Message-ID: <4E99F1D5.7090108@infracaninophile.co.uk>
Date: Sat, 15 Oct 2011 21:49:25 +0100
From: Matthew Seaman
To: FreeBSD Stable List
Cc: qingli@freebsd.org
Subject: IPv6 and aliases on loopback interfaces

So, this morning I updated to the latest stable/8 on my desktop box as
is my habit to do about fortnightly.  Lo and behold, the jail I had
configured hanging off the loopback interface suddenly stopped being
able to communicate with the rest of the world.  For reasons too trivial
to be worth explaining, this jail only has IPv6 connectivity.

After much bisecting of versions and building of kernels I tracked the
problem down to r226240.

http://svnweb.freebsd.org/base/stable/8/sys/netinet6/in6.c?r1=226235&r2=226240

After that commit, if I have the following IPv6 config on lo0:

lucid-nonsense:~:% ifconfig lo0 inet6
lo0: flags=8049 metric 0 mtu 16384
	options=3
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0xc
	inet6 fd87:cd50:2103:1:57f9:9484:e8b0:12d1 prefixlen 128

Then the RFC4193 address becomes unpingable[*]:

lucid-nonsense:~:% ping6 fd87:cd50:2103:1:57f9:9484:e8b0:12d1
PING6(56=40+8+8 bytes) fd87:cd50:2103:1:57f9:9484:e8b0:12d1 --> fd87:cd50:2103:1:57f9:9484:e8b0:12d1
^C
--- fd87:cd50:2103:1:57f9:9484:e8b0:12d1 ping6 statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss

I can't tell from the commit if this is an intended consequence or not,
but it seems a bit draconian if so.  Surely this will cause problems for
such well known techniques as Direct Server Return?  Not to mention my
favourite trick of hanging a jail off an internal interface where I can
experiment with all sorts of potentially vulnerable network bits without
exposing them to an external network.

	Cheers,

	Matthew

[*] Ditto if I clone up a lo1 interface and move
fd87:cd50:2103:1:57f9:9484:e8b0:12d1 to there.  Works fine for 226239 or
earlier, not for 226240 et seq.  What's the point of being able to clone
lo(4) if you can't usefully configure it with arbitrary addresses?

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
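
Added example, not part of the original message: a check for the symptom reported above that can be rerun on each kernel while bisecting. The function names, the exit-code convention (0 reachable, 1 unreachable, 2 could not test) and the default address fd00:0:0:1::1 are assumptions made for this sketch; it must run as root on FreeBSD.

```shell
#!/bin/sh
# Added example (not from the original post): does an IPv6 alias on a
# cloned loopback interface answer ping6? Exit codes are this sketch's
# own convention: 0 reachable, 1 unreachable, 2 could not test.

# Print the inet6 addresses found in `ifconfig IFACE inet6` output (stdin).
inet6_addrs() {
    awk '$1 == "inet6" { print $2 }'
}

# Turn ping6 output (stdin) into reachable / unreachable / unknown,
# based on the "N% packet loss" summary line.
alias_verdict() {
    loss=$(sed -n 's/.* \([0-9.]*\)% packet loss.*/\1/p')
    case "$loss" in
        "")        echo unknown ;;      # no summary line, ping6 never ran
        100|100.0) echo unreachable ;;  # the symptom described in the post
        *)         echo reachable ;;
    esac
}

# $1 = loopback interface (e.g. lo1), $2 = address to alias onto it.
# Give $2 in the form ifconfig prints it, or the presence check fails.
check_alias() {
    ifconfig "$1" create 2>/dev/null    # ignore "already exists"
    ifconfig "$1" inet6 "$2" prefixlen 128 alias || return 2
    ifconfig "$1" inet6 | inet6_addrs | grep -qx "$2" || return 2
    verdict=$(ping6 -c 3 "$2" 2>&1 | alias_verdict)
    ifconfig "$1" inet6 "$2" -alias     # remove the test address again
    echo "$1 $2 $verdict"
    [ "$verdict" = unknown ] && return 2
    [ "$verdict" = reachable ]
}

# Only touch the network stack when asked to: sh check.sh run [iface] [addr]
if [ "${1:-}" = "run" ]; then
    # fd00:0:0:1::1 is a constructed RFC 4193 address, not one from the post.
    check_alias "${2:-lo1}" "${3:-fd00:0:0:1::1}"
fi
```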