neighbor Solicitations from the router?

[dd]

> >
> > $ ifconfig re1
> > re1: flags=8843 metric 0 mtu 1500
> >         options=8209b
> >         ether c4:12:f5:33:c9:7c
> >         inet 192.168.170.5/24 broadcast 192.168.170.255
> >         inet6 fe80::c612:f5ff:fe33:c97c%re1/64 scopeid 0x2
> >         inet6 2001:470:ecba:3::5/64
> >         media: Ethernet autoselect (1000baseT )
> >         status: active
> >         nd6 options=21
>
>
> I notice your nd6 options do not include ACCEPT_RTADV. Perhaps this
> is a reason why your interface is ignoring routing messages?

Well, Neighbor Solicitations (ICMPv6 type 135) and Neighbor Advertisements
(ICMPv6 type 136) are not exactly routing messages, they are the
equivalent of the ARP protocol in IPv6, and AFAIK should work between any
two IPv6 nodes to map L3 addresses to L2 addresses, even if there are no
routers on the segment. Correct me if I'm wrong.

You may be right but then it is certainly a bug. Unfortunately I cannot
reproduce the problem with any reliability, this thing works more often
than not.

> My interface ifconfig shows "nd6
> options=23"
>
> I also use a statically-defined[*] IPv6 address, but include "accept_rtadv" in the interface definition in /etc/rc.conf. Furthermore, I also set rtsold_enable="YES" to send router solicitation messages on the interface.

This would add one or two autoconfigured global IPv6 addresses to your
interface. There is no harm in that, I agree, but it's important to
understand if this is a bug and can be reproduced and reported.

>
> [*] As well as a static IPv6 address I also enable SLAAC to get autoconfigured and privacy addresses on the interface.
>

I see your point, this makes sense, but I would like to try and isolate
the problem.
--=20 Victor Sudakov, VAS4-RIPE, VAS47-RIPN 2:5005/49@fidonet http://vas.tomsk.ru/ --G4iJoqBmSsgzjUCe Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQEcBAEBAgAGBQJf89nQAAoJEA2k8lmbXsY0MTIH/2ACBGPPGbBx5Dq2wlx1Bm/c dfo6Q5wWLgpEACDQXaItuF83KQOJgfcK3kUQe2saQzgqj/AbF0WGfuCSDLGOHbjz llssRPz6WKwmLTw1a1UC+Idr3V4dqHxMTSE/tYVVPm0Cm4naf1SyYWlwhpyM1zxf J41o8aUCVoqmagXUBodBfYyrX87C7kbButDR9fheYBBPQmEld+NHfdQZ2RoxPbV6 uMPdvUm/1xUhsztcjiykHsHEc7ASkZBOc3sI4k389KEKdb2Itm24XFwA6f2LxLys 6uWKvmURxx7iQtxa4PI56hB6CdgCRTDYJdi4u1OwNyv+F+yV9Te9kJt+pNXrOIU= =sa6T -----END PGP SIGNATURE----- --G4iJoqBmSsgzjUCe-- From owner-freebsd-net@freebsd.org Tue Jan 5 03:20:51 2021 Return-Path: Delivered-To: freebsd-net@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id ACC954D68F5 for ; Tue, 5 Jan 2021 03:20:51 +0000 (UTC) (envelope-from vas@sibptus.ru) Received: from admin.sibptus.ru (admin.sibptus.ru [IPv6:2001:19f0:5001:21dc::10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4D8ySM1zWFz4t4H for ; Tue, 5 Jan 2021 03:20:50 +0000 (UTC) (envelope-from vas@sibptus.ru) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sibptus.ru; s=20181118; h=In-Reply-To:Message-ID:Subject:To:From:Date; bh=WhyKdv7UsBbAYVP7uVCqxRMN3Ut6RQ9BPIsrHS8sw2Y=; b=KeG0xP0fs6k6R9FM9QQRGcSqNU iubOB1mU8nJ3zr+F96a+MAbSLcuDAKhgatnfYSxiu/5yYZog2pBMJNdo1A+nBsrks3VRP+n8RHlGj qQU1UcnNAOM+crdnmxeBvMfqPYmQO7EIg6bMQ5sm1AWqUD6EUqnB3efGCeqFvFPZjyHM=; Received: from vas by admin.sibptus.ru with local (Exim 4.94 (FreeBSD)) (envelope-from ) id 1kwctt-000OQ4-Vx for freebsd-net@freebsd.org; Tue, 05 Jan 2021 10:20:50 +0700 Date: Tue, 5 Jan 2021 10:20:49 +0700 From: Victor Sudakov To: freebsd-net@freebsd.org Subject: Re: FreeBSD does not reply to IPv6 Neighbor Solicitations 
Message-ID: <20210105032049.GB91534@admin.sibptus.ru>
References: <006901d6e2a4$4d9d80d0$e8d88270$@donnerhacke.de>
In-Reply-To: <006901d6e2a4$4d9d80d0$e8d88270$@donnerhacke.de>

Lutz Donnerhacke wrote:
> > Victor Sudakov wrote:
> > > Dear Colleagues,
> > >
> > > Why could it be that a FreeBSD 12.2 host does not reply to ICMPv6
> > > Neighbor Solicitations from the router?
> >
> > Any ideas please?
>
> Thank you for pointing this out.
> I do have a similar effect, after upgrading, and you point me to a good
> direction.
> I'll investigate and report back.

Problem is, I cannot reproduce it reliably. Sometimes everything "just works."
Maybe the absence of traffic causes this, I really don't know.

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/

From owner-freebsd-net@freebsd.org Tue Jan 5 07:02:50 2021
From: Vasily Postnicov
Date: Tue, 5 Jan 2021 10:02:37 +0300
Subject: DNS using Name Service Switch module and Casper
To: freebsd-net@freebsd.org

Hello. I wrote a simple daemon called ZeroDNS which provides functionality
similar to multicast DNS, namely it discovers other participating machines
over the LAN and stores their hostname and IPv4 address pairs.

Here is a NSS module which allows the system to use information from that
daemon:
https://github.com/shamazmazum/nss-zero-dns

You need to modify /etc/nsswitch.conf, changing the line 'hosts: files dns'
to 'hosts: files dns zerodns'.

It all works on FreeBSD 12.2-RELEASE, but sometimes not on 13.0-CURRENT.
For example, ping(8) just blocks when trying to ping a host whose name is
resolvable with ZeroDNS. Turns out that programs built with casper support
(like ping(8) and some others) stop working with my NSS module (they just
block trying to resolve the name).

Is there some kind of manual on how to write casper-compatible NSS modules?

From owner-freebsd-net@freebsd.org Tue Jan 5 08:20:17 2021
From: "Lutz Donnerhacke"
References: <20210105031528.GA91534@admin.sibptus.ru>
In-Reply-To: <20210105031528.GA91534@admin.sibptus.ru>
Subject: AW: FreeBSD does not reply to IPv6 Neighbor Solicitations
Date: Tue, 5 Jan 2021 09:20:12 +0100
Message-ID: <00a101d6e33b$96edf0c0$c4c9d240$@donnerhacke.de>

Victor Sudakov wrote:
> Paul Mather wrote:
> > >>>> Why could it be that a FreeBSD 12.2 host does not reply to ICMPv6
> > >>>> Neighbor Solicitations from the router?
>
> Well, Neighbor Solicitations (ICMPv6 type 135) and Neighbor
> Advertisements (ICMPv6 type 136) are not exactly routing messages, they
> are the equivalent of the ARP protocol in IPv6, and AFAIK should work
> between any two IPv6 nodes to map L3 addresses to L2 addresses, even if
> there are no routers on the segment. Correct me if I'm wrong.

Correct.

> You may be right but then it is certainly a bug. Unfortunately I cannot
> reproduce the problem with any reliability, this thing works more often
> than not.

May you be able to capture the icmp6 traffic of this interface with respect
to ND? I'm really interested in seeing, that the box does not respond to a
given NS query.

There are various reasons, why this may happen, i.e. sender IP in the NS is
out of prefix of the target IP.
This may happen, if multiple prefixes are
added to the interface. Some devices (like Cisco ASA) are very picky on
matching source/target IPs. So it might be possible, that the problem is not
the FreeBSD box, but the querying device (Mikrotik?)

> > My interface ifconfig shows "nd6
> > options=23"
[...]
> > [*] As well as a static IPv6 address I also enable SLAAC to get
> > autoconfigured and privacy addresses on the interface.
>
> I see your point, this makes sense, but I would like to try and isolate
> the problem.

There is no problem with neighbour discovery without the ACCEPT_RTADV
option. It simply works.

# uname -a
FreeBSD ... 12.2-STABLE FreeBSD 12.2-STABLE r368820 ENCOLINE-NAT amd64
# ifconfig vlan1111
vlan1111: flags=8843 metric 0 mtu 1500
        options=600003
        ether 48:df:37:3c:d3:50
        inet6 fe80::4adf:37ff:fe3c:d350%vlan1111 prefixlen 64 scopeid 0x1e
        inet6 2a01:75c0:1000:1111:5:102:160:146 prefixlen 64
        inet 5.102.160.146 netmask 0xfffffff0 broadcast 5.102.160.159
        groups: vlan
        vlan: 1111 vlanpcp: 0 parent interface: ixl0
        media: Ethernet autoselect (10Gbase-SR )
        status: active
        nd6 options=21
# tcpdump -ni vlan1111 icmp6 | fgrep neighbor
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan1111, link-type EN10MB (Ethernet), capture size 262144 bytes
09:06:17.823698 IP6 fe80::50:1111 > 2a01:75c0:1000:1111:5:102:160:146: ICMP6, neighbor solicitation, who has 2a01:75c0:1000:1111:5:102:160:146, length 32
09:06:17.823708 IP6 fe80::4adf:37ff:fe3c:d350 > fe80::50:1111: ICMP6, neighbor advertisement, tgt is 2a01:75c0:1000:1111:5:102:160:146, length 24
09:06:22.782809 IP6 fe80::4adf:37ff:fe3c:d350 > fe80::50:1111: ICMP6, neighbor solicitation, who has fe80::50:1111, length 32
09:06:22.787620 IP6 fe80::50:1111 > fe80::4adf:37ff:fe3c:d350: ICMP6, neighbor advertisement, tgt is fe80::50:1111, length 24
^C271 packets captured
5149447 packets received by filter
0 packets dropped by kernel

So it works in both directions.
Please note, that the first NS query is coming from a link-local address and
requesting a global IP. This will not always be answered by any device out
there (especially if the roles are reversed)

From owner-freebsd-net@freebsd.org Tue Jan 5 09:39:30 2021
Subject: Re: 'dropped due to full socket buffers' by SNMP
To: freebsd-net@freebsd.org
References: <388da9a7-7b89-89b2-54eb-17d0e818c924@otcnet.ru>
 <4e41c1d2-19bc-0345-0b03-526e4cb785c7@otcnet.ru>
 <6c780827-e764-8053-356b-a921e0892c15@grosbein.net>
 <7e51a6be-aea1-51c6-c0bd-10d00c19d5d3@grosbein.net>
From: Victor Gamov
Message-ID: <888c8e91-c8f2-ad4b-9fcf-64c09432f2d5@otcnet.ru>
Date: Tue, 5 Jan 2021 12:39:03 +0300
In-Reply-To: <7e51a6be-aea1-51c6-c0bd-10d00c19d5d3@grosbein.net>

Hi Eugene!

Thanks for your responses. And Happy New Year for everyone!

On 01.01.2021 03:19, Eugene Grosbein wrote:
> 30.12.2020 23:08, Victor Gamov wrote:
>
>> As I understand hw.ix.flow_control=3 to allow flow-control for negotiation.
>> Real PAUSE setting will be set during negotiation.
>
> At the moment of congestion.

As I understand PAUSE feature negotiated during auto-negotiation process.
If flow-control disabled on one side (switch for example) then other
side (host) will not use this feature too. Is it right?

>> So where I can find active flow-control setting for host interface?
>
> Can't check for ix just now, but for em(4) there is sysctl dev.em.0.fc.
> It should be similar for ix.

I have
hw.ix.flow_control=3 (what does it mean?)
and
dev.ix.0.fc=3 (and what does it mean?)

>>> maybe increase kern.ipc.maxsockbuf and then net.inet.udp.recvspace.
>> Eugene, at first message you suppose Host-A (sender) "outgoing link for that UDP packets is congested"
>> because this host shows non-zero "dropped due to full socket buffers".
>> So is net.inet.udp.recvspace increasing on Host-B (mainly receiver) will be affected for this congestion?
>
> Can't tell in details without going deep into your setup :-)
> You can try it yourself and verify quickly.
>
>> Or I need to try to increase both kern.ipc.maxsockbuf and net.inet.udp.recvspace on both hosts?
>
> Tune one that drops UDP.
>
>> Also how I can check current sockbuf usage?
>
> netstat -xn

Unfortunately it never shows counters about UDP multicast traffic.

I'll increase kern.ipc.maxsockbuf and net.inet.udp.recvspace at next week
and write about results.

Back to my original question: is it possible to monitor
`netstat -n -p udp -f inet -s` counters by SNMP?

-- 
CU,
Victor Gamov

From owner-freebsd-net@freebsd.org Tue Jan 5 10:46:53 2021
Date: Tue, 5 Jan 2021 17:46:50 +0700
From: Victor Sudakov
To: freebsd-net@freebsd.org
Cc: Lutz Donnerhacke
Subject: Re:
 FreeBSD does not reply to IPv6 Neighbor Solicitations
Message-ID: <20210105104650.GA7688@admin.sibptus.ru>
References: <20210105031528.GA91534@admin.sibptus.ru>
 <00a101d6e33b$96edf0c0$c4c9d240$@donnerhacke.de>
In-Reply-To: <00a101d6e33b$96edf0c0$c4c9d240$@donnerhacke.de>

Lutz Donnerhacke wrote:
> Victor Sudakov wrote:
> > Paul Mather wrote:
> > > >>>> Why could it be that a FreeBSD 12.2 host does not reply to ICMPv6
> > > >>>> Neighbor Solicitations from the router?
> >
> > Well, Neighbor Solicitations (ICMPv6 type 135) and Neighbor
> > Advertisements (ICMPv6 type 136) are not exactly routing messages, they
> > are the equivalent of the ARP protocol in IPv6, and AFAIK should work
> > between any two IPv6 nodes to map L3 addresses to L2 addresses, even if
> > there are no routers on the segment. Correct me if I'm wrong.
>
> Correct.
>
> > You may be right but then it is certainly a bug. Unfortunately I cannot
> > reproduce the problem with any reliability, this thing works more often
> > than not.
>
> May you be able to capture the icmp6 traffic of this interface with respect
> to ND? I'm really interested in seeing, that the box does not respond to a
> given NS query.

Here you are http://admin.sibptus.ru/~vas/nd1.pcapng

>
> There are various reasons, why this may happen, i.e. sender IP in the NS is
> out of prefix of the target IP. This may happen, if multiple prefixes are
> added to the interface. Some devices (like Cisco ASA) are very picky on
> matching source/target IPs. So it might be possible, that the problem is not
> the FreeBSD box, but the querying device (Mikrotik?)

Maybe. The Mikrotik sends neighbor solicitations from a link-local address,
as you can see in the packet dump above. Is this correct behavior?

>
> There is no problem with neighbour discovery without the ACCEPT_RTADV
> option. It simply works.

I thought as much.

> So it works in both directions.
> Please note, that the first NS query is coming from a link-local address and
> requesting a global IP.
> This will not always be answered by any device out
> there (especially if the roles are reversed)

Hmm, this is an interesting observation, please see the packet dump above,
what do you say? And what do standards say, what should be the source
address of a neighbor solicitation when the target address is a global
address?

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/

From owner-freebsd-net@freebsd.org Tue Jan 5 11:58:27 2021
From: "Lutz Donnerhacke"
References: <20210105031528.GA91534@admin.sibptus.ru>
 <00a101d6e33b$96edf0c0$c4c9d240$@donnerhacke.de>
 <20210105104650.GA7688@admin.sibptus.ru>
In-Reply-To: <20210105104650.GA7688@admin.sibptus.ru>
Subject: AW: FreeBSD does not reply to IPv6 Neighbor Solicitations
Date: Tue, 5 Jan 2021 12:58:23 +0100
Message-ID: <00b601d6e35a$115a4a20$340ede60$@donnerhacke.de>

> > May you be able to capture the icmp6 traffic of this interface with
> > respect to ND? I'm really interested in seeing, that the box does
> > not respond to a given NS query.
>
> Here you are http://admin.sibptus.ru/~vas/nd1.pcapng

The device, where the capture was taken does not respond to the NS packet.
This might be caused by:
 a) the device has a different configured IP address, than requested
 b) the network card does not listen to the multicast group, which is
    used by the request (you see it only due to the promisc mode of the
    capture). But this is unlikely (due to the promisc mode)
 c) your system is broken

From owner-freebsd-net@freebsd.org Tue Jan 5 14:43:18 2021
Date: Tue, 5 Jan 2021 09:43:14 -0500
From: Mark Johnston
To: Vasily Postnicov
Cc: freebsd-net@freebsd.org
Subject: Re: DNS using Name Service Switch module and Casper

On Tue, Jan 05, 2021 at 10:02:37AM +0300, Vasily Postnicov wrote:
> Hello. I wrote a simple daemon called ZeroDNS which provides functionality
> similar to multicast DNS, namely it discovers other participating machines
> over the LAN and stores their hostname and IPv4 address pairs.
>
> Here is a NSS module which allows the system to use information from that
> daemon:
> https://github.com/shamazmazum/nss-zero-dns
>
> You need to modify /etc/nsswitch.conf, changing the line 'hosts: files dns'
> to 'hosts: files dns zerodns'.
>
> It all works on FreeBSD 12.2-RELEASE, but sometimes not on 13.0-CURRENT.
> For example, ping(8) just blocks when trying to ping a host whose name is
> resolvable with ZeroDNS. Turns out that programs built with casper support
> (like ping(8) and some others) stop working with my NSS module (they just
> block trying to resolve the name).

Presumably it's the casper process (i.e., cap_dns) that uses your
module? If the main ping process is blocked trying to resolve a name,
it's waiting for the cap_dns process - where exactly is it getting
stuck?

> Is there some kind of manual on how to write casper-compatible NSS modules?

From owner-freebsd-net@freebsd.org Tue Jan 5 14:49:21 2021
Date: Tue, 5 Jan 2021 21:49:18 +0700
From: Victor Sudakov
To: Lutz Donnerhacke
Cc: freebsd-net@freebsd.org
Subject: Re: FreeBSD does not reply to IPv6 Neighbor Solicitations

Lutz Donnerhacke wrote:
> > > May you be able to capture the icmp6 traffic of this interface with
> > > respect to ND? I'm really interested in seeing, that the box does
> > > not respond to a given NS query.
> >
> > Here you are http://admin.sibptus.ru/~vas/nd1.pcapng
>
> The device, where the capture was taken does not respond to the NS packet.

So your interpretation agrees with mine, that's great.

> This might be caused by:
> a) the device has a different configured IP address, than requested

I have already published the output of `ifconfig re1`, here it is again,
do you think anything important is missing? This is the very interface
where the capture was taken:

$ ifconfig re1
re1: flags=8843 metric 0 mtu 1500
        options=8209b
        ether c4:12:f5:33:c9:7c
        inet 192.168.170.5/24 broadcast 192.168.170.255
        inet6 fe80::c612:f5ff:fe33:c97c%re1/64 scopeid 0x2
        inet6 2001:470:ecba:3::5/64
        media: Ethernet autoselect (1000baseT )
        status: active
        nd6 options=21
$

> b) the network card does not listen to the multicast group, which is
> used by the request

Why could that be? Hardware problem or software/FreeBSD glitch?

> (you see it only due to the promisc mode of the
> capture). But this is unlikely (due to the promisc mode)
> c) your system is broken

Very likely. That's why I'm here looking for advice and enlightenment.

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/

From owner-freebsd-net@freebsd.org Tue Jan 5 16:46:51 2021
From: "Lutz Donnerhacke"
Subject: AW: FreeBSD does not reply to IPv6 Neighbor SolicitationsNUD
Date: Tue, 5 Jan 2021 17:46:48 +0100

> $ ifconfig re1
> re1: flags=8843 metric 0 mtu 1500
>         options=8209b
>         ether c4:12:f5:33:c9:7c
>         inet 192.168.170.5/24 broadcast 192.168.170.255
>         inet6 fe80::c612:f5ff:fe33:c97c%re1/64 scopeid 0x2
>         inet6 2001:470:ecba:3::5/64
>         media: Ethernet autoselect (1000baseT )
>         status: active
>         nd6 options=21

There is another possibility: The address could be in a tentative or duplicate state.
In such a state the device SHOULD/MUST NOT respond to solicitation messages.

This can be caused by a "proxy arp/nd" device, which responds to an address in
the local neighbour cache with its own solicitation message. It might be even a loop.
We had such cases in the past, so that the device does not activate the IPv6
address without disabling the NUD (was a Windows server).
For fixed addresses it should be safe to disable the flag.

But this state should be reported by ifconfig.

So, did you try the latest stable?

From owner-freebsd-net@freebsd.org Wed Jan 6 03:19:18 2021
Date: Wed, 6 Jan 2021 10:19:09 +0700
From: Victor Sudakov
To: freebsd-net@freebsd.org
Subject: Re: FreeBSD does not reply to IPv6 Neighbor SolicitationsNUD

Lutz Donnerhacke wrote:
> > $ ifconfig re1
> > re1: flags=8843 metric 0 mtu 1500
> >         options=8209b
> >         ether c4:12:f5:33:c9:7c
> >         inet 192.168.170.5/24 broadcast 192.168.170.255
> >         inet6 fe80::c612:f5ff:fe33:c97c%re1/64 scopeid 0x2
> >         inet6 2001:470:ecba:3::5/64
> >         media: Ethernet autoselect (1000baseT )
> >         status: active
> >         nd6 options=21
>
> There is another possibility: The address could be in a tentative or
> duplicate state.
> In such a state the device SHOULD/MUST NOT respond to solicitation messages.
>
> This can be caused by a "proxy arp/nd" device, which responds to an address in
> the local neighbour cache with its own solicitation message. It might be even a loop.
> We had such cases in the past, so that the device does not activate the IPv6
> address without disabling the NUD (was a Windows server). For fixed addresses it
> should be safe to disable the flag.
>
> But this state should be reported by ifconfig.

I expect it should.

> So, did you try the latest stable?

Not yet.

When the situation occurs again, I'll turn on
net.inet6.icmp6.nd6_debug=0xff as Bjoern A. Zeeb has suggested, maybe
I'll see something useful. Then I'll think of updating the system.

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/

From owner-freebsd-net@freebsd.org Wed Jan 6 16:08:27 2021
From: Vasily Postnicov
Date: Wed, 6 Jan 2021 19:08:14 +0300
Subject: Re: DNS using Name Service Switch module and Casper
To: Mark Johnston
Cc: freebsd-net@freebsd.org

That's what I found.

At first, ping calls cap_init() in capdns_setup(). cap_init() forks a
process, then the parent returns and the child calls casper_main_loop().
The child and the parent both have a socket to communicate.
casper_main_loop() calls zygote_init() and that one blocks on fork(). I do
not know how it could be. How can fork() block?

The parent process later calls cap_service_open() and that function calls
cap_xfer_nvlist(). Because the child process is stuck somewhere in
zygote_init() it never sends an nvlist back. So ping blocks.

All this is figured out by inserting printf()'s. LLDB refuses to run ping
with 'error: Child exec failed'.

From owner-freebsd-net@freebsd.org Fri Jan 8 15:45:45 2021
Date: Fri, 8 Jan 2021 10:45:41 -0500
From: Mark Johnston
To: Vasily Postnicov
Cc: freebsd-net@freebsd.org
Subject: Re: DNS using Name Service Switch module and Casper

On Wed, Jan 06, 2021 at 07:08:14PM +0300, Vasily Postnicov wrote:
> That's what I found.
>
> At first, ping calls cap_init() in capdns_setup(). cap_init() forks a
> process, then the parent returns and the child calls casper_main_loop().
> The child and the parent both have a socket to communicate.
> casper_main_loop() calls zygote_init() and that one blocks on fork(). I do
> not know how it could be. How can fork() block?

Does your module somehow use pthread_atfork()?

> The parent process later calls cap_service_open() and that function calls
> cap_xfer_nvlist(). Because the child process is stuck somewhere in
> zygote_init() it never sends an nvlist back. So ping blocks.

Can you show output from "procstat -kk " when this hang occurs?

> All this is figured out by inserting printf()'s. LLDB refuses to run ping
> with 'error: Child exec failed'.

Presumably it needs to be run as root since ping(8) is a setuid
executable.

From owner-freebsd-net@freebsd.org Fri Jan 8 17:17:39 2021
From: Vasily Postnicov
Date: Fri, 8 Jan 2021 20:17:25 +0300
Subject: Re: DNS using Name Service Switch module and Casper
To: Mark Johnston
Cc: freebsd-net@freebsd.org

I have noticed that after I kill stuck ping, the process spawned with
cap_init() remains. I cannot even kill it with SIGKILL. This is the
output of procstat on such a process.

vasily   969  0.0  0.1 26428 6532 v0  I    22:43   0:00.00 ping vonbraun.local
vasily   983  0.0  0.1 26428 6532 v0  I    22:43   0:00.00 ping resurrected.local
vasily  1024  0.0  0.1 26428 6532 v0  I    22:49   0:00.00 ping resurrected.local
vasily  1028  0.0  0.1 26428 6532 v0  I    22:49   0:00.00 ping resurrected.local
root    1089  0.0  0.0 12976 2512 v1  S+   22:58   0:00.01 grep ping

  PID    TID COMM TDNAME KSTACK
 1028 100579 ping -      mi_switch+0x155 sleepq_switch+0x109 sleepq_catch_signals+0x266 sleepq_wait_sig+0x9 _sleep+0x2aa umtxq_sleep+0x19e do_lock_umutex+0x744 __umtx_op_wait_umutex+0x49 sys__umtx_op+0x7a amd64_syscall+0x12e fast_syscall_common+0xf8

I checked ZeroMQ on which my NSS module is based. It does not use
pthread_atfork(), but uses lots of other unusual pthread functions, like
pthread_setaffinity_np() or pthread_setschedparam(). Do not know if it
matters.

Also I do not quite understand when the code in my module is executed.
It should be executed after the capsicumized sandbox is created, should
it not? And I got hang in the process of creating the sandbox. So I do
not understand how my code affects this process :)
cap_init() forks a > > process, then the parent returns and the child calls casper_main_loop()= . > > The child and the parent both have a socket to communicate. > > casper_main_loop() calls zygote_init() and that one blocks on fork(). I= do > > not know how it could be. How can fork() block? > > Does you module somehow use pthread_atfork()? > > > The parent process later calls cap_service_open() and that function cal= ls > > cap_xfer_nvlist(). Because the child process is stuck somewhere in > > zygote_init() it never sends an nvlist back. So ping blocks. > > Can you show output from "procstat -kk " when this hang occurs? > > > All this is figured out by inserting printf()'s. LLDB refuses to run pi= ng > > with 'error: Child exec failed'. > > Presumably it needs to be run as root since ping(8) is a setuid > executable. > > > =D0=B2=D1=82, 5 =D1=8F=D0=BD=D0=B2. 2021 =D0=B3. =D0=B2 17:43, Mark Joh= nston : > > > > > On Tue, Jan 05, 2021 at 10:02:37AM +0300, Vasily Postnicov wrote: > > > > Hello. I wrote a simple daemon called ZeroDNS which provides > > > functionality > > > > similar to multicast DNS, namely it discovers other participating > > > machines > > > > over the LAN and stores their hostname and IPv4 address pairs. > > > > > > > > Here is a NSS module which allows the system to use information fro= m that > > > > daemon: > > > > https://github.com/shamazmazum/nss-zero-dns > > > > > > > > You need to modify /etc/nsswitch.conf, changing the line 'hosts: fi= les > > > dns' > > > > to 'hosts: files dns zerodns'. > > > > > > > > It all works on FreeBSD 12.2-RELEASE, but sometimes not on 13.0-CUR= RENT. > > > > For example, ping(8) just blocks when trying to ping a host whose n= ame is > > > > resolvable with ZeroDNS. Turns out that programs built with casper > > > support > > > > (like ping(8) and some others) stop working with my NSS module (the= y just > > > > block trying to resolve the name). 
> > > > > > Presumably it's the casper process (i.e., cap_dns) that uses your > > > module? If the main ping process is blocked trying to resolve a name= , > > > it's waiting for the cap_dns process - where exactly is it getting > > > stuck? > > > > > > > Is there some kind of manual on how to write casper-compatible NSS > > > modules? > > > From owner-freebsd-net@freebsd.org Fri Jan 8 17:58:36 2021 Return-Path: Delivered-To: freebsd-net@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 1AFA84D150A for ; Fri, 8 Jan 2021 17:58:36 +0000 (UTC) (envelope-from shamaz.mazum@gmail.com) Received: from mail-oi1-x22f.google.com (mail-oi1-x22f.google.com [IPv6:2607:f8b0:4864:20::22f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4DC9nl31qVz4kdx; Fri, 8 Jan 2021 17:58:35 +0000 (UTC) (envelope-from shamaz.mazum@gmail.com) Received: by mail-oi1-x22f.google.com with SMTP id q205so12195947oig.13; Fri, 08 Jan 2021 09:58:35 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=twbiF7iw+NszQGx/EsvRdo+QIW475NjEuUohx/QD1iU=; b=TEjkY3IdSK0xrPrJ4q4lvgAiKZgIxxL0h15ju1/vBsDkhicc5ivHJr5/CTz2qPg9Iu ubl9PqtkVqQF1YxxmL9BHkya9XXqVtIyBDUw2DK0yeS1T5qZxV6X2v0Ksx+hOsmNDTru JL/umUEhk6hYKOdNp6n9HCV4e4B7XciXCL0dQBxiLmbc5kyZO6Sz/A3foV4AUqOCnnwe Lv7rhPqsaJx6q8eJihpjNHeL5ZJVVs8cWYcvnaFNXzh5Xp05/sdadjBZjP735XwNQIul JJwHRRF4wtqF6bG5LtRHNzrm/7hBbo+ZJWx7FwfmTCkLXcnLMzQMPLTgiwk1o7y7W4+T KyVg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; 
From: Vasily Postnicov
Date: Fri, 8 Jan 2021 20:58:22 +0300
Subject: Re: DNS using Name Service Switch module and Casper
To: Mark Johnston
Cc: freebsd-net@freebsd.org

Never mind my last question. ZeroMQ is written in C++. Here is shown how
you can execute everything with almost empty main.

https://stackoverflow.com/questions/38717534/how-do-i-start-a-c-thread-at-program-startup

For C the only way is to use __attribute__((constructor)) AFAIK

Date: Fri, 8 Jan 2021 21:32:15 +0200
From: Konstantin Belousov
To: Vasily Postnicov
Cc: Mark Johnston, freebsd-net@freebsd.org
Subject: Re: DNS using Name Service Switch module and Casper

On Fri, Jan 08, 2021 at 08:17:25PM +0300, Vasily Postnicov wrote:
> I have noticed that after I kill stuck ping, the process spawned with
> cap_init() remains. I cannot even kill it with SIGKILL. This is the
> output of procstat on such a process.
>
> vasily   969   0.0  0.1 26428  6532 v0  I    22:43   0:00.00 ping vonbraun.local
> vasily   983   0.0  0.1 26428  6532 v0  I    22:43   0:00.00 ping resurrected.local
> vasily  1024   0.0  0.1 26428  6532 v0  I    22:49   0:00.00 ping resurrected.local
> vasily  1028   0.0  0.1 26428  6532 v0  I    22:49   0:00.00 ping resurrected.local
> root    1089   0.0  0.0 12976  2512 v1  S+   22:58   0:00.01 grep ping
>   PID    TID COMM                TDNAME              KSTACK
>  1028 100579 ping                -                   mi_switch+0x155 sleepq_switch+0x109 sleepq_catch_signals+0x266 sleepq_wait_sig+0x9 _sleep+0x2aa umtxq_sleep+0x19e do_lock_umutex+0x744 __umtx_op_wait_umutex+0x49 sys__umtx_op+0x7a amd64_syscall+0x12e fast_syscall_common+0xf8

This is strange, I sprinkled enough checks for stops and kills into
kern_umtx:do_lock_*(), I believe. Also, if there is kill pending,
sleepq_catch_signal() should not remove the thread from runq.

I would expect that there is such bug if this thread went into loop
with 100% CPU usage, but by your report it sleeps.

Could it be that you need to kill ping from root?

If killing from root does not help:
What is the kernel version?
Can you provide minimal standalone binary that reproduces this situation?
I do not even need sources, binary alone which does not use any libraries
not from base, is enough.

From: Vasily Postnicov
Date: Sat, 9 Jan 2021 16:16:49 +0300
Subject: Re: DNS using Name Service Switch module and Casper
To: Mark Johnston
Cc: freebsd-net@freebsd.org

Turns out, if you do not specify either -4 or -6 to ping, unsandboxed
getaddrinfo() will be called in /usr/src/sbin/ping/main.c, line 139.
(what's the point in sandboxing then, lol?) This somehow affects
sandboxing.

Look at the screenshot, it explains where fork() gets stuck.
https://photos.app.goo.gl/T1B3Fo1hg6z7r3vZ6

Oh yes, my module works if you specify -4 to ping command.

Date: Sat, 9 Jan 2021 11:45:58 -0500
From: Mark Johnston
To: Vasily Postnicov
Cc: freebsd-net@freebsd.org
Subject: Re: DNS using Name Service Switch module and Casper

On Sat, Jan 09, 2021 at 04:16:49PM +0300, Vasily Postnicov wrote:
> Turns out, if you do not specify either -4 or -6 to ping, unsandboxed
> getaddrinfo() will be called in /usr/src/sbin/ping/main.c, line 139.
> (what's the point in sandboxing then, lol?) This somehow affects
> sandboxing.

Indeed, that seems to be an issue with the recent merge of ping and
ping6.

I guess the initial call to getaddrinfo() causes nsswitch.conf to be
parsed and your module is loaded before we fork(). The module is linked
with libthr but obviously ping itself is not. I'm sure this kind of
configuration worked at some point, there might have been a regression.

If you can provide a stub NSS module that links libthr and demonstrates
the issue, it would be useful.

> Look at the screenshot, it explains where fork() gets stuck.
> https://photos.app.goo.gl/T1B3Fo1hg6z7r3vZ6

And there are no other threads in the process?

From: Vasily Postnicov
Date: Sat, 9 Jan 2021 20:25:46 +0300
Subject: Re: DNS using Name Service Switch module and Casper
To: Mark Johnston
Cc: freebsd-net@freebsd.org

Brilliant! It took me almost a day to dive into ZeroMQ to reassure
myself that there is nothing wrong with it. When I tried to write
minimal test programs which call fork after pthread_create() in all
combinations. When I realized that NSS stub module is what I need.

Instructions:

1) Compile NSS stub module: cc -shared -fPIC -pthread -o nss_zerodns.so.1 test.c
   (Note '.1' at the end).
2) Copy nss_zerodns.so.1 to /usr/local/lib
3) Apply the patch src_sbin_ping_main.c to ping source code. With this
   patch ping will not quit too early when the initial call to
   getaddrinfo() fails.
4) Add stub module to /etc/nsswitch.conf: edit 'hosts' line to be
   'hosts: files dns zerodns'
5) Ping non-existent host, like 'ping foo.bar'
6) Ping will hang. The child process which it creates cannot be killed
   even with killall -9 ping

From: Vasily Postnicov
Date: Sat, 9 Jan 2021 20:27:57 +0300
Subject: Re: DNS using Name Service Switch module and Casper
To: Mark Johnston
Cc: freebsd-net@freebsd.org

Oh, I almost forgot. I am on f2b794e now

Sat, 9 Jan 2021 at 20:25, Vasily Postnicov:
>
> Brilliant! It took me almost a day to dive into ZeroMQ to reassure
> myself that there is nothing wrong with it. When I tried to write
> minimal test programs which call fork after pthread_create() in all
> combinations. When I realized that NSS stub module is what I need.
>
> Instructions:
>
> 1) Compile NSS stub module: cc -shared -fPIC -pthread -o
> nss_zerodns.so.1 test.c (Note '.1' at the end).
> 2) Copy nss_zerodns.so.1 to /usr/local/lib
> 3) Apply the patch src_sbin_ping_main.c to ping source code. With this
> patch ping will not quit too early when the initial call to
> getaddrinfo() fails.
> 4) Add stub module to /etc/nsswitch.conf: edit 'hosts' line to be
> 'hosts: files dns zerodns'
> 5) Ping non-existent host, like 'ping foo.bar'
> 6) Ping will hang. The child process which it creates cannot be killed
> even with killall -9 ping
>
> Sat, 9 Jan 2021 at 19:46, Mark Johnston:
> >
> > On Sat, Jan 09, 2021 at 04:16:49PM +0300, Vasily Postnicov wrote:
> > > Turns out, if you do not specify either -4 or -6 to ping, unsandboxed
> > > getaddrinfo() will be called in /usr/src/sbin/ping/main.c, line 139.
> > > (what's the point in sandboxing then, lol?) This somehow affects
> > > sandboxing.
> >
> > Indeed, that seems to be an issue with the recent merge of ping and
> > ping6.
> >
> > I guess the initial call to getaddrinfo() causes nsswitch.conf to be
> > parsed and your module is loaded before we fork(). The module is linked
> > with libthr but obviously ping itself is not. I'm sure this kind of
> > configuration worked at some point, there might have been a regression.
> >
> > If you can provide a stub NSS module that links libthr and demonstrates
> > the issue, it would be useful.
> >
> > > Look at the screenshot, it explains where fork() gets stuck.
> > > https://photos.app.goo.gl/T1B3Fo1hg6z7r3vZ6
> >
> > And there are no other threads in the process?
From owner-freebsd-net@freebsd.org Sat Jan 9 18:47:53 2021
Date: Sat, 9 Jan 2021 20:47:38 +0200
From: Konstantin Belousov
To: Vasily Postnicov
Cc: Mark Johnston, freebsd-net@freebsd.org
Subject: Re: DNS using Name Service Switch module and Casper

On Sat, Jan 09, 2021 at 08:25:46PM +0300, Vasily Postnicov wrote:
> Brilliant! It took me almost a day to dive into ZeroMQ to reassure
> myself that there is nothing wrong with it. When I tried to write
> minimal test programs which call fork after pthread_create() in all
> combinations. When I realized that NSS stub module is what I need.
>
> Instructions:
>
> 1) Compile NSS stub module: cc -shared -fPIC -pthread -o
> nss_zerodns.so.1 test.c (Note '.1' at the end).
> 2) Copy nss_zerodns.so.1 to /usr/local/lib
> 3) Apply the patch src_sbin_ping_main.c to ping source code. With this
> patch ping will not quit too early when the initial call to
> getaddrinfo() fails.
> 4) Add stub module to /etc/nsswitch.conf: edit 'hosts' line to be
> 'hosts: files dns zerodns'
> 5) Ping non-existent host, like 'ping foo.bar'
> 6) Ping will hang. The child process which it creates cannot be killed
> even with killall -9 ping

This is exactly what I do not want. Provide a standalone binary (or
binaries) that can be just run and demonstrate the issue. Without
editing nsswitch.conf or patching ping.
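
An added audit helper, not part of any message in this thread: Mark Johnston's reading above is that the first getaddrinfo() parses nsswitch.conf and loads whatever the 'hosts' line names into the calling process before it forks and sandboxes. This shell function lists the nss_<source>.so.1 modules a given database line would pull in; the built-in source list is an assumption taken from FreeBSD's nsswitch.conf(5), and the sample file (including its ldap source) is constructed.

```shell
#!/bin/sh
# Added example: which dynamically loaded NSS modules does a database
# line in nsswitch.conf bring into every process doing lookups for it?

# Assumption: sources implemented in the base system per FreeBSD's
# nsswitch.conf(5). Any other source name is loaded as nss_<source>.so.1
# (the '.1' suffix is the one noted in step 1 of the instructions).
NSS_BUILTIN="files db dns nis compat cache"

# nss_dynamic_modules CONF DATABASE -> one module file name per line
nss_dynamic_modules() {
    awk -v db="$2" -v known="$NSS_BUILTIN" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) skip[k[i]] = 1 }
        { sub(/#.*/, "") }                    # strip comments
        {
            colon = index($0, ":")
            if (colon == 0) next              # not a "database: sources" line
            name = substr($0, 1, colon - 1)
            gsub(/[ \t]/, "", name)
            if (name != db) next
            rest = substr($0, colon + 1)
            gsub(/\[[^]]*\]/, " ", rest)      # drop [STATUS=action] criteria
            n = split(rest, src)
            for (i = 1; i <= n; i++)
                if (!(src[i] in skip))
                    print "nss_" src[i] ".so.1"
        }
    ' "$1"
}

# Constructed sample: the 'hosts' line from step 4 plus unrelated lines.
sample_conf() {
    cat <<'EOF'
# constructed nsswitch.conf
group: compat
hosts: files dns zerodns   # line from step 4 of the instructions
passwd: cache files [NOTFOUND=return] ldap
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp"
nss_dynamic_modules "$tmp" hosts    # prints nss_zerodns.so.1
rm -f "$tmp"
```

Each name it prints is a shared object worth checking for its own library dependencies (for example with ldd) before relying on a program that resolves names and then forks or enters a sandbox.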