From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Date: Thu, 26 Jul 2012 19:45:00 +0100
To: FreeBSD Stable List <freebsd-stable@freebsd.org>
Message-ID: <5011902C.1070600@infracaninophile.co.uk>
Cc: bz@freebsd.org
Subject: Regression with jails/IPv6/pf

So, I tried to do a routine update to the latest stable/9 yesterday
(r238771), and I found that access to the jail on my server had stopped
working. Everything else seemed to be fine, and reverting to the previous
system (r237456 from 2012-06-22 (Boot Environments FTW)) brought it all
back to life.

After spending most of today bisecting versions and compiling kernels, I
found:

  r238177  worked absolutely fine

  r238236  accessing the jail worked, but everything was slow, as if DNS
           queries were timing out.

  r238246  lots of network timeouts everywhere: accessing the jail failed,
           but then so did accessing the main host. So much so that svn
           couldn't update properly.

  r238256  worked fine for accessing the main host, but failed when trying
           to access the jail.

Looks like this seems to have been introduced in a batch of commits MFC'd
by bz@ (CC'd) around then.

Now, this jail is set up in an unusual way, which is why I guess I'm the
first person to be affected. For starters, it only has IPv6 connectivity,
and secondly, because I'm running some daemons there I don't want
listening on an external network socket, it's bound to the loopback and I
use firewall redirection to send traffic to it.
The jail config in /etc/rc.conf looks like this:

  jail_interface="lo1"
  jail_devfs_enable="YES"
  jail_devfs_ruleset="devfsrules_jail_zfs"
  jail_fdescfs_enable="YES"
  jail_procfs_enable="YES"
  jail_set_hostname_allow="NO"
  jail_socket_unixiproute_only="YES"
  jail_sysvipc_allow="NO"
  jail_parallel_start="NO"

  jail_xenophobe_hostname="xenophobe.infracaninophile.co.uk"
  jail_xenophobe_rootdir="/jail/xenophobe"
  jail_xenophobe_ip="fd87:cd50:2103:1:54f9:9484:e8b0:12d1"
  jail_xenophobe_mount_enable="YES"
  jail_xenophobe_zfs="zroot/jail/xenophobe zroot/jail/xenophobe/TimeMachine"
  jail_xenophobe_params="enforce_statfs=1"

I've cloned a second loopback I/F and given the jail an address from the
IPv6 private address range (RFC4193). Cloning the interface isn't
absolutely necessary -- exactly the same symptoms occur if I use an alias
address on lo0 -- but it makes it easier to see only jail traffic when
using tcpdump.

Then I've enabled access via the network using nat+rdr in PF, like so:

  table const { 2001:8b0:151:1::/64, \
                81.187.76.160/29, \
                fd87:cd50:2103:1::/64 }

  xenophobe_int="fd87:cd50:2103:1:54f9:9484:e8b0:12d1"
  xenophobe_ext="2001:8b0:151:1:54f9:9484:e8b0:12d1"

  [...]

  nat on $ext_if_plus from $xenophobe_int to any -> $xenophobe_ext
  rdr inet6 proto tcp from to $xenophobe_ext \
      port { 22, 80, 443, 548, 4700 } -> $xenophobe_int

When trying to ssh into the jail with a kernel exhibiting this problem,
tcpdump showed that traffic was reaching the sshd in the jail and
responses were being generated, but they didn't make it out onto the net.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
                                                  7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
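For readers who want to reproduce the loopback-bound jail pattern described in the message above, here is an added, complete pf.conf fragment written for this page; it is not Matthew's configuration and not part of the original post. The external interface name `re0` and the table name `<jail_clients>` are placeholders (the post's own table name was lost in extraction), and `ext_if_plus` from the post is not used here; addresses and ports are the ones quoted in the message.

```pf
# Added example, not from the original post. Placeholders: ext_if, <jail_clients>.
ext_if        = "re0"                                   # placeholder: external interface
jail_if       = "lo1"                                   # cloned loopback the jail binds to
xenophobe_int = "fd87:cd50:2103:1:54f9:9484:e8b0:12d1"  # jail's ULA address (RFC 4193)
xenophobe_ext = "2001:8b0:151:1:54f9:9484:e8b0:12d1"    # public address clients connect to

# Hosts permitted to reach the jail's redirected services (placeholder table name).
table <jail_clients> const { 2001:8b0:151:1::/64, \
                             81.187.76.160/29, \
                             fd87:cd50:2103:1::/64 }

# Translation rules. On the pf shipped with FreeBSD 9 these must precede the filter rules.
# Outbound: rewrite the jail's ULA source address to its public address.
nat on $ext_if inet6 from $xenophobe_int to any -> $xenophobe_ext
# Inbound: redirect the listed ports on the public address to the jail's ULA address.
rdr on $ext_if inet6 proto tcp from <jail_clients> to $xenophobe_ext \
    port { 22, 80, 443, 548, 4700 } -> $xenophobe_int

# Filter rules. pf matches filter rules against the post-rdr destination, so the
# pass rule names the internal (ULA) address, not the public one.
block in on $ext_if
pass in quick on $ext_if inet6 proto tcp from <jail_clients> to $xenophobe_int \
    port { 22, 80, 443, 548, 4700 } flags S/SA keep state
# Replies and jail-originated traffic leave with the nat'd public source address.
pass out quick on $ext_if inet6 from $xenophobe_ext to any keep state
```

Two diagnostic points follow from this layout. First, `pfctl -s state` and `pfctl -s nat` show whether the rdr and nat entries are being created for a connection, which separates a rule problem from the kernel-side behaviour the post describes. Second, because the jail lives on its own loopback, `tcpdump -ni lo1` and `tcpdump -ni re0` (placeholder interface) can be compared for the same connection: replies visible on lo1 but absent on the external interface point at the path between the loopback and the nat step, which is exactly the symptom reported above.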