Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 21 Oct 2021 22:11:23 +0200
From:      Peter <pmc@citylink.dinoex.sub.org>
To:        "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: IPv6 inconsistent local routing
Message-ID:  <YXHJa/i9k9nFpKCE@gate.intra.daemon.contact>
In-Reply-To: <B5FA3AFF-1069-48B4-A749-0FE66647E64C@lists.zabbadoz.net>
References:  <YXBebUL0%2BEyOQ0V2@gate.intra.daemon.contact> <B5FA3AFF-1069-48B4-A749-0FE66647E64C@lists.zabbadoz.net>

next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Oct 20, 2021 at 10:06:00PM +0000, Bjoern A. Zeeb wrote:

! > You might say, it does not usually make sense to route traffic local-to-
! > local over an IPadress of an outbound interface. But actually this
! > is common practice in e.g. failover scenarios, where you don't know
! > in the app configs if your address is currently local or not - you just
! > know it carries the service.
!=20
!=20
! There used to be:
!=20
! $ sysctl -d net.link.ether.inet.useloopback net.inet6.icmp6.nd6_useloopba=
ck
! net.link.ether.inet.useloopback: Use the loopback interface for local
! traffic
! net.inet6.icmp6.nd6_useloopback:
!=20
! which defined this bahviour.
!=20
! These were removed in/after the FreeBSD 10 times I think?
! I=E2=80=99d start looking from there.

Hi, thank you, yeah I found these. While pointing someway into that
rabbithole, it is actually a dead end at first: because, these options
influence the routing table, and they are now default-ON anyway.

Also, in my case, the routing table is correctly populated with lo0,
so this is not the problem. And, the routing table only considers
OUTgoing packets, and as we can see in my message above, my OUTgoing
packets are all fine and go via lo0.

It is the INcoming path that create this problem. Glancing further
thru the code, I find there is a "m_pkthdr.rcvif" variable from which
ipfw gets the incoming-interface info. But then that variable is
spread all over the whole networking code and gets used everywhere.
So unless one does already dwell in the networking code and kernel
debugger, this will be extensive labour to figure out.=20

But, I just found, the other way is just as ugly: when I move my stuff
to work via localhost, I need, among other things, also new kerberos
principals, because these then must read e.g. "postgres/localhost",
and must provide the correct principal to all concerned places. It's
alot of effort, and it's the wrong direction.

Normally, people thow their lamp-stack (or whatever) onto one machine,
configure it all as localhost, and everything works, and nothing is
modular and nothing is extensible. And then when they notice there is
a problem they have no clue and pay a lot of money for containers.
I started the other way round, always and only use the external
interface names (and don't mix these with the hostname, the hostname
is something entirely different and only relevant for mail, if at
all), configure everything onto these names, and then everything works
=66rom everywhere right from the beginning.
Except when ipfw gets these creepily mixed interface
tags. Ob-rant. Thanks for listening.

Cheerio,
PMc



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?YXHJa/i9k9nFpKCE>