I uploaded a patch last night for this issue; it's sitting at
http://people.freebsd.org/~qingli/in6.c.diff
--Qing
On Sat, Oct 15, 2011 at 1:49 PM, Matthew Seaman
<m.seaman@infracaninophile.co.uk> wrote:
>
> So, this morning I updated to the latest stable/8 on my desktop box as
> is my habit to do about fortnightly. Lo and behold, the jail I had
> configured hanging off the loopback interface suddenly stopped being
> able to communicate with the rest of the world. For reasons too trivial
> to be worth explaining, this jail only has IPv6 connectivity.
>
> After much bisecting of versions and building of kernels I tracked the
> problem down to r226240.
>
> http://svnweb.freebsd.org/base/stable/8/sys/netinet6/in6.c?r1=226235&r2=226240
>
> After that commit, if I have the following IPv6 config on lo0:
>
> lucid-nonsense:~:% ifconfig lo0 inet6
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>         options=3<RXCSUM,TXCSUM>
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0xc
>         inet6 fd87:cd50:2103:1:57f9:9484:e8b0:12d1 prefixlen 128
>
> Then the RFC4193 address becomes unpingable[*]:
>
> lucid-nonsense:~:% ping6 fd87:cd50:2103:1:57f9:9484:e8b0:12d1
> PING6(56=40+8+8 bytes) fd87:cd50:2103:1:57f9:9484:e8b0:12d1 -->
> fd87:cd50:2103:1:57f9:9484:e8b0:12d1
> ^C
> --- fd87:cd50:2103:1:57f9:9484:e8b0:12d1 ping6 statistics ---
> 3 packets transmitted, 0 packets received, 100.0% packet loss
>
> I can't tell from the commit if this is an intended consequence or not,
> but it seems a bit draconian if so. Surely this will cause problems for
> such well known techniques as Direct Server Return? Not to mention my
> favourite trick of hanging a jail off an internal interface where I can
> experiment with all sorts of potentially vulnerable network bits without
> exposing them to an external network.
>
>         Cheers,
>
>         Matthew
>
> [*] Ditto if I clone up a lo1 interface and move
> fd87:cd50:2103:1:57f9:9484:e8b0:12d1 to there. Works fine for 226239 or
> earlier, not for 226240 et seq. What's the point of being able to clone
> lo(4) if you can't usefully configure it with arbitrary addresses?
>
> --
> Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
>                                                   Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
> JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
>
>