Regression with jails/IPv6/pf

So, I tried to do a routine update to the latest stable/9 yesterday
(r238771), and I found that access to the jail on my server had stopped
working. Everything else seemed to be fine, and reverting to the
previous system (r237456 from 2012-06-22 (Boot Environments FTW)) brought
it all back to life.

After spending most of today bisecting versions and compiling kernels,
I found:

r238177 worked absolutely fine

r238236 accessing the jail worked, but everything was slow, as if
DNS queries were timing out.

r238246 lots of network timeouts everywhere: accessing the jail
failed, but then so did accessing the main host. So much
so that svn couldn't update properly.

r238256 worked fine for accessing the main host, but failed when
trying to access the jail.

Looks like this seems to have been introduced in a batch of commits
MFC'd by bz@ (CC'd) around then.

Now, this jail is set up in an unusual way, which is why I guess I'm the
first person to be affected. For starters, it only has IPv6
connectivity, and secondly, because I'm running some daemons there I
don't want listening on an external network socket, it's bound to the
loopback and I use firewall redirection to send traffic to it.

The jail config in /etc/rc.conf looks like this:

jail_interface="lo1"
jail_devfs_enable="YES"
jail_devfs_ruleset="devfsrules_jail_zfs"
jail_fdescfs_enable="YES"
jail_procfs_enable="YES"
jail_set_hostname_allow="NO"
jail_socket_unixiproute_only="YES"
jail_sysvipc_allow="NO"
jail_parallel_start="NO"

jail_xenophobe_hostname="xenophobe.infracaninophile.co.uk"
jail_xenophobe_rootdir="/jail/xenophobe"
jail_xenophobe_ip="fd87:cd50:2103:1:54f9:9484:e8b0:12d1"
jail_xenophobe_mount_enable="YES"
jail_xenophobe_zfs="zroot/jail/xenophobe zroot/jail/xenophobe/TimeMachine"
jail_xenophobe_params="enforce_statfs=1"

I've cloned a second loopback I/F and given the jail an address from the
IPv6 private address range (RFC4193). Cloning the interface
isn't absolutely necessary -- exactly the same symptoms occur if I use
an alias address on lo0 -- but it makes it easier to see only jail
traffic when using tcpdump.

Then I've enabled access via the network using nat+rdr in PF, like so:

table <localnets> const { 2001:8b0:151:1::/64, \
81.187.76.160/29, \
fd87:cd50:2103:1::/64 }

xenophobe_int="fd87:cd50:2103:1:54f9:9484:e8b0:12d1"
xenophobe_ext="2001:8b0:151:1:54f9:9484:e8b0:12d1"

[...]

nat on $ext_if_plus from $xenophobe_int to any -> $xenophobe_ext
rdr inet6 proto tcp from <localnets> to $xenophobe_ext \
port { 22, 80, 443, 548, 4700 } -> $xenophobe_int

When trying to ssh into the jail with a kernel exhibiting this problem,
tcpdump showed that traffic was reaching the sshd in the jail and
responses were being generated, but they didn't make it out onto the net.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matthew@xxxxxxxxxxxxxxxxxxxxxx

7 Priory Courtyard
Flat 3
Ramsgate
Kent, CT11 9PW

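An added example, not part of Matthew's post: a small Python script that compares tcpdump output captured on lo1 with output captured on the external interface and lists flows whose replies leave the jail on the loopback but never show up on the outside with the NAT'd source address, which is the symptom described above. The jail addresses are the ones from the post; the client address, ports, timestamps and capture lines are constructed.

```python
import re
from collections import namedtuple

# Addresses from the post; everything else in the sample captures is constructed.
JAIL_INT = "fd87:cd50:2103:1:54f9:9484:e8b0:12d1"   # address on lo1 (rdr target)
JAIL_EXT = "2001:8b0:151:1:54f9:9484:e8b0:12d1"     # public address (nat source)

Pkt = namedtuple("Pkt", "src sport dst dport flags")
# tcpdump prints an IPv6 address followed by '.' and the port number.
PKT_RE = re.compile(
    r"^\S+ IP6 (?P<src>\S+?)\.(?P<sport>\d+) > (?P<dst>\S+?)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\]")

def parse_capture(lines):
    """Yield a Pkt for each TCP line tcpdump printed; skip anything else."""
    for line in lines:
        m = PKT_RE.match(line)
        if m:
            yield Pkt(m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])

def lost_replies(lo_lines, ext_lines, jail_int=JAIL_INT, jail_ext=JAIL_EXT):
    """Flows (client, client_port, service_port) whose replies were seen leaving the
    jail on lo1 but never appeared on the external I/F with the NAT'd source address."""
    seen_lo = {(p.dst, p.dport, p.sport) for p in parse_capture(lo_lines) if p.src == jail_int}
    seen_ext = {(p.dst, p.dport, p.sport) for p in parse_capture(ext_lines) if p.src == jail_ext}
    return sorted(seen_lo - seen_ext)

# Constructed captures: the ssh (port 22) reply vanishes, the http (port 80) reply gets out.
LO1 = [
    "12:00:00.000100 IP6 2001:8b0:151:1::10.50123 > fd87:cd50:2103:1:54f9:9484:e8b0:12d1.22: Flags [S], seq 1, win 65535, length 0",
    "12:00:00.000200 IP6 fd87:cd50:2103:1:54f9:9484:e8b0:12d1.22 > 2001:8b0:151:1::10.50123: Flags [S.], seq 2, ack 2, win 65535, length 0",
    "12:00:01.000100 IP6 2001:8b0:151:1::10.50456 > fd87:cd50:2103:1:54f9:9484:e8b0:12d1.80: Flags [S], seq 3, win 65535, length 0",
    "12:00:01.000200 IP6 fd87:cd50:2103:1:54f9:9484:e8b0:12d1.80 > 2001:8b0:151:1::10.50456: Flags [S.], seq 4, ack 4, win 65535, length 0",
]
EXT = [
    "12:00:00.000050 IP6 2001:8b0:151:1::10.50123 > 2001:8b0:151:1:54f9:9484:e8b0:12d1.22: Flags [S], seq 1, win 65535, length 0",
    "12:00:01.000050 IP6 2001:8b0:151:1::10.50456 > 2001:8b0:151:1:54f9:9484:e8b0:12d1.80: Flags [S], seq 3, win 65535, length 0",
    "12:00:01.000250 IP6 2001:8b0:151:1:54f9:9484:e8b0:12d1.80 > 2001:8b0:151:1::10.50456: Flags [S.], seq 4, ack 4, win 65535, length 0",
]

if __name__ == "__main__":
    for client, cport, sport in lost_replies(LO1, EXT):
        print(f"reply from jail port {sport} to [{client}]:{cport} never left the external I/F")
```

On a real host the two lists would come from `tcpdump -ni lo1 tcp` and `tcpdump -ni <ext_if> tcp` run side by side.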