From nobody Mon Jul 1 22:53:16 2024 X-Original-To: freebsd-stable@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4WChCt1s3Rz5QNMM for ; Mon, 01 Jul 2024 22:53:30 +0000 (UTC) (envelope-from mike@jellydonut.org) Received: from mail-ed1-x52f.google.com (mail-ed1-x52f.google.com [IPv6:2a00:1450:4864:20::52f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "WR4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4WChCs3jnmz4GZF for ; Mon, 1 Jul 2024 22:53:29 +0000 (UTC) (envelope-from mike@jellydonut.org) Authentication-Results: mx1.freebsd.org; dkim=pass header.d=jellydonut.org header.s=google header.b=V5yGN6gy; dmarc=none; spf=pass (mx1.freebsd.org: domain of mike@jellydonut.org designates 2a00:1450:4864:20::52f as permitted sender) smtp.mailfrom=mike@jellydonut.org Received: by mail-ed1-x52f.google.com with SMTP id 4fb4d7f45d1cf-58b0beaf703so558808a12.2 for ; Mon, 01 Jul 2024 15:53:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jellydonut.org; s=google; t=1719874408; x=1720479208; darn=freebsd.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=haBTbLqGZ57SqDZTi0XioS5/wT6m8WDXEpTUu/dhWoA=; b=V5yGN6gy9GOpeevzHZwcN+hSDdC22PWD+Ggrdu+iSMiDBRcH5cySlh1jmyGbg39lz7 K93RTgtFFuhywcNd9r4OEp465dkgk9aDQlHVzSZxUkq1DPRfHdSmRBz05xvgVbO78l+G 2nuRTRauAKIzAHT21RUktXdL7Mi/BXhO3+qWs= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1719874408; x=1720479208; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=haBTbLqGZ57SqDZTi0XioS5/wT6m8WDXEpTUu/dhWoA=; b=Q5pjOVmCPkuv/h3aNCKyEAo0p7taZNDy1MUGOWlafaJ6H6owgcSwY5Wp4yA+df2fhI MHUMqdabBYkifCbwtZkYzA1arqVfqNkYOe9i1fK/L9haw3nMiYAtUNWVy/OHkKIIMndX YdiP8OHYNeiErIJkzJOdv5SakSYpyUdBchlQkuor3H4B93L+VCvaXu4uneYMdeKJipaV pmNvyNY+1ZIPHcxbtJqLfa2n182PrnwjXyRju6tRMDAGC07KuclypeZS/3wWDqNt/x2O WtxbTo08m0lK43KnfZG1/NFVmHb3VLzGSSCdv49G0jIEHBFHPv++BlfIyaeYxatP2IFv S+vg== X-Gm-Message-State: AOJu0YxfIyLuZHbnDkRZNH3j11gb0HRtJ9N9GZ7jjDPeT5E6O4K+lQ1J hASNVBXVHZExqF75rIxXj0qP8tEnOhEYUAIE4UtxEWOowVQ8YEAECUQoSKdo0LEutFPnhB152FG zX2ywhkDUbV2NnFUzGPbk+eW05tnENovpuoVU X-Google-Smtp-Source: AGHT+IF0uO2UWWTSF2elnUOaeaFf+E4ZQWE3a3O5Pw5Fd9GQuCoKNvEHSrCqihSk3uIhB2c7K6BHMLBwsGV5WaWO/fE= X-Received: by 2002:a05:6402:2786:b0:582:7e6d:6816 with SMTP id 4fb4d7f45d1cf-5879f0c6348mr5122790a12.8.1719874407739; Mon, 01 Jul 2024 15:53:27 -0700 (PDT) List-Id: Production branch of FreeBSD source code List-Archive: https://lists.freebsd.org/archives/freebsd-stable List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-stable@freebsd.org Sender: owner-freebsd-stable@FreeBSD.org MIME-Version: 1.0 References: <086405e2-8fc2-4463-b8bb-d6c652745ae1@freebsd.org> In-Reply-To: <086405e2-8fc2-4463-b8bb-d6c652745ae1@freebsd.org> From: Michael Proto Date: Mon, 1 Jul 2024 18:53:16 -0400 Message-ID: Subject: Re: FreeBSD 14.x localhost source address To: Craig Leres Cc: freebsd-stable@freebsd.