[Bug 233341] 12.0-RC1 i386 vnet does not behave like the amd64 vnet version.
bugzilla-noreply at freebsd.org
Mon Nov 19 21:50:13 UTC 2018
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233341
Bug ID: 233341
Summary: 12.0-RC1 i386 vnet does not behave like the amd64 vnet version.
Product: Base System
Version: 12.0-STABLE
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: bugs at FreeBSD.org
Reporter: qjail1 at a1poweruser.com
Created attachment 199362
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=199362&action=edit
pflog from host
Symptoms: the i386 vnet does not behave like the amd64 vnet version. The i386
version floods the host pflog with IPv4 multicast requests and IPv6
neighbor-discovery requests; the amd64 version does not. On the i386 system,
with all the vnet jails stopped, issuing the shutdown command makes the
system take a dump, but only if vnet jails had been started/stopped. This does not
happen on an amd64 system.
Configuration: an i386 box running the pf firewall with very simple rules that pass
and log all traffic. This i386 box is on a private LAN, so no NAT is being done. It has
a vnet jail running the pf firewall with very simple rules that pass and log all
traffic.
Host config =
rc.conf
ifconfig_xl0="DHCP"
pf_enable="YES"
pflog_enable="YES"
pf_rules="/etc/pf.rules.host"
pflog_logfile="/var/log/pflog"
pf.rules.host
oif = "xl0"
set block-policy drop
set state-policy if-bound
set loginterface $oif
scrub out on $oif all random-id
scrub reassemble tcp
set skip on lo0
pass out log (all) quick
pass in log (all) quick
Vnet jail configuration
rc.conf
gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pf.conf
oif=epair1b
set block-policy drop
set fail-policy drop
set state-policy if-bound
scrub in on $oif all
set skip on lo0
block out log quick on $oif inet proto tcp from any to any port 43
pass out log (all) quick
pass in log (all) quick
After the vnet jail is started, I see this on the host:
ifconfig
xl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST>
options=82009<RXCSUM,VLAN_MTU,WOL_MAGIC,LINKSTATE>
ether 00:01:02:2f:c3:00
inet 10.0.10.6 netmask 0xfffffff0 broadcast 10.0.10.15
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33184
groups: pflog
bridge10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST>
ether 02:2a:47:08:71:0a
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
member: epair1a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
ifmaxaddr 0 port 7 priority 128 path cost 2000
member: xl0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
ifmaxaddr 0 port 2 priority 128 path cost 200000
groups: bridge
nd6 options=9<PERFORMNUD,IFDISABLED>
epair1a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST>
options=8<VLAN_MTU>
ether 02:a0:73:db:2f:0a
inet6 fe80::a0:73ff:fedb:2f0a%epair1a prefixlen 64 scopeid 0x7
groups: epair
media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
status: active
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
ps ax
692 - DL 0:06.87 [pf purge]
1105 - Is 0:00.00 pflogd: [priv] (pflogd)
1106 - S 0:00.29 pflogd: [running] -s 116 -i pflog0
1409 - IsJ 0:00.01 pflogd: [priv] (pflogd)
1413 - SJ 0:00.31 pflogd: [running] -s 116 -i pflog0
1465 - SsJ 0:00.02 /usr/sbin/syslogd -ss
1521 - IsJ 0:00.03 /usr/sbin/cron -J 60 -s
After the vnet jail is started, I see this on the vnet console:
ifconfig
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33184
groups: pflog
epair1b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST>
options=8<VLAN_MTU>
ether 02:a0:73:db:2f:0b
inet 10.0.10.31 netmask 0xff000000 broadcast 10.255.255.255
inet6 fe80::a0:73ff:fedb:2f0b%epair1b prefixlen 64 scopeid 0x3
groups: epair
media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
status: active
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
******************************************************
From the vnet console I issue this command.
ping -c 2 freebsd.org
PING freebsd.org (96.47.72.84): 56 data bytes
64 bytes from 96.47.72.84: icmp_seq=0 ttl=46 time=39.367 ms
64 bytes from 96.47.72.84: icmp_seq=1 ttl=46 time=39.096 ms
--- freebsd.org ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 39.096/39.231/39.367/0.135 ms
Then I looked at the pflog on the host and in the vnet jail
to see the ping packets, and what I see is a flood of other
IPv4 and IPv6 packets. The IPv6 packet flood was there in 11.x i386,
and now in 12.0 there is a flood of IPv4 packets as well. There is a bug report
about the IPv6 packet flood in 11.x. A lot of network resources are
being consumed by this background noise. It looks like it originates
from VIMAGE.
The pflog host report is attached as separate file.
pflog.txt.bug1.host
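Added example, not part of the bug report or of the attached pflog: a small Python script that triages `tcpdump -n -e -ttt -r /var/log/pflog` output into the classes the report describes (IPv4 multicast, IPv6 neighbor discovery, other IPv6 multicast, plain unicast) and reports how much of the log is that background noise, and on which interface it arrived. The sample lines embedded below are constructed in the tcpdump pflog format for illustration; they are not taken from the attachment, and the addresses reuse the ones shown in the ifconfig output above only for readability. To run it against a real log, pipe the tcpdump text into it on stdin.

```python
import ipaddress
import re
import sys
from collections import Counter

# Constructed sample of `tcpdump -n -e -ttt -r /var/log/pflog` output.
# These lines are made up for this example; they are NOT the attached pflog.
SAMPLE_PFLOG = """\
00:00:00.000000 rule 1/0(match): pass out on epair1a: 10.0.10.31 > 96.47.72.84: ICMP echo request, id 1, seq 0, length 64
00:00:00.039367 rule 1/0(match): pass in on epair1a: 96.47.72.84 > 10.0.10.31: ICMP echo reply, id 1, seq 0, length 64
00:00:00.000100 rule 1/0(match): pass in on xl0: 10.0.10.31 > 224.0.0.22: igmp v3 report, 1 group record(s)
00:00:00.000100 rule 1/0(match): pass in on xl0: 10.0.10.6 > 224.0.0.1: igmp query v2
00:00:00.000050 rule 1/0(match): pass out on epair1a: fe80::a0:73ff:fedb:2f0a > ff02::1:ffdb:2f0b: ICMP6, neighbor solicitation, who has fe80::a0:73ff:fedb:2f0b, length 32
00:00:00.000050 rule 1/0(match): pass in on epair1a: fe80::a0:73ff:fedb:2f0b > fe80::a0:73ff:fedb:2f0a: ICMP6, neighbor advertisement, tgt is fe80::a0:73ff:fedb:2f0b, length 32
00:00:00.000050 rule 1/0(match): pass out on epair1a: fe80::a0:73ff:fedb:2f0a > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
00:00:00.000100 rule 1/0(match): pass in on xl0: 10.0.10.31 > 224.0.0.22: igmp v3 report, 1 group record(s)
"""

# One pflog record as tcpdump prints it with -e: timestamp, matching rule,
# action, direction, interface, then the usual "src > dst: protocol details".
LINE_RE = re.compile(
    r"^(?P<delta>\S+) rule (?P<rule>\S+): (?P<action>\w+) (?P<dir>in|out) on "
    r"(?P<ifname>\w+): (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)

# Traffic classes that the report calls "background noise".
NOISE = {"ipv4-multicast", "ipv6-nd", "ipv6-multicast"}


def parse_line(line):
    """Return a dict of the record's fields, or None for lines that are not pflog records."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Bucket a parsed record by destination address family/scope and ICMP6 message type."""
    try:
        dst = ipaddress.ip_address(rec["dst"])
    except ValueError:
        return "unparsed"  # e.g. a destination printed with a port suffix
    rest = rec["rest"].lower()
    if dst.version == 6 and ("neighbor solicitation" in rest or "neighbor advertisement" in rest):
        return "ipv6-nd"  # ND advertisements are unicast, so check this before the scope test
    if dst.is_multicast:
        return "ipv4-multicast" if dst.version == 4 else "ipv6-multicast"
    return "unicast"


def summarize(text):
    """Count records per class and per interface; noise_ratio is the share that is not unicast."""
    counts = Counter()
    noise_per_if = Counter()
    total = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        total += 1
        cls = classify(rec)
        counts[cls] += 1
        if cls in NOISE:
            noise_per_if[rec["ifname"]] += 1
    noise = sum(counts[c] for c in NOISE)
    return {
        "total": total,
        "counts": dict(counts),
        "noise_per_if": dict(noise_per_if),
        "noise_ratio": noise / total if total else 0.0,
    }


if __name__ == "__main__":
    # Read tcpdump text from stdin if piped, otherwise use the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PFLOG
    result = summarize(text)
    print(f"records: {result['total']}  noise share: {result['noise_ratio']:.0%}")
    for cls, n in sorted(result["counts"].items()):
        print(f"  {cls:16s} {n}")
    for ifname, n in sorted(result["noise_per_if"].items()):
        print(f"  noise on {ifname:9s} {n}")
```

On the sample, six of eight records are multicast or neighbor-discovery traffic, split evenly between xl0 and epair1a, which is the kind of figure worth quoting in a report like this one instead of "a flood". Because both rulesets end in `pass ... log (all) quick` catch-alls, every one of those packets is written to pflog; if the aim is only to keep the log readable while the underlying behaviour is investigated, matching the IGMP and ICMP6 neighbor-discovery traffic with an earlier `pass quick` rule that omits `log` removes the noise from the log without blocking it.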