Date: Sat, 15 Oct 2011 21:49:25 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: FreeBSD Stable List <freebsd-stable@freebsd.org>
Cc: qingli@freebsd.org
Subject: IPv6 and aliases on loopback interfaces
Message-ID: <4E99F1D5.7090108@infracaninophile.co.uk>

So, this morning I updated to the latest stable/8 on my desktop box as is my habit to do about fortnightly. Lo and behold, the jail I had configured hanging off the loopback interface suddenly stopped being able to communicate with the rest of the world. For reasons too trivial to be worth explaining, this jail only has IPv6 connectivity.

After much bisecting of versions and building of kernels I tracked the problem down to r226240.

http://svnweb.freebsd.org/base/stable/8/sys/netinet6/in6.c?r1=226235&r2=226240

After that commit, if I have the following IPv6 config on lo0:

lucid-nonsense:~:% ifconfig lo0 inet6
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0xc
        inet6 fd87:cd50:2103:1:57f9:9484:e8b0:12d1 prefixlen 128

Then the RFC4193 address becomes unpingable[*]:

lucid-nonsense:~:% ping6 fd87:cd50:2103:1:57f9:9484:e8b0:12d1
PING6(56=40+8+8 bytes) fd87:cd50:2103:1:57f9:9484:e8b0:12d1 --> fd87:cd50:2103:1:57f9:9484:e8b0:12d1
^C
--- fd87:cd50:2103:1:57f9:9484:e8b0:12d1 ping6 statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss

I can't tell from the commit if this is an intended consequence or not, but it seems a bit draconian if so. Surely this will cause problems for such well known techniques as Direct Server Return? Not to mention my favourite trick of hanging a jail off an internal interface where I can experiment with all sorts of potentially vulnerable network bits without exposing them to an external network.

Cheers,

Matthew

[*] Ditto if I clone up a lo1 interface and move fd87:cd50:2103:1:57f9:9484:e8b0:12d1 to there. Works fine for 226239 or earlier, not for 226240 et seq. What's the point of being able to clone lo(4) if you can't usefully configure it with arbitrary addresses?

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
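
A post-upgrade check for the symptom reported above, as an added example that is not part of the original message: it pulls the non-loopback, non-link-local inet6 addresses out of `ifconfig <iface> inet6` and pings each one, so a kernel showing the reported behaviour prints FAIL for the alias. The helper names `alias_addrs` and `check_iface` are hypothetical, and the script assumes the ifconfig output format quoted in the message and a `ping6` that accepts `-c`.

```sh
#!/bin/sh
# Added example (not from the original message): check that every IPv6
# alias on the given loopback interfaces still answers ping6.

# Constructed sample: the `ifconfig lo0 inet6` output quoted in the message.
SAMPLE_IFCONFIG='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0xc
        inet6 fd87:cd50:2103:1:57f9:9484:e8b0:12d1 prefixlen 128'

# alias_addrs (hypothetical helper): read ifconfig output on stdin and print
# each inet6 address that is neither ::1 nor link-local (fe80::/10).
alias_addrs() {
    awk '$1 == "inet6" && $2 != "::1" && $2 !~ /^fe[89ab][0-9a-f]:/ { print $2 }'
}

# check_iface (hypothetical helper): ping each alias on one interface,
# print one ok/FAIL line per address, return non-zero if any is silent.
check_iface() {
    iface=$1
    rc=0
    for addr in $(ifconfig "$iface" inet6 | alias_addrs); do
        if ping6 -c 2 "$addr" >/dev/null 2>&1; then
            echo "ok   $iface $addr"
        else
            echo "FAIL $iface $addr"
            rc=1
        fi
    done
    return "$rc"
}

# With interface names as arguments (e.g. lo0 lo1), run the live check.
if [ "$#" -gt 0 ]; then
    status=0
    for i in "$@"; do
        check_iface "$i" || status=1
    done
    exit "$status"
fi
```

Run it as `sh script.sh lo0 lo1` after each kernel update; the exit status is non-zero if any alias stops answering.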