From: Hiroki Sato <hrs@FreeBSD.org>
To: emax@FreeBSD.org
Cc: svn-src-head@FreeBSD.org, svn-src-all@FreeBSD.org, dougb@FreeBSD.org, src-committers@FreeBSD.org
Subject: Re: svn commit: r238622 - head/etc/rc.d
Date: Fri, 03 Aug 2012 12:43:05 +0900 (JST)
Message-Id: <20120803.124305.1981901625663633450.hrs@allbsd.org>
References: <501AF66A.8020804@FreeBSD.org>
X-PGPkey-fingerprint: BDB3 443F A5DD B3D0 A530 FFD7 4F2C D3D8 2793 CF2D
List-Id: "SVN commit messages for the entire src tree (except for "user" and "projects")"

Maksim Yevmenkin wrote:

em> of course :) we have ipv4 systems in production that make use of the
em> getaddrinfo(3) api. when a particular dns name is resolved and
em> multiple A records are returned, the results get sorted according to
em> the "default" address selection policy.
em> rfc3484 has a set of rules
em> according to which results should be sorted. none of the rules
em> apply in our case except one - rule #9. the idea is that ipv4
em> addresses are "converted" to ipv6 addresses and then longest prefix
em> match sorting is applied. in other words, if your system ip address
em> happens to share high bits with the ip address from the A record, the
em> IP address from the A record will always be preferred. of course,
em> longest prefix match is performed without any extra information such
em> as netmask and/or cidr. it really is just matching high bits of the
em> address.
em>
em> so, what we found out is that some systems tend to favor a particular
em> ip address (from a bunch of ip addresses returned by name resolution)
em> because 4 high bits were the same. basically, round-robin dns was
em> completely shot.

Is that issue solved by applying the attached patch and setting
net.inet6.ip6.longestmatch_mapped=0?  I do not think it is a good idea
to use the empty rule to solve it, because if the system has to support
IPv6 as well, the empty rule has a negative effect.  Adding a flag to the
IPv4 address line in the policy or adding a sysctl sounds like a
reasonable solution to me.

-- Hiroki

[Attachment: ip6_longestmatch-20120802-1.diff]

Index: sys/netinet6/in6_proto.c
===================================================================
--- sys/netinet6/in6_proto.c	(revision 238998)
+++ sys/netinet6/in6_proto.c	(working copy)
@@ -587,6 +587,9 @@ SYSCTL_VNET_INT(_net_inet6_ip6, IPV6CTL_STEALTH, stealth, CTLFLAG_RW, &VNET_NAME(ip6stealth), 0, ""); #endif +SYSCTL_VNET_INT(_net_inet6_ip6, IPV6CTL_LONGESTMATCH_MAPPED, + longestmatch_mapped, CTLFLAG_RW, &VNET_NAME(ip6_longestmatch_mapped), 0, + "Use longest match prefix rule for IPv4-mapped address in addrsel."); #ifdef FLOWTABLE VNET_DEFINE(int, ip6_output_flowtable_size) = 2048; Index: sys/netinet6/in6.h =================================================================== --- sys/netinet6/in6.h (revision 238998) +++ sys/netinet6/in6.h (working copy) @@ -618,7 +618,8 @@ * receiving IF. */ #define IPV6CTL_RFC6204W3 50 /* Accept defroute even when forwarding enabled */ -#define IPV6CTL_MAXID 51 +#define IPV6CTL_LONGESTMATCH_MAPPED 51 +#define IPV6CTL_MAXID 52 #endif /* __BSD_VISIBLE */ /* Index: sys/netinet6/in6_src.c =================================================================== --- sys/netinet6/in6_src.c (revision 238998) +++ sys/netinet6/in6_src.c (working copy) @@ -126,6 +126,7 @@ #define V_defaultaddrpolicy VNET(defaultaddrpolicy) VNET_DEFINE(int, ip6_prefer_tempaddr) = 0; +VNET_DEFINE(int, ip6_longestmatch_mapped) = 1; static int selectroute __P((struct sockaddr_in6 *, struct ip6_pktopts *, struct ip6_moptions *, struct route_in6 *, struct ifnet **, @@ -452,11 +453,13 @@ * a large number so that it is easy to assign smaller numbers * to more preferred rules. */ + if (!IN6_IS_ADDR_V4MAPPED(&dst) || ip6_longestmatch_mapped) { new_matchlen = in6_matchlen(&ia->ia_addr.sin6_addr, &dst); if (best_matchlen < new_matchlen) REPLACE(14); if (new_matchlen < best_matchlen) NEXT(14); + } /* Rule 15 is reserved. */ Index: sys/netinet6/ip6_var.h =================================================================== --- sys/netinet6/ip6_var.h (revision 238998) +++ sys/netinet6/ip6_var.h (working copy) 
@@ -357,6 +357,9 @@ * zone when unspecified */ #define V_ip6_use_defzone VNET(ip6_use_defzone) +VNET_DECLARE(int, ip6_longestmatch_mapped); /* Use longest match for addrsel */ +#define V_ip6_longestmatch_mapped VNET(ip6_longestmatch_mapped) + VNET_DECLARE (struct pfil_head, inet6_pfil_hook); /* packet filter hooks */ #define V_inet6_pfil_hook VNET(inet6_pfil_hook) #ifdef IPSTEALTH
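Review bot: the new net.inet6.ip6.longestmatch_mapped knob added in the in6_proto.c hunk has no documentation beyond its sysctl description string; the patch touches only sys/netinet6, so ip6(4) should gain an entry stating the default of 1 (today's behaviour) and that 0 skips the longest-match rule for IPv4-mapped destinations only. The description string "Use longest match prefix rule for IPv4-mapped address in addrsel." could likewise name the default.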
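Review bot: in the in6_src.c rule-14 hunk the condition `if (!IN6_IS_ADDR_V4MAPPED(&dst) || ip6_longestmatch_mapped) {` reads the bare variable, but the storage is created with `VNET_DEFINE(int, ip6_longestmatch_mapped) = 1;` and the ip6_var.h hunk provides `V_ip6_longestmatch_mapped` (VNET(ip6_longestmatch_mapped)) for exactly this access; under VIMAGE the VNET_DEFINE'd object is not named ip6_longestmatch_mapped, so as written this builds only in non-VIMAGE kernels. Use V_ip6_longestmatch_mapped, and reindent the two statements now wrapped by the new braces per style(9). A second point on the same hunk: this is the kernel's source-address selection rule (the REPLACE(14)/NEXT(14) comparison of ia->ia_addr.sin6_addr against dst in in6_src.c), whereas the quoted problem is getaddrinfo(3) ordering A records by rule #9 of the destination sort; unless libc's destination sort actually consults this kernel rule, setting the sysctl to 0 will not change which A record is preferred, so that dependency should be confirmed before offering the knob as the fix.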
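Review bot: the declaration comment `/* Use longest match for addrsel */` in the ip6_var.h hunk overstates the knob's scope; the in6_src.c test `!IN6_IS_ADDR_V4MAPPED(&dst) || ...` only gates the rule for IPv4-mapped destinations, and the sysctl description says so, so the comment should read "for IPv4-mapped destinations" to avoid suggesting that 0 disables longest match for native IPv6 as well.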
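The rule 9 behaviour Maksim describes in the quoted text, and the effect of the on/off knob Hiroki proposes, as an added example in C that is not code from this thread, from libc's getaddinfo(3) or from the FreeBSD kernel. It maps each A record to ::ffff:a.b.c.d, scores it by the number of leading bits shared with the local address (no netmask or CIDR input, exactly as described), and sorts highest score first with a stable sort so that ties keep the resolver's round-robin order. The flag rule9_for_v4, the function names, and the sample addresses (documentation ranges, constructed for this example) are all this example's own assumptions; the flag models the proposed sysctl in userland rather than reproducing the kernel patch.

```c
/*
 * Added example, not code from this thread or from FreeBSD: it models the
 * RFC 3484 rule 9 behaviour described above.  A records become IPv4-mapped
 * IPv6 addresses (::ffff:a.b.c.d) and are ordered by how many leading bits
 * they share with the local source, with no netmask or CIDR input; rule9_for_v4
 * stands in for the proposed knob.  Addresses come from documentation ranges.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#define MAXREC 8	/* records accepted per call */

/* Constructed sample: the same three A records in two round-robin rotations. */
const char *const sample_src = "192.0.2.10";	/* first octet 0b11000000 */
const char *const sample_rot1[] = { "203.0.113.7", "198.51.100.7", "100.64.0.7" };
const char *const sample_rot2[] = { "100.64.0.7", "203.0.113.7", "198.51.100.7" };

/* ::ffff:a.b.c.d from dotted-quad text; an unparsable string yields :: */
static void
v4mapped(const char *dotted, struct in6_addr *out)
{
	struct in_addr v4;
	memset(out, 0, sizeof(*out));
	if (inet_pton(AF_INET, dotted, &v4) != 1)
		return;
	out->s6_addr[10] = out->s6_addr[11] = 0xff;
	memcpy(&out->s6_addr[12], &v4, sizeof(v4));
}

/* Leading bits two addresses share, 0..128 (what in6_matchlen computes). */
int
common_prefix_len(const struct in6_addr *a, const struct in6_addr *b)
{
	int i, bits = 0;
	for (i = 0; i < 16; i++) {
		uint8_t x = a->s6_addr[i] ^ b->s6_addr[i];
		if (x != 0) {
			for (; (x & 0x80) == 0; x <<= 1)
				bits++;
			return (bits);
		}
		bits += 8;
	}
	return (bits);
}

/* Same for two IPv4 addresses after mapping: at least 96 for valid input. */
int
common_prefix_len_v4(const char *a, const char *b)
{
	struct in6_addr ma, mb;
	v4mapped(a, &ma);
	v4mapped(b, &mb);
	return (common_prefix_len(&ma, &mb));
}

/* Rule 9 score; with the knob off every mapped destination ties at 0. */
static int
rule9_score(const struct in6_addr *src, const struct in6_addr *dst, int rule9_for_v4)
{
	if (!rule9_for_v4 && IN6_IS_ADDR_V4MAPPED(dst))
		return (0);
	return (common_prefix_len(src, dst));
}

/* records[] in resolver order; returns the index a rule 9 sort hands out first.
 * Stable insertion sort, highest score first, so ties keep resolver order. */
int
first_choice(const char *src_v4, const char *const *records, int n, int rule9_for_v4)
{
	struct in6_addr src, dst[MAXREC];
	int order[MAXREC], i, j, key, ks;
	if (n <= 0 || n > MAXREC)
		return (-1);
	v4mapped(src_v4, &src);
	for (i = 0; i < n; i++) {
		v4mapped(records[i], &dst[i]);
		order[i] = i;
	}
	for (i = 1; i < n; i++) {
		key = order[i];
		ks = rule9_score(&src, &dst[key], rule9_for_v4);
		for (j = i - 1; j >= 0 &&
		    rule9_score(&src, &dst[order[j]], rule9_for_v4) < ks; j--)
			order[j + 1] = order[j];
		order[j + 1] = key;
	}
	return (order[0]);
}

int
main(void)
{
	int on = first_choice(sample_src, sample_rot2, 3, 1), off = first_choice(sample_src, sample_rot2, 3, 0);
	printf("rule 9 on: %s first; rule 9 off: %s first\n", sample_rot2[on], sample_rot2[off]);
	return (0);
}
```

With the source 192.0.2.10 the three records score 100, 101 and 96 bits (96 are the ::ffff: prefix that every mapped address shares, so only the IPv4 high bits decide): 198.51.100.7 shares five of them and comes out first whichever rotation the resolver returned, which is the "round-robin was shot" effect; with the flag off all mapped records tie and the resolver's order is kept.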