From: Jacques Foucry
To: freebsd-questions@freebsd.org
Cc: satanist
Subject: Re: Jail, VNET and IPv6
Date: Fri, 11 Dec 2020 17:15:59 +0100
In-Reply-To: <614a17bac6f5e561@localhost>

On Thursday, 10 Dec 2020 at 20:37:28 (+0100), satanist wrote:
> Hi Jacques
>
> [2020-12-10 10:30] Jacques Foucry
> > I manage on a hosted server many « classical » jails with IP addresses as aliases of
> > em0.
> >
> > I would like to make a new jail, but using VNET and IPv6. All my tries failed
> > :-( IPv4 works great but IPv6 does not.
>
> Would be nice if you shared the concept of your network setup. As far as
> I have understood from your mail, it looks like this:
>
>                                        ------------
>                                        | Jail     |
> [em0] <-> [bridge0] <-> [epair10a] <-> |[epair10b]|
>                                        ------------

That's it!

> > netstat -rn
> > [v4output]
> >
> > Internet6:
> > Destination                 Gateway        Flags   Netif  Expire
> > [v6routes]
> > 2a01:4f9:4a:1fd8::/64       link#1         U       em0
>
> I think here is the problem. You have the route to your jail on the em0
> interface and not on the bridge. Handbook[0] says:
>
> > If the bridge host needs an IP address, set it on the bridge interface,
> > not on the member interfaces.
>
> I would assume this is also true for routes. I assume if you _send_ packets
> on em0 they never reach the bridge.

So I need to add an IPv6 to the bridge and use it as default router for my jail,
if I understand correctly.

> > > ifconfig
> > em0: flags=8943 metric 0 mtu 1500
> >         options=81009b
> >         ether b4:2e:99:6a:80:9d
> >         inet6 2a01:4f9:4a:1fd8::2 prefixlen 64
> >         inet6 fe80::b62e:99ff:fe6a:809d%em0 prefixlen 64 scopeid 0x1
> >         inet6 2a01:4f9:4a:1fd8::16 prefixlen 64
> >         inet6 2a01:4f9:4a:1fd8::21 prefixlen 64
> >         inet6 2a01:4f9:4a:1fd8::12 prefixlen 64
> >         inet6 2a01:4f9:4a:1fd8::29 prefixlen 64
> >         inet6 2a01:4f9:4a:1fd8::15 prefixlen 64
> >         inet6 2a01:4f9:4a:1fd8::11 prefixlen 64
> >         inet6 2a01:4f9:4a:1fd8::22 prefixlen 64
> >         inet6 2a01:4f9:4a:1fd8::17 prefixlen 64
> >         inet6 2a01:4f9:4a:1fd8::28 prefixlen 64
> >         inet6 2a01:4f9:4a:1fd8::18 prefixlen 64
> >         inet6 2a01:4f9:4a:1fd8::19 prefixlen 64
> >         inet6 2a01:4f9:4a:1fd8::25 prefixlen 64
> >         inet6 2a01:4f9:4a:1fd8::5 prefixlen 64
> >         inet6 2a01:4f9:4a:1fd8::14 prefixlen 64
> >         inet 95.217.83.231 netmask 0xffffffc0 broadcast 95.217.83.255
> >         media: Ethernet autoselect (1000baseT )
> >         status: active
> >         nd6 options=21
> > [other interfaces]
> > bridge0: flags=8843 metric 0 mtu 1500
> >         description: vnet-jail-bridge
> >         ether 02:36:b3:c1:8a:00
> >         inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
> >         id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
> >         maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
> >         root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
> >         member: em0 flags=143
> >                 ifmaxaddr 0 port 1 priority 128 path cost 20000
> >         groups: bridge
> >         nd6 options=1
>
> For v6 the addresses are on em0, for v4 they are on bridge0. Therefore
> v4 works but v6 doesn't.

All the v6 attached to em0 are "classical" jails, without VNET.

> > As you can see there is a bridge (bridge0) with an IPv4 10.0.0.1/24. PF assumes
> > the NAT function for this range to 10.0.010/24, the new jail IPv4.
>
> This seems strange. You bridge your internal network to the external one,
> but also NAT the internal network. This has some odd side effects. Your
> jails can act like a host on your upstream network and every host on
> your upstream network can act like it's just another jail.
>
> > [jail config]
> > exec.start += "/sbin/ifconfig epair${id}b ${ipaddr} netmask ${mask} up";
> > [...]
> >
> > epair10a on the host:
> >
> > epair10a: flags=8943 metric 0 mtu 1500
> >         description: vnet-jitsi
> >         options=8
> >         ether 02:dc:c8:b1:ac:0a
> >         inet6 fe80::dc:c8ff:feb1:ac0a%epair10a prefixlen 64 scopeid 0x6
> >         groups: epair
> >         media: Ethernet 10Gbase-T (10Gbase-T )
> >         status: active
> >         nd6 options=21
>
> Again the problem with addresses on interfaces in a bridge.
>
> > I must be missing something, or have misunderstood something…
> >
> > Any advice is welcome.
>
> If you want to continue with a bridged setup, I would say you need to
> move the IPv6 config from em0 to bridge0. I would recommend switching
> to a routed setup.
>
> satanist
>
> [0] https://www.freebsd.org/doc/handbook/network-bridging.html

Thanks for your advice and pointers, I will check that.

Regards, and take care.
--
Jacques Foucry
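As an added example (not code from either poster), a small Python check for the misconfiguration satanist points out: it parses ifconfig(8) output, finds each bridge's members, and reports addresses that sit on a member instead of on the bridge, applying the handbook rule to both address families. The ifconfig text is constructed from the thread's own excerpt and interface names, not taken from a live host.

```python
import re

# Constructed ifconfig(8) excerpt modelled on the thread's own output (not the
# poster's full listing): em0 holds global IPv6 addresses yet is a bridge0 member.
SAMPLE_IFCONFIG = """\
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet6 2a01:4f9:4a:1fd8::2 prefixlen 64
        inet6 fe80::b62e:99ff:fe6a:809d%em0 prefixlen 64 scopeid 0x1
        inet6 2a01:4f9:4a:1fd8::16 prefixlen 64
        inet 95.217.83.231 netmask 0xffffffc0 broadcast 95.217.83.255
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
        member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: epair10a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
epair10a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet6 fe80::dc:c8ff:feb1:ac0a%epair10a prefixlen 64 scopeid 0x6
"""


def parse_ifconfig(text):
    """Map each interface to its inet/inet6 addresses and, for bridges, its members."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        head = re.match(r"^(\S+): flags=", line)
        if head:  # a non-indented "ifname: flags=..." line starts a new interface
            cur = head.group(1)
            ifaces[cur] = {"inet": [], "inet6": [], "members": []}
            continue
        f = line.split()
        if cur and len(f) >= 2 and f[0] in ("inet", "inet6"):
            ifaces[cur][f[0]].append(f[1])
        elif cur and len(f) >= 2 and f[0] == "member:":
            ifaces[cur]["members"].append(f[1])
    return ifaces


def misplaced_addresses(ifaces):
    """Addresses that sit on a bridge member instead of on the bridge itself."""
    findings = []
    for bridge, info in ifaces.items():
        for member in info["members"]:
            m = ifaces.get(member, {"inet": [], "inet6": []})
            for addr in m["inet"] + m["inet6"]:
                # every member legitimately has a link-local IPv6; skip those
                if not addr.lower().startswith("fe80:"):
                    findings.append((bridge, member, addr))
    return findings


if __name__ == "__main__":
    for bridge, member, addr in misplaced_addresses(parse_ifconfig(SAMPLE_IFCONFIG)):
        print(f"{addr} is on {member}, a member of {bridge}: move it to {bridge}")
```

On a real host, feed it `ifconfig` output instead of the embedded sample; an empty result means every address already lives on the bridge interface.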