IPv6 and aliases on loopback interfaces
Qing Li
qingli at freebsd.org
Sat Oct 15 23:09:35 UTC 2011
I uploaded a patch last night for this issue; it's sitting at
http://people.freebsd.org/~qingli/in6.c.diff
--Qing
On Sat, Oct 15, 2011 at 1:49 PM, Matthew Seaman
<m.seaman at infracaninophile.co.uk> wrote:
>
> So, this morning I updated to the latest stable/8 on my desktop box as
> is my habit to do about fortnightly. Lo and behold, the jail I had
> configured hanging off the loopback interface suddenly stopped being
> able to communicate with the rest of the world. For reasons too trivial
> to be worth explaining, this jail only has IPv6 connectivity.
>
> After much bisecting of versions and building of kernels I tracked the
> problem down to r226240.
>
> http://svnweb.freebsd.org/base/stable/8/sys/netinet6/in6.c?r1=226235&r2=226240
>
> After that commit, if I have the following IPv6 config on lo0:
>
> lucid-nonsense:~:% ifconfig lo0 inet6
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>         options=3<RXCSUM,TXCSUM>
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0xc
>         inet6 fd87:cd50:2103:1:57f9:9484:e8b0:12d1 prefixlen 128
>
> Then the RFC4193 address becomes unpingable[*]:
>
> lucid-nonsense:~:% ping6 fd87:cd50:2103:1:57f9:9484:e8b0:12d1
> PING6(56=40+8+8 bytes) fd87:cd50:2103:1:57f9:9484:e8b0:12d1 --> fd87:cd50:2103:1:57f9:9484:e8b0:12d1
> ^C
> --- fd87:cd50:2103:1:57f9:9484:e8b0:12d1 ping6 statistics ---
> 3 packets transmitted, 0 packets received, 100.0% packet loss
>
> I can't tell from the commit if this is an intended consequence or not,
> but it seems a bit draconian if so. Surely this will cause problems for
> such well known techniques as Direct Server Return? Not to mention my
> favourite trick of hanging a jail off an internal interface where I can
> experiment with all sorts of potentially vulnerable network bits without
> exposing them to an external network.
>
> Cheers,
>
> Matthew
>
> [*] Ditto if I clone up a lo1 interface and move
> fd87:cd50:2103:1:57f9:9484:e8b0:12d1 to there. Works fine for 226239 or
> earlier, not for 226240 et seq. What's the point of being able to clone
> lo(4) if you can't usefully configure it with arbitrary addresses?
>
> --
> Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
>                                                   Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
> JID: matthew at infracaninophile.co.uk            Kent, CT11 9PW
>
>