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spamd-Bar: --- X-Spamd-Result: default: False [-3.50 / 15.00]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_SHORT(-1.00)[-0.999]; R_DKIM_ALLOW(-0.20)[jellydonut.org:s=google]; R_SPF_ALLOW(-0.20)[+ip6:2a00:1450:4000::/36]; MIME_GOOD(-0.10)[text/plain]; FREEFALL_USER(0.00)[mike]; ASN(0.00)[asn:15169, ipnet:2a00:1450::/32, country:US]; MISSING_XM_UA(0.00)[]; MIME_TRACE(0.00)[0:+]; TO_DN_SOME(0.00)[]; ARC_NA(0.00)[]; RCVD_COUNT_ONE(0.00)[1]; FROM_HAS_DN(0.00)[]; DMARC_NA(0.00)[jellydonut.org]; TO_MATCH_ENVRCPT_SOME(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; RCVD_IN_DNSWL_NONE(0.00)[2a00:1450:4864:20::52f:from]; PREVIOUSLY_DELIVERED(0.00)[freebsd-stable@freebsd.org]; MLMMJ_DEST(0.00)[freebsd-stable@freebsd.org]; RCVD_TLS_LAST(0.00)[]; RCPT_COUNT_TWO(0.00)[2]; DKIM_TRACE(0.00)[jellydonut.org:+] X-Rspamd-Queue-Id: 4WChCs3jnmz4GZF On Sat, Jun 29, 2024 at 8:17=E2=80=AFPM Craig Leres wro= te: > > When I upgraded ~10 systems from 13.3 to 14.1 recently, 90%+ of my > breakage was due to the localhost source address changing from 127.0.0.1 > to 127.0.0.2. This was on two of my systems. > > My lo0 config is standard: > > mote 20 % ifconfig lo0 > lo0: flags=3D1008049 metric = 0 > mtu 16384 > options=3D680003 > inet 127.0.0.1 netmask 0xff000000 > inet6 ::1 prefixlen 128 > inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2 > groups: lo > nd6 options=3D21 > > What's different on the two problematic systems is that they are > authoritative nameservers. Following best practices, I use the (bind) > server for authoritative queries and unbound for recursive resolver > duties. The way I did this was to configure unbound to listen on > 127.0.0.2 and then change /etc/resolv.conf to use "nameserver > 127.0.0.2". (Which reminds me of another 14.X breakage -- unbound is no > longer able to provide me with authoritative sshfp records!) > > For 14.1 at least, this has the side effect that the source address for > anything in the 127.0.0.0/8 domain becomes 127.0.0.2 instead of 127.0.0.1= . > > Given a host that has unbound listening on 127.0.0.2: > > mote 133 # lsof -np `cat /usr/local/etc/unbound/unbound.pid` | > fgrep domain > unbound 39496 unbound 3u IPv4 0xfffff8001ee56000 0 > UDP 127.0.0.2:domain->*:* > unbound 39496 unbound 4u IPv4 0xfffff80037c2ea80 0 > TCP 127.0.0.2:domain->*:* (LISTEN) > > you can see this with the iperf3 port. Start the server side with: > > iperf3 -s 127.0.0.1 > > and connect using: > > iperf3 -c 127.0.0.1 > > The server session will report: > > Accepted connection from 127.0.0.2, port 37306 > > I believe my configuration is far enough off the well-traveled path that > I'm the first to notice this. But there are definitely some programs > (e.g. sendmail/opendkim which appears to sign messages from 127.0.0.1 > but not from 127.0.0.2!) that are hardwired to know about 127.0.0.1 and > deal with it specially/differently... > > Craig > What netmask are you using for 127.0.0.2? I'd treat it as I would an IP alias (only on localhost) with a /32 netmask, should keep it isolated. Just tried it myself on a test box and iperf works as expected, using 127.0.0.1 as the source when connecting. -Proto