[Bug 219557] 11.0-RELEASE-p10 VIMAGE: udpv6 and tcpv6 blocked between master host and jail
bugzilla-noreply at freebsd.org
Thu May 25 21:18:43 UTC 2017
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219557
Bug ID: 219557
Summary: 11.0-RELEASE-p10 VIMAGE: udpv6 and tcpv6 blocked between master host and jail
Product: Base System
Version: 11.0-RELEASE
Hardware: amd64
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: freebsd-bugs at FreeBSD.org
Reporter: michael at brokendns.net
In 11.0-RELEASE-p10, IPv6 UDP and TCP connectivity appears to be blocked
between the host and guest jail.
o ICMPv6 (e.g. ping) works in both directions
o UDPv6 and TCPv6 are blocked in the direction master-host --> jail
o If I try to initiate a TCP connection from the jail to the master host, I
can see the SYN from the jail on the master host and the SYN-ACK from the
master host back to the jail. BUT the jail never responds to the SYN-ACK.
o If I try to initiate a TCP connection from the master host to the jail, I
never see a SYN-ACK back from the jail.
o UDPv6 and TCPv6 work fine from hosts outside of the master host (other hosts
on the network) to the jail
o UDPv4 and TCPv4 work fine between master host and jail
o This problem is reproducible even if there is no firewall on the system (i.e.
no ipfw/pf/ipf modules even loaded into the kernel)
o This problem DOES NOT occur on 10.3-RELEASE-p19 (r317835)
o This problem DOES NOT occur on 11-STABLE (r318822)
o The only version where I can reproduce it is 11-RELEASE-p10 (yes I am
confused about that too)
o I used the exact same /etc/jail.conf file and /etc/rc.conf (and kernel
config) on all three versions, on the same hardware, and got the results
described above.
o I can also reproduce the problem on other hosts, with other IPv[46]
addresses, running 11-RELEASE-p10
TO REPRODUCE:
o Install 11-RELEASE-p10 from source, using a kernel config with the following
diffs from GENERIC:
*** GENERIC Thu Apr 6 14:39:44 2017
--- 11_VIMAGE Thu Apr 6 15:58:52 2017
***************
*** 357,359 ****
--- 357,367 ----
# The crypto framework is required by IPSEC
device crypto # Required by IPSEC
+
+ options VIMAGE
+ device epair
+ device if_bridge
+
+ # The nullFS to mount local directory
+ options NULLFS
+
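Review bot: in the added block at 357-367, `options VIMAGE`, `device epair` and `device if_bridge` have no comment of their own and sit directly under the "required by IPSEC" lines, so they read as part of the crypto section, while `options NULLFS` does get a comment. A one-line comment above the three lines naming them as the vnet jail networking options would keep the config self-describing.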
o Configure network interfaces (igb0 in this case) statically for both IPv4 and
IPv6.
The following /etc/jail.conf:
# Generated by rc.d/jail at 2015-09-17 14:57:23
allow.raw_sockets = "1";
testjail {
    host.hostname = "testjail";
    path = "/jails/testjail";
    vnet;
    vnet.interface = "epair0b";
    exec.clean;
    exec.system_user = "root";
    exec.jail_user = "root";
    exec.prestart += "ifconfig epair0 create up";
    exec.prestart += "ifconfig bridge0 addm igb0 addm epair0a";
    exec.prestart += "ifconfig epair0a up";
    exec.poststop += "ifconfig bridge0 delete epair0a";
    exec.poststop += "ifconfig epair0a destroy";
    exec.start += "/sbin/ifconfig lo0 up";
    exec.start += "/sbin/ifconfig epair0b inet <ipv4>/24 up";
    exec.start += "/sbin/ifconfig epair0b inet6 -ifdisabled";
    exec.start += "/sbin/ifconfig epair0b inet6 <ipv6>/64";
    exec.start += "/sbin/route add default <v4gw>";
    exec.start += "/sbin/route add -6 default <v6gw>";
    exec.start += "/sbin/ifconfig epair0b inet6 -ifdisabled";
    exec.start += "/sbin/ifconfig lo1 create";
    exec.start += "/sbin/ifconfig lo1 inet <separate-svc-address>/32";
    exec.start += "/sbin/ifconfig lo1 inet6 <separate svc-address> prefixlen 128";
    exec.start += "/sbin/ifconfig lo1 down";
    exec.start += "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    exec.consolelog = "/var/log/jail_testjail_console.log";
    mount.fstab = "/etc/jails/fstabs/testjail";
    mount.devfs;
    allow.mount;
    allow.set_hostname = 1;
    allow.sysvipc = 0;
}
o Relevant configs in /etc/rc.conf:
cloned_interfaces="bridge0 lo1"
ifconfig_bridge0="up"
jail_enable="YES"
jail_list="testjail"
I can share more configs and logs upon request.
--
You are receiving this mail because:
You are the assignee for the bug.
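
Added example, not part of the original bug report: a POSIX sh/awk helper that reads `tcpdump -n` text output and reports how far each TCPv6 handshake got, which separates the two symptoms described in the report (SYN-ACK sent but never answered, and SYN never answered). The function names are hypothetical, and the capture lines, addresses and ports are constructed using the 2001:db8::/32 documentation prefix.

```shell
#!/bin/sh
# Added example. Assumes default `tcpdump -n` text output (timestamp first).

# Print "<client> > <server> <state>" for every TCPv6 flow opened by a SYN.
handshake_state() {
    awk '
    $2 == "IP6" && /Flags \[/ {
        src = $3; dst = $5; sub(/:$/, "", dst)
        flags = $7; sub(/^\[/, "", flags); sub(/\].*$/, "", flags)
        if (flags == "S") {                     # client SYN opens the flow
            key = src " > " dst
            if (!(key in st)) { order[++n] = key; st[key] = "syn-only" }
        } else if (flags == "S.") {             # SYN-ACK goes server -> client
            key = dst " > " src
            if (st[key] == "syn-only") st[key] = "synack-unanswered"
        } else if (index(flags, ".") && !index(flags, "R")) {
            key = src " > " dst                 # client ACK completes it
            if (st[key] == "synack-unanswered") st[key] = "established"
        }
    }
    END { for (i = 1; i <= n; i++) print order[i], st[order[i]] }
    '
}

# Constructed capture: ::10 is the jail, ::1 the master host, ::99 another host.
sample_capture() {
    cat <<'EOF'
12:00:00.000001 IP6 2001:db8::10.51234 > 2001:db8::1.22: Flags [S], seq 100, win 65535, length 0
12:00:00.000050 IP6 2001:db8::1.22 > 2001:db8::10.51234: Flags [S.], seq 900, ack 101, win 65535, length 0
12:00:03.000050 IP6 2001:db8::1.22 > 2001:db8::10.51234: Flags [S.], seq 900, ack 101, win 65535, length 0
12:00:05.000001 IP6 2001:db8::1.40000 > 2001:db8::10.22: Flags [S], seq 200, win 65535, length 0
12:00:08.000001 IP6 2001:db8::1.40000 > 2001:db8::10.22: Flags [S], seq 200, win 65535, length 0
12:00:09.000001 IP6 2001:db8::99.40001 > 2001:db8::10.22: Flags [S], seq 300, win 65535, length 0
12:00:09.000040 IP6 2001:db8::10.22 > 2001:db8::99.40001: Flags [S.], seq 700, ack 301, win 65535, length 0
12:00:09.000090 IP6 2001:db8::99.40001 > 2001:db8::10.22: Flags [.], ack 701, win 65535, length 0
EOF
}

sample_capture | handshake_state
```

On a live system the input would come from something like `tcpdump -n -i bridge0 ip6 and tcp` piped into `handshake_state`, run once on the host side and once inside the jail to see on which side each packet disappears.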