So, this morning I updated to the latest stable/8 on my desktop box as is my habit to do about fortnightly. Lo and behold, the jail I had configured hanging off the loopback interface suddenly stopped being able to communicate with the rest of the world. For reasons too trivial to be worth explaining, this jail only has IPv6 connectivity.
After much bisecting of versions and building of kernels I tracked the problem down to r226240.

http://svnweb.freebsd.org/base/stable/8/sys/netinet6/in6.c?r1=226235&r2=226240

After that commit, if I have the following IPv6 config on lo0:

lucid-nonsense:~:% ifconfig lo0 inet6
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=3<RXCSUM,TXCSUM>
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0xc
	inet6 fd87:cd50:2103:1:57f9:9484:e8b0:12d1 prefixlen 128

Then the RFC4193 address becomes unpingable[*]:

lucid-nonsense:~:% ping6 fd87:cd50:2103:1:57f9:9484:e8b0:12d1
PING6(56=40+8+8 bytes) fd87:cd50:2103:1:57f9:9484:e8b0:12d1 --> fd87:cd50:2103:1:57f9:9484:e8b0:12d1
^C
--- fd87:cd50:2103:1:57f9:9484:e8b0:12d1 ping6 statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss

I can't tell from the commit if this is an intended consequence or not, but it seems a bit draconian if so. Surely this will cause problems for such well known techniques as Direct Server Return? Not to mention my favourite trick of hanging a jail off an internal interface where I can experiment with all sorts of potentially vulnerable network bits without exposing them to an external network.

Cheers,

Matthew

[*] Ditto if I clone up a lo1 interface and move fd87:cd50:2103:1:57f9:9484:e8b0:12d1 to there. Works fine for 226239 or earlier, not for 226240 et seq. What's the point of being able to clone lo(4) if you can't usefully configure it with arbitrary addresses?

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matt...@infracaninophile.co.uk               Kent, CT11 9PW