From: Bernd Walter
To: freebsd-net@freebsd.org
Cc: ticso@cicely.de
Date: Tue, 30 Sep 2014 16:58:19 +0200
Subject: wrong source address with neighbor solicitation from jail
Message-ID: <20140930145819.GB62759@cicely7.cicely.de>

At first I'd thought it is the plain old broken multicast ethernet support story, since I noticed it with an IPv6 only ARM system.
But multicast on all the systems works fine, it is the neighbor solicitation request at fault selecting the wrong

My setup.
One client system, which failed to communicate with a jail with an IP configured as /128 on lo0.
The jail host itself with a LAN IP on em0 and the jail IP.
My gateway, used as default GW on the client and server and knows a route for the /128 to the jail host.
It is in the route path from the client to the jail IP.
(unrelated question: isn't there some kind of redirect support as with IPv4?)
All systems are on the same LAN.

When I e.g.
telnet from the jail host to the client I see the following:

16:41:23.970458 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) 2a02:21e0:16e0:2000::105 > ff02::1:ff00:1001: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2a02:21e0:16e0:2000::1001
          source link-address option (1), length 8 (1): 00:1e:8c:f2:41:2d
            0x0000:  001e 8cf2 412d
16:41:23.970792 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) 2a02:21e0:16e0:2000::1001 > 2a02:21e0:16e0:2000::105: [icmp6 sum ok] ICMP6, neighbor advertisement, length 32, tgt is 2a02:21e0:16e0:2000::1001, Flags [solicited, override]
          destination link-address option (2), length 8 (1): 00:1f:7b:b4:0c:41
            0x0000:  001f 7bb4 0c41
16:41:23.970800 IP6 (flowlabel 0xe9bb0, hlim 64, next-header TCP (6) payload length: 40) 2a02:21e0:16e0:2000::105.50941 > 2a02:21e0:16e0:2000::1001.23: Flags [S], cksum 0xcaee (correct), seq 690679932, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 291271812 ecr 0], length 0
16:41:23.971066 IP6 (hlim 64, next-header TCP (6) payload length: 20) 2a02:21e0:16e0:2000::1001.23 > 2a02:21e0:16e0:2000::105.50941: Flags [R.], cksum 0xb889 (correct), seq 0, ack 690679933, win 0, length 0

The jail host issues a neighbor solicitation request from its LAN IP to the multicast IP for the required target IP.
It gets an answer and tries to connect.
Everything is perfectly OK.

Now if I do the same from the jail (after deleting the ndp entry):

16:43:30.686371 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) 2a02:21e0:16e0:20fe::101:6 > ff02::1:ff00:1001: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2a02:21e0:16e0:2000::1001
          source link-address option (1), length 8 (1): 00:1e:8c:f2:41:2d
            0x0000:  001e 8cf2 412d

And this is where my problems start.
It is issuing basically the same NS packet, but this time with its jail address.
Now the other system won't answer to the request.
Maybe because it is not on the same LAN as the requesting address.
The jail host, which selects the wrong source address, is running 9.1-STABLE r246590.
So maybe this is fixed already?
But since I've never heard about such a problem I guess it still exists.

-- 
B.Walter http://www.bwct.de
Modbus/TCP Ethernet I/O modules, ARM-based FreeBSD computers and much more.
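
The condition described in the message above can be checked mechanically in a capture. The following is an added example, not part of the original post: it parses `tcpdump -v` neighbor solicitation lines (the three ICMPv6 packets from the post, joined one per line) and reports whether each NS source address is on-link and whether the destination is the target's solicited-node multicast group. The `/64` prefix length and the names `ON_LINK`, `solicited_node` and `check_ns` are assumptions made for illustration.

```python
import ipaddress
import re

# Assumption: the LAN prefix is a /64; the post does not state the prefix length.
ON_LINK = ipaddress.ip_network("2a02:21e0:16e0:2000::/64")

# ICMPv6 packets from the post, option/hex-dump continuation lines dropped.
SAMPLE = """\
16:41:23.970458 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) 2a02:21e0:16e0:2000::105 > ff02::1:ff00:1001: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2a02:21e0:16e0:2000::1001
16:41:23.970792 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) 2a02:21e0:16e0:2000::1001 > 2a02:21e0:16e0:2000::105: [icmp6 sum ok] ICMP6, neighbor advertisement, length 32, tgt is 2a02:21e0:16e0:2000::1001, Flags [solicited, override]
16:43:30.686371 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) 2a02:21e0:16e0:20fe::101:6 > ff02::1:ff00:1001: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2a02:21e0:16e0:2000::1001
"""

NS_RE = re.compile(
    r"^(?P<ts>\S+) IP6 \(.*?\) (?P<src>[0-9a-fA-F:]+) > (?P<dst>[0-9a-fA-F:]+): "
    r".*neighbor solicitation, length \d+, who has (?P<tgt>[0-9a-fA-F:]+)"
)


def solicited_node(target):
    """Solicited-node multicast group: ff02::1:ff00:0/104 plus the low 24 bits."""
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | (int(target) & 0xFFFFFF))


def check_ns(text, on_link=ON_LINK):
    """Return one finding per neighbor solicitation line in tcpdump -v output."""
    findings = []
    for line in text.splitlines():
        m = NS_RE.match(line)
        if not m:
            continue  # not an NS (e.g. the neighbor advertisement line)
        src = ipaddress.IPv6Address(m["src"])
        dst = ipaddress.IPv6Address(m["dst"])
        tgt = ipaddress.IPv6Address(m["tgt"])
        findings.append({
            "ts": m["ts"],
            "src": str(src),
            "dst_ok": dst == solicited_node(tgt),
            # "::" (duplicate address detection) and link-local sources are fine.
            "src_on_link": src.is_unspecified or src.is_link_local or src in on_link,
        })
    return findings


if __name__ == "__main__":
    for f in check_ns(SAMPLE):
        print(f)
```
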