Date: Sat, 15 Oct 2011 15:44:43 -0700
From: Qing Li <qingli@freebsd.org>
To: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Cc: FreeBSD Stable List <freebsd-stable@freebsd.org>
Subject: Re: IPv6 and aliases on loopback interfaces
Message-ID: <CAGnGRdJiaPSfHBi0JkMf=6bYVPUPDD7t=Ma2TB8LeDZpH_UsxQ@mail.gmail.com>
In-Reply-To: <4E99F1D5.7090108@infracaninophile.co.uk>
References: <4E99F1D5.7090108@infracaninophile.co.uk>
I uploaded a patch last night for this issue, it's sitting at
http://people.freebsd.org/~qingli/in6.c.diff

--Qing

On Sat, Oct 15, 2011 at 1:49 PM, Matthew Seaman
<m.seaman@infracaninophile.co.uk> wrote:
>
> So, this morning I updated to the latest stable/8 on my desktop box as
> is my habit to do about fortnightly.  Lo and behold, the jail I had
> configured hanging off the loopback interface suddenly stopped being
> able to communicate with the rest of the world.  For reasons too trivial
> to be worth explaining, this jail only has IPv6 connectivity.
>
> After much bisecting of versions and building of kernels I tracked the
> problem down to r226240.
>
> http://svnweb.freebsd.org/base/stable/8/sys/netinet6/in6.c?r1=226235&r2=226240
>
> After that commit, if I have the following IPv6 config on lo0:
>
> lucid-nonsense:~:% ifconfig lo0 inet6
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>        options=3<RXCSUM,TXCSUM>
>        inet6 ::1 prefixlen 128
>        inet6 fe80::1%lo0 prefixlen 64 scopeid 0xc
>        inet6 fd87:cd50:2103:1:57f9:9484:e8b0:12d1 prefixlen 128
>
> Then the RFC4193 address becomes unpingable[*]:
>
> lucid-nonsense:~:% ping6 fd87:cd50:2103:1:57f9:9484:e8b0:12d1
> PING6(56=40+8+8 bytes) fd87:cd50:2103:1:57f9:9484:e8b0:12d1 -->
> fd87:cd50:2103:1:57f9:9484:e8b0:12d1
> ^C
> --- fd87:cd50:2103:1:57f9:9484:e8b0:12d1 ping6 statistics ---
> 3 packets transmitted, 0 packets received, 100.0% packet loss
>
> I can't tell from the commit if this is an intended consequence or not,
> but it seems a bit draconian if so.  Surely this will cause problems for
> such well known techniques as Direct Server Return?  Not to mention my
> favourite trick of hanging a jail off an internal interface where I can
> experiment with all sorts of potentially vulnerable network bits without
> exposing them to an external network.
>
>        Cheers,
>
>        Matthew
>
> [*] Ditto if I clone up a lo1 interface and move
> fd87:cd50:2103:1:57f9:9484:e8b0:12d1 to there.  Works fine for 226239 or
> earlier, not for 226240 et seq.  What's the point of being able to clone
> lo(4) if you can't usefully configure it with arbitrary addresses?
>
> --
> Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
>                                                   Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
> JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
>