From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 219557] 11.0-RELEASE-p10 VIMAGE: udpv6 and tcpv6 blocked between master host and jail
Date: Thu, 25 May 2017 21:18:42 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219557

    Bug ID:    219557
    Summary:   11.0-RELEASE-p10 VIMAGE: udpv6 and tcpv6 blocked between
               master host and jail
    Product:   Base System
    Version:   11.0-RELEASE
    Hardware:  amd64
    OS:        Any
    Status:    New
    Severity:  Affects Some People
    Priority:  ---
    Component: kern
    Assignee:  freebsd-bugs@FreeBSD.org
    Reporter:  michael@brokendns.net

In 11.0-RELEASE-p10, IPv6 udp and tcp connectivity appears to be blocked
between the host and guest jail.

o ICMPv6 (e.g. ping) works in both directions
o UDPv6 and TCPv6 are blocked in the direction master-host --> jail
o If I try to initiate a TCP connection from the jail to the master host, I
  can see the SYN from the jail on the master host and the SYN-ACK from the
  master host back to the jail. BUT the jail never responds to the SYN-ACK.
o If I try to initiate a TCP connection from the master host to the jail, I
  never see a SYN-ACK back from the jail.
o UDPv6 and TCPv6 work fine from hosts outside of the master host (other
  hosts on the network) to the jail
o UDPv4 and TCPv4 work fine between master host and jail
o this problem is reproducible even if there is no firewall on the system
  (i.e. no ipfw/pf/ipf modules even loaded into the kernel)
o This problem DOES NOT occur on 10.3-RELEASE-p19 (r317835)
o This problem DOES NOT occur on 11-STABLE (r318822)
o The only version where I can reproduce it is 11-RELEASE-p10 (yes I am
  confused about that too)
o I used the exact same /etc/jail.conf file and /etc/rc.conf (and kernel
  config) on all three versions, on the same hardware, and got the results
  described above.
o I can also reproduce the problem on other hosts, with other IPv[46]
  addresses, running 11-RELEASE-p10

TO REPRODUCE:

o Install 11-RELEASE-p10 from source, using a kernel config with the
  following diffs from GENERIC:

*** GENERIC Thu Apr 6 14:39:44 2017
--- 11_VIMAGE Thu Apr 6 15:58:52 2017
***************
*** 357,359 ****
--- 357,367 ----
  # The crypto framework is required by IPSEC
  device crypto # Required by IPSEC

+
+ options VIMAGE
+ device epair
+ device if_bridge
+
+ # The nullFS to mount local directory
+ options NULLFS
+

o Configure network interfaces (igb0 in this case) statically for both IPv4
  and IPv6. The following /etc/jail.conf:

    # Generated by rc.d/jail at 2015-09-17 14:57:23
    allow.raw_sockets = "1";
    testjail {
        host.hostname = "testjail";
        path = "/jails/testjail";
        vnet;
        vnet.interface = "epair0b";
        exec.clean;
        exec.system_user = "root";
        exec.jail_user = "root";
        exec.prestart += "ifconfig epair0 create up";
        exec.prestart += "ifconfig bridge0 addm igb0 addm epair0a";
        exec.prestart += "ifconfig epair0a up";
        exec.poststop += "ifconfig bridge0 delete epair0a";
        exec.poststop += "ifconfig epair0a destroy";
        exec.start += "/sbin/ifconfig lo0 up";
        exec.start += "/sbin/ifconfig epair0b inet /24 up";
        exec.start += "/sbin/ifconfig epair0b inet6 -ifdisabled";
        exec.start += "/sbin/ifconfig epair0b inet6 /64";
        exec.start += "/sbin/route add default ";
        exec.start += "/sbin/route add -6 default ";
        exec.start += "/sbin/ifconfig epair0b inet6 -ifdisabled";
        exec.start += "/sbin/ifconfig lo1 create";
        exec.start += "/sbin/ifconfig lo1 inet /32";
        exec.start += "/sbin/ifconfig lo1 inet6 prefixlen 128";
        exec.start += "/sbin/ifconfig lo1 down";
        exec.start += "/bin/sh /etc/rc";
        exec.stop = "/bin/sh /etc/rc.shutdown";
        exec.consolelog = "/var/log/jail_testjail_console.log";
        mount.fstab = "/etc/jails/fstabs/testjail";
        mount.devfs;
        allow.mount;
        allow.set_hostname = 1;
        allow.sysvipc = 0;
    }

o Relevant configs in /etc/rc.conf:

    cloned_interfaces="bridge0 lo1"
    ifconfig_bridge0="up"
    jail_enable="YES"
    jail_list="testjail"

I can share more configs and logs upon request.

-- 
You are receiving this mail because:
You are the assignee for the bug.
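
Review bot: in the kernel config diff against GENERIC (hunk 357,367), the added "options NULLFS" line and its comment are unrelated to the VIMAGE, epair and if_bridge additions that sit on the host-to-jail network path. For a minimal reproduction, consider dropping NULLFS from the delta (together with the mount.fstab entry it presumably serves), or state that the IPv6 symptom also reproduces without it, so the difference from GENERIC is limited to the networking options.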