IPv6 and aliases on loopback interfaces
m.seaman at infracaninophile.co.uk
Sat Oct 15 20:49:39 UTC 2011
So, this morning I updated to the latest stable/8 on my desktop box as
is my habit to do about fortnightly. Lo and behold, the jail I had
configured hanging off the loopback interface suddenly stopped being
able to communicate with the rest of the world. For reasons too trivial
to be worth explaining, this jail only has IPv6 connectivity.
After much bisecting of versions and building of kernels I tracked the
problem down to r226240.
After that commit, if I have the following IPv6 config on lo0:
lucid-nonsense:~:% ifconfig lo0 inet6
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0xc
inet6 fd87:cd50:2103:1:57f9:9484:e8b0:12d1 prefixlen 128
Then the RFC4193 address becomes unpingable[*]:
lucid-nonsense:~:% ping6 fd87:cd50:2103:1:57f9:9484:e8b0:12d1
PING6(56=40+8+8 bytes) fd87:cd50:2103:1:57f9:9484:e8b0:12d1 -->
--- fd87:cd50:2103:1:57f9:9484:e8b0:12d1 ping6 statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
I can't tell from the commit if this is an intended consequence or not,
but it seems a bit draconian if so. Surely this will cause problems for
such well known techniques as Direct Server Return? Not to mention my
favourite trick of hanging a jail off an internal interface where I can
experiment with all sorts of potentially vulnerable network bits without
exposing them to an external network.
[*] Ditto if I clone up a lo1 interface and move
fd87:cd50:2103:1:57f9:9484:e8b0:12d1 to there. Works fine for 226239 or
earlier, not for 226240 et seq. What's the point of being able to clone
lo(4) if you can't usefully configure it with arbitrary addresses?
Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matthew at infracaninophile.co.uk Kent, CT11 9PW
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 267 bytes
Desc: OpenPGP digital signature
Url : http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20111015/f062e84e/signature.pgp
More information about the freebsd-stable