IPv6 and aliases on loopback interfaces

Qing Li qingli at freebsd.org
Sat Oct 15 23:09:35 UTC 2011


I uploaded a patch last night for this issue; it's sitting at

   http://people.freebsd.org/~qingli/in6.c.diff

--Qing


On Sat, Oct 15, 2011 at 1:49 PM, Matthew Seaman
<m.seaman at infracaninophile.co.uk> wrote:
>
> So, this morning I updated to the latest stable/8 on my desktop box as
> is my habit to do about fortnightly.  Lo and behold, the jail I had
> configured hanging off the loopback interface suddenly stopped being
> able to communicate with the rest of the world.  For reasons too trivial
> to be worth explaining, this jail only has IPv6 connectivity.
>
> After much bisecting of versions and building of kernels I tracked the
> problem down to r226240.
>
> http://svnweb.freebsd.org/base/stable/8/sys/netinet6/in6.c?r1=226235&r2=226240
>
> After that commit, if I have the following IPv6 config on lo0:
>
> lucid-nonsense:~:% ifconfig lo0 inet6
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>        options=3<RXCSUM,TXCSUM>
>        inet6 ::1 prefixlen 128
>        inet6 fe80::1%lo0 prefixlen 64 scopeid 0xc
>        inet6 fd87:cd50:2103:1:57f9:9484:e8b0:12d1 prefixlen 128
>
> Then the RFC4193 address becomes unpingable[*]:
>
> lucid-nonsense:~:% ping6 fd87:cd50:2103:1:57f9:9484:e8b0:12d1
> PING6(56=40+8+8 bytes) fd87:cd50:2103:1:57f9:9484:e8b0:12d1 -->
> fd87:cd50:2103:1:57f9:9484:e8b0:12d1
> ^C
> --- fd87:cd50:2103:1:57f9:9484:e8b0:12d1 ping6 statistics ---
> 3 packets transmitted, 0 packets received, 100.0% packet loss
>
> I can't tell from the commit if this is an intended consequence or not,
> but it seems a bit draconian if so.  Surely this will cause problems for
> such well known techniques as Direct Server Return?  Not to mention my
> favourite trick of hanging a jail off an internal interface where I can
> experiment with all sorts of potentially vulnerable network bits without
> exposing them to an external network.
>
>        Cheers,
>
>        Matthew
>
> [*] Ditto if I clone up a lo1 interface and move
> fd87:cd50:2103:1:57f9:9484:e8b0:12d1 to there.  Works fine for 226239 or
> earlier, not for 226240 et seq.  What's the point of being able to clone
> lo(4) if you can't usefully configure it with arbitrary addresses?
>
> --
> Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
>                                                  Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
> JID: matthew at infracaninophile.co.uk               Kent, CT11 9PW
>
>


More information about the freebsd-stable mailing list