From: Craig Leres
Date: Sat, 29 Jun 2024 17:17:18 -0700
Subject: FreeBSD 14.x localhost source address
To: freebsd-stable@freebsd.org
Message-ID: <086405e2-8fc2-4463-b8bb-d6c652745ae1@freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-stable

When I upgraded ~10 systems from 13.3 to 14.1 recently, 90%+ of my breakage was due to the localhost source address changing from 127.0.0.1 to 127.0.0.2. This was on two of my systems.

My lo0 config is standard:

    mote 20 % ifconfig lo0
    lo0: flags=1008049 metric 0 mtu 16384
            options=680003
            inet 127.0.0.1 netmask 0xff000000
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
            groups: lo
            nd6 options=21

What's different on the two problematic systems is that they are authoritative nameservers. Following best practices, I use the (bind) server for authoritative queries and unbound for recursive resolver duties. The way I did this was to configure unbound to listen on 127.0.0.2 and then change /etc/resolv.conf to use "nameserver 127.0.0.2". (Which reminds me of another 14.X breakage -- unbound is no longer able to provide me with authoritative sshfp records!)

For 14.1 at least, this has the side effect that the source address for anything in the 127.0.0.0/8 domain becomes 127.0.0.2 instead of 127.0.0.1.

Given a host that has unbound listening on 127.0.0.2:

    mote 133 # lsof -np `cat /usr/local/etc/unbound/unbound.pid` | fgrep domain
    unbound 39496 unbound 3u IPv4 0xfffff8001ee56000 0 UDP 127.0.0.2:domain->*:*
    unbound 39496 unbound 4u IPv4 0xfffff80037c2ea80 0 TCP 127.0.0.2:domain->*:* (LISTEN)

you can see this with the iperf3 port. Start the server side with:

    iperf3 -s 127.0.0.1

and connect using:

    iperf3 -c 127.0.0.1

The server session will report:

    Accepted connection from 127.0.0.2, port 37306

I believe my configuration is far enough off the well-traveled path that I'm the first to notice this. But there are definitely some programs (e.g. sendmail/opendkim, which appears to sign messages from 127.0.0.1 but not from 127.0.0.2!) that are hardwired to know about 127.0.0.1 and deal with it specially/differently...

		Craig
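
Added example, not part of the message above: a self-contained check for the behaviour the message reports, usable on a host where iperf3 is not installed. It reports which source address the kernel selects for traffic to 127.0.0.1, what a local TCP listener actually sees, and the result when the client pins its source with bind(); the function names are made up for this example.

```python
import socket

LOOPBACK = "127.0.0.1"


def kernel_selected_source(dest=LOOPBACK):
    """Source IP the kernel picks for traffic to dest (UDP connect sends nothing)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((dest, 9))  # port is arbitrary; no packet leaves the socket
        return s.getsockname()[0]


def observed_source(dest=LOOPBACK, bind_source=None):
    """Source IP a TCP listener on dest sees for a local client connection.

    bind_source=None leaves the choice to the kernel (the case the message
    describes); otherwise the client pins its source with bind() first.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind((dest, 0))  # port 0: kernel assigns a free port
        srv.listen(1)
        srv.settimeout(5)
        port = srv.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as cli:
            cli.settimeout(5)
            if bind_source is not None:
                cli.bind((bind_source, 0))
            cli.connect((dest, port))
            conn, peer = srv.accept()
            conn.close()
            return peer[0]


def report(dest=LOOPBACK):
    """Collect both views plus the pinned case, and flag a mismatch with dest."""
    result = {
        "udp_selected": kernel_selected_source(dest),
        "tcp_observed": observed_source(dest),
        "pinned": observed_source(dest, bind_source=dest),
    }
    result["mismatch"] = result["tcp_observed"] != dest
    return result


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

A "mismatch: True" line means local clients that do not bind their source will reach services listening on 127.0.0.1 from a different loopback address, so anything that treats 127.0.0.1 specially should be reviewed on that host.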