Re: Simple IPv6 question [Was: Re: IPv6 site local EUI-64 addresses and jails]

2005-08-15 Thread Michael W. Oliver
On 2005-08-15T20:51:05+0200, Emanuel Strobl wrote:
> Dear inet6 guys,
> 
> I don't know the kind of addresses FreeBSD uses for autoconfigured 
> link-local addresses.
> For example: fe80::20e:cff:fe34:2bf8%em0
> 
> What the heck is %em0 ??? Interestingly I can use this address, but ping6 
> fe80::20e:cff:fe34:2bf8 doesn't work
> The Handbook doesn't clarify this mysterious address. Is it FreeBSD 
> specific?

Check out

http://www.freebsd.org/doc/en_US.ISO8859-1/books/developers-handbook/ipv6.html

``Some of the userland tools support extended numeric IPv6 syntax, as
documented in draft-ietf-ipngwg-scopedaddr-format-00.txt. You can
specify outgoing link, by using name of the outgoing interface like
"fe80::1%ne0". This way you will be able to specify link-local scoped
address without much trouble.''

-- 
Mike Oliver
[see complete headers for contact information]




Simple IPv6 question [Was: Re: IPv6 site local EUI-64 addresses and jails]

2005-08-15 Thread Emanuel Strobl
On Friday, 12 August 2005 21:24 CEST, Emanuel Strobl wrote:
> On Friday, 12 August 2005 20:53 CEST, Emanuel Strobl wrote:
> > Hi all,
> >
> > I'm quite new to IPv6 so I'd like to ask some questions:
>
> Here are two more:
>
> How do I use the eui64 option of ifconfig? 'ifconfig fxp0 inet6
> fe80:0:0:0:eui64 ' doesn't work!
>
> What's the meaning of the "%fxp0" tail of the ifconfig output for the
> inet6 address?

Dear inet6 guys,

I don't know the kind of addresses FreeBSD uses for autoconfigured 
link-local addresses.
For example: fe80::20e:cff:fe34:2bf8%em0

What the heck is %em0 ??? Interestingly I can use this address, but ping6 
fe80::20e:cff:fe34:2bf8 doesn't work
The Handbook doesn't clarify this mysterious address. Is it FreeBSD 
specific?

Thanks in advance, I posted this also to current@ since I got no answer 
from questions@

-Harry


>
> Thanks,
>
> -Harry
>
> > So far I know how to generate a site-local address on the basis of the
> > MAC address of the interface. That's what FreeBSD does itself for INET6
> > enabled kernels.
> > Now in the 24-16-24 scheme of the interface id part of the IPv6
> > address, the 16 bits were inserted with the value FFFE. And bit 57 was
> > changed to one! Why? What if it is already one? Or isn't there any
> > vendor who can have bit 41 of his MAC 1?
> > Now I want to use a dedicated interface, which is in a different
> > subnet, for 5 jails. How do I do that if I want to keep the MAC
> > relation and if I'm not allowed to change the FFFE insert? It isn't
> > possible then, is it? What should I do instead? Invent my own 64-bit
> > scheme?
> >
> > I hope you understand my questions, thanks a lot in advance,
> >
> > -Harr




Re: IPv6 site local EUI-64 addresses and jails

2005-08-13 Thread Emanuel Strobl
On Saturday, 13 August 2005 10:53 CEST, David Malone wrote:
> On Fri, Aug 12, 2005 at 08:53:20PM +0200, Emanuel Strobl wrote:
> > Now in the 24-16-24 scheme of the interface id part of the IPv6
> > address, the 16 bits were inserted with the value FFFE. And bit 57 was
> > changed to one! Why? What if it is already one? Or isn't there any
> > vendor who can have bit 41 of his MAC 1?
>
> Some of the bits of a MAC address are reserved. There is a bit that
> indicates if the address is the address of a group of machines (for
> multicast) or the address of a single machine. The bit that is
> flipped when generating IPv6 addresses is the "local/global" bit,
> that indicates if the address has been assigned locally or by some
> global authority.  For normal ethernet cards, this bit would always
> be 0.
>
> > Now I want to use a dedicated interface, which is in a different
> > subnet, for 5 jails. How do I do that if I want to keep the MAC
> > relation and if I'm not allowed to change the FFFE insert? It isn't
> > possible then, is it? What should I do instead? Invent my own 64-bit
> > scheme?
>
> I'd suggest that you use manually assigned addresses in cases like this.
> You know what sort of addresses will be generated by autoconfiguration,
> so it should be easy for you to choose addresses that won't clash.
>
> Unfortunately jails do not actually support restricting the use of IPv6
> addresses right now.

Thanks a lot for your explanation! I have patches from Olivier Houchard for 
testing which extend jails for IPv6 :)
He wrote it some time ago for RELENG_5 but wasn't sure if it is secure 
enough to commit it.
I think more testers are welcome. I have to solve some other IPv6 
problems first (like auto host config and DNS?), so I attach the patches 
here, I can't imagine why Olivier wouldn't want that.

Best regards,

-Harry


>
>   David.
> ___
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "[EMAIL PROTECTED]"
Index: sys/kern/kern_jail.c
===
RCS file: /cognet/ncvs/src/sys/kern/kern_jail.c,v
retrieving revision 1.50
diff -u -p -r1.50 kern_jail.c
--- sys/kern/kern_jail.c	23 Jun 2005 22:13:28 -	1.50
+++ sys/kern/kern_jail.c	12 Aug 2005 22:57:21 -
@@ -12,6 +12,7 @@ __FBSDID("$FreeBSD: src/sys/kern/kern_ja
 
 #include "opt_mac.h"
 
+#include "opt_inet6.h"
 #include 
 #include 
 #include 
@@ -49,7 +50,7 @@ SYSCTL_INT(_security_jail, OID_AUTO, set
 int	jail_socket_unixiproute_only = 1;
 SYSCTL_INT(_security_jail, OID_AUTO, socket_unixiproute_only, CTLFLAG_RW,
 &jail_socket_unixiproute_only, 0,
-"Processes in jail are limited to creating UNIX/IPv4/route sockets only");
+"Processes in jail are limited to creating UNIX/IP/route sockets only");
 
 int	jail_sysvipc_allowed = 0;
 SYSCTL_INT(_security_jail, OID_AUTO, sysvipