[Bug 212031] 11.0-RC1: vimage jail with ipfw flooded with repeated ipv6 packets

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Sun Aug 21 20:00:43 UTC 2016


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212031

            Bug ID: 212031
           Summary: 11.0-RC1: vimage jail with ipfw flooded with repeated
                    ipv6 packets
           Product: Base System
           Version: 11.0-RC1
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: qjail1 at a1poweruser.com

Tested on 11.0-RC1 with only vimage compiled into the kernel.
Tested ipfw in vnet jail and no firewall on host.
Tested ipfw in vnet jail and on the host.



Testing no ipfw firewall running on host, just in vnet jail.

When starting vnet jail with ipfw, I check if ipfw kernel modules are
loaded, if not then I load them. Auto loading of modules does not happen.


No ipfw logging takes place in the vnet jail or on the host.

Issuing the "ipfw show" command from the started vnet jail console shows this
v84 /root >ipfw show
00050 0   0 check-state
00060 0   0 allow ip from any to any via lo0
00070 0   0 deny log tcp from any to any dst-port 43 out via epair26b
00080 0   0 allow log ip from any to any via epair26b keep-state
00090 0   0 allow log ip from any to any keep-state
00099 0   0 allow log ip from any to any


Issuing the "ping" command from the started vnet jail console works.

Issuing the "whois" command from the started vnet jail console does not work.
It just hangs until Ctrl-C to break free. But the "ipfw show" shows counts
increasing. This is because the whois command does a dns lookup first and
those packets are not blocked.

v84 /root >whois 8.8.8.8
^C
v84 /root >ipfw show
00050 0   0 check-state
00060 0   0 allow ip from any to any via lo0
00070 0   0 deny log tcp from any to any dst-port 43 out via epair26b
00080 3 180 allow log ip from any to any via epair26b keep-state
00090 0   0 allow log ip from any to any keep-state
00099 0   0 allow log ip from any to any
65535 4 320 deny ip from any to any

This would seem to indicate that the ipfw rules in a vnet jail are 
functioning even though there is no log file to view.



Testing ipfw firewall running on host and vnet jail.

Issuing the "ipfw show" command from the host console shows this
 /root >ipfw show
00001  0    0 check-state
00002  0    0 allow ip from any to any via lo0
00003  0    0 deny ip from 10.0.10.4 to any
00004 16 2192 allow log ip from any to any via fxp0 keep-state
00005  9  740 allow log ip from any to any keep-state
65535  0    0 deny ip from any to any

Issuing the "ipfw show" command from the started vnet jail
console shows this
v84 /root >ipfw show
00050 0   0 check-state
00060 0   0 allow ip from any to any via lo0
00070 0   0 deny log tcp from any to any dst-port 43 out via epair26b
00080 0   0 allow log ip from any to any via epair26b keep-state
00090 0   0 allow log ip from any to any keep-state
00099 0   0 allow log ip from any to any
65535 7 604 deny ip from any to any

Take note of the different rule numbers between the jail rules and the host's
rules. This is done so I can tell in the ipfw log file who is issuing the
logged records.

The host's ipfw log logs this on vnet jail startup.

 5 Accept ICMPv6:143.0 [::] [ff02::16] out via epair26a
 5 Accept ICMPv6:143.0 [::] [ff02::16] out via epair26a
 5 Accept ICMPv6:135.0 [::] [ff02::1:ff00:40a] out via epair26a
 5 Accept ICMPv6:143.0 [fe80::c1:ff:fe00:40a] [ff02::16] out via epair26a
80 Accept ICMPv6:143.0 [fe80::c1:ff:fe00:50b] [ff02::16] out via epair26b
 5 Accept ICMPv6:143.0 [fe80::c1:ff:fe00:50b] [ff02::16] in via epair26a
 5 Accept ICMPv6:143.0 [fe80::c1:ff:fe00:50b] [ff02::16] in via epair26a
 5 Accept ICMPv6:143.0 [fe80::c1:ff:fe00:50b] [ff02::16] out via bridge0
 5 Accept ICMPv6:143.0 [fe80::c1:ff:fe00:50b] [ff02::16] out via fxp0
 5 Accept ICMPv6:143.0 [fe80::c1:ff:fe00:50b] [ff02::16] in via epair26a
 4 Accept UDP [fe80::d950:d6dc:db92:f20d]:546 [ff02::1:2]:547 in via fxp0
 4 Accept UDP [fe80::d950:d6dc:db92:f20d]:546 [ff02::1:2]:547 in via fxp0
 4 Accept UDP [fe80::d950:d6dc:db92:f20d]:546 [ff02::1:2]:547 out via bridge0
 4 Accept UDP [fe80::d950:d6dc:db92:f20d]:546 [ff02::1:2]:547 out via epair26a

These log messages are repeated in cycles for the whole time the vnet jail
is running. 

Issuing the "ping" command from the started vnet jail console works and the
host's ipfw log shows this
80 Accept ICMP:8.0 10.26.0.2 8.8.8.8 out via epair26b
 5 Accept ICMP:8.0 10.26.0.2 8.8.8.8 in via epair26a
 5 Accept ICMP:8.0 10.26.0.2 8.8.8.8 out via fxp0
 5 Accept ICMP:0.0 8.8.8.8 10.26.0.2 in via fxp0
 5 Accept ICMP:0.0 8.8.8.8 10.26.0.2 in via fxp0
 5 Accept ICMP:0.0 8.8.8.8 10.26.0.2 out via bridge0
 5 Accept ICMP:0.0 8.8.8.8 10.26.0.2 out via epair26a
80 Accept ICMP:0.0 8.8.8.8 10.26.0.2 in via epair26b
80 Accept ICMP:8.0 10.26.0.2 8.8.8.8 out via epair26b
 5 Accept ICMP:8.0 10.26.0.2 8.8.8.8 in via epair26a
 5 Accept ICMP:8.0 10.26.0.2 8.8.8.8 out via fxp0
 5 Accept ICMP:0.0 8.8.8.8 10.26.0.2 in via fxp0
 5 Accept ICMP:0.0 8.8.8.8 10.26.0.2 in via fxp0
 5 Accept ICMP:0.0 8.8.8.8 10.26.0.2 out via bridge0
 5 Accept ICMP:0.0 8.8.8.8 10.26.0.2 out via epair26a

Issuing the "ipfw show" command from the started vnet jail
console after the ping command shows this
v84 /root >ipfw show
00050  0    0 check-state
00060  0    0 allow ip from any to any via lo0
00070  0    0 deny log tcp from any to any dst-port 43 out via epair26b
00080 45 5960 allow log ip from any to any via epair26b keep-state
00090  0    0 allow log ip from any to any keep-state
00099  0    0 allow log ip from any to any
65535  7  604 deny ip from any to any

Issuing the "ipfw show" command from the host console after the ping command
shows this
/root >ipfw show
00001   0     0 check-state
00002   0     0 allow ip from any to any via lo0
00003   0     0 deny ip from 10.0.10.4 to any
00004 242 29152 allow log ip from any to any via fxp0 keep-state
00005  33  2756 allow log ip from any to any keep-state
65535   0     0 deny ip from any to any

Issuing the "whois" command from the started vnet jail console works,
in that the command is blocked. This is what is shown
v84 /root >whois 8.8.8.8
whois: connect(): Operation timed out

Looks like things are working as expected.



Problems.
1. Why is the vnet jail issuing all that ipv6 traffic? This should only happen
if the vnet jail has an IPv6 address coded in this vnet jail's jail.conf
definition. This flood of background noise slows down the vnet jail processing
of packets. This flood of ipv6 packets is also seen by the pf and ipfilter
firewalls when they are run in a vnet jail. Looks like vimage is doing this.

2. Why does ipfw in the vnet jail not log to a log file in the vnet jail's
/var/log directory? Having all the vnet jails' log records intermingling with
each other and with the host's log records in the host's ipfw log file will soon
become unmanageable as users add more vnet jails to the host.

3. To have vnet jail ipfw logging, the user is forced to also run ipfw on the
host.
