Date:      Thu, 26 Jul 2012 19:45:00 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        FreeBSD Stable List <freebsd-stable@freebsd.org>
Cc:        bz@freebsd.org
Subject:   Regression with jails/IPv6/pf
Message-ID:  <5011902C.1070600@infracaninophile.co.uk>



So, I tried to do a routine update to the latest stable/9 yesterday
(r238771), and I found that access to the jail on my server had stopped
working.  Everything else seemed to be fine, and reverting to the
previous system (r237456 from 2012-06-22 (Boot Environments FTW)) brought
it all back to life.

After spending most of today bisecting versions and compiling kernels,
I found:

    r238177 worked absolutely fine

    r238236 accessing the jail worked, but everything was slow, as if
            DNS queries were timing out.

    r238246 lots of network timeouts everywhere: accessing the jail
            failed, but then so did accessing the main host.  So much
            so that svn couldn't update properly.

    r238256 worked fine for accessing the main host, but failed when
            trying to access the jail.

Looks like this was introduced in a batch of commits MFC'd by bz@
(CC'd) around then.

Now, this jail is set up in an unusual way, which is why I guess I'm the
first person to be affected.  For starters, it only has IPv6
connectivity, and secondly, because I'm running some daemons there I
don't want listening on an external network socket, it's bound to the
loopback and I use firewall redirection to send traffic to it.

The jail config in /etc/rc.conf looks like this:

jail_interface="lo1"
jail_devfs_enable="YES"
jail_devfs_ruleset="devfsrules_jail_zfs"
jail_fdescfs_enable="YES"
jail_procfs_enable="YES"
jail_set_hostname_allow="NO"
jail_socket_unixiproute_only="YES"
jail_sysvipc_allow="NO"
jail_parallel_start="NO"

jail_xenophobe_hostname="xenophobe.infracaninophile.co.uk"
jail_xenophobe_rootdir="/jail/xenophobe"
jail_xenophobe_ip="fd87:cd50:2103:1:54f9:9484:e8b0:12d1"
jail_xenophobe_mount_enable="YES"
jail_xenophobe_zfs="zroot/jail/xenophobe zroot/jail/xenophobe/TimeMachine"
jail_xenophobe_params="enforce_statfs=1"

I've cloned a second loopback I/F and given the jail an address from the
IPv6 private address range (RFC4193).  Cloning the interface
isn't absolutely necessary -- exactly the same symptoms occur if I use
an alias address on lo0 -- but it makes it easier to see only jail
traffic when using tcpdump.

Then I've enabled access via the network using nat+rdr in PF, like so:

table <localnets> const { 2001:8b0:151:1::/64, \
                          81.187.76.160/29,    \
                          fd87:cd50:2103:1::/64 }

xenophobe_int="fd87:cd50:2103:1:54f9:9484:e8b0:12d1"
xenophobe_ext="2001:8b0:151:1:54f9:9484:e8b0:12d1"

[...]

nat on $ext_if_plus from $xenophobe_int to any -> $xenophobe_ext
rdr inet6 proto tcp from <localnets> to $xenophobe_ext \
     port { 22, 80, 443, 548, 4700 } -> $xenophobe_int

When trying to ssh into the jail with a kernel exhibiting this problem,
tcpdump showed that traffic was reaching the sshd in the jail and
responses were being generated, but they didn't make it out onto the net.


	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW


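The nat+rdr arrangement described in the message above, as an added example that is not part of the original e-mail or of pf itself: a small Python model of how the quoted `rdr` and `nat` rules translate a TCP flow in each direction, including the state entry that pf creates when a rule first matches and then uses to translate the reply. The addresses, ports and the `<localnets>` table are the ones quoted in the post; the client addresses (`2001:8b0:151:1::10`, `2001:db8::1`, `2001:db8::53`) are constructed for illustration, and the names `Flow`, `PfTranslator` and `in_localnets` are this example's own.

```python
"""Added example (not from the original e-mail): a toy model of pf's rdr/nat
translation with a state table, using the addresses quoted on the page.
Client addresses below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass, replace

# table <localnets> const { ... } as quoted in the post (mixed IPv4/IPv6)
LOCALNETS = [ipaddress.ip_network(n) for n in (
    "2001:8b0:151:1::/64", "81.187.76.160/29", "fd87:cd50:2103:1::/64")]
XENOPHOBE_INT = str(ipaddress.ip_address("fd87:cd50:2103:1:54f9:9484:e8b0:12d1"))
XENOPHOBE_EXT = str(ipaddress.ip_address("2001:8b0:151:1:54f9:9484:e8b0:12d1"))
RDR_PORTS = {22, 80, 443, 548, 4700}


def in_localnets(addr: str) -> bool:
    """Membership test for <localnets>; a v6 address never matches a v4 entry."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCALNETS)


@dataclass(frozen=True)
class Flow:
    """One packet's addressing as seen on the wire (constructed, not captured)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def __post_init__(self):
        # Canonicalise so compressed and expanded IPv6 spellings compare equal.
        object.__setattr__(self, "src", str(ipaddress.ip_address(self.src)))
        object.__setattr__(self, "dst", str(ipaddress.ip_address(self.dst)))


class PfTranslator:
    """Model of the two quoted rules plus pf's state table.

    inbound()  = packet arriving on the external interface
    outbound() = packet leaving via the external interface
    State is consulted before rules, as pf does; a state entry maps the
    (src, sport, dst, dport) tuple of the expected reply to the one field
    that must be rewritten back.
    """

    def __init__(self):
        self.state: dict[tuple, tuple[str, str]] = {}

    def _apply_state(self, f: Flow):
        rule = self.state.get((f.src, f.sport, f.dst, f.dport))
        if rule is None:
            return None
        field, addr = rule
        return replace(f, **{field: addr})

    def inbound(self, f: Flow) -> Flow:
        hit = self._apply_state(f)
        if hit is not None:
            return hit
        # rdr inet6 proto tcp from <localnets> to $xenophobe_ext port {...} -> $xenophobe_int
        if (f.proto == "tcp" and in_localnets(f.src)
                and f.dst == XENOPHOBE_EXT and f.dport in RDR_PORTS):
            # The jail's reply will leave with src = INT; state rewrites it to EXT.
            self.state[(XENOPHOBE_INT, f.dport, f.src, f.sport)] = ("src", XENOPHOBE_EXT)
            return replace(f, dst=XENOPHOBE_INT)
        return f

    def outbound(self, f: Flow) -> Flow:
        hit = self._apply_state(f)
        if hit is not None:
            return hit
        # nat on $ext_if_plus from $xenophobe_int to any -> $xenophobe_ext
        if f.src == XENOPHOBE_INT:
            # The peer's reply will arrive with dst = EXT; state rewrites it to INT.
            self.state[(f.dst, f.dport, XENOPHOBE_EXT, f.sport)] = ("dst", XENOPHOBE_INT)
            return replace(f, src=XENOPHOBE_EXT)
        return f


if __name__ == "__main__":
    pf = PfTranslator()
    syn = pf.inbound(Flow("2001:8b0:151:1::10", 50000, XENOPHOBE_EXT, 22))
    reply = pf.outbound(Flow(XENOPHOBE_INT, 22, "2001:8b0:151:1::10", 50000))
    print("rdr'd SYN  ->", syn.dst)
    print("reply src  ->", reply.src)
```

The model makes the dependency in the post's symptom explicit: an ssh connection reaches the jail only through the `rdr` rewrite, and the jail's reply reaches the wire with the external address only through the state entry that rewrite created; tcpdump seeing replies generated by sshd but not leaving the host is consistent with a failure somewhere in that return step, though the message itself does not say where in the kernel the regression lies.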



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5011902C.1070600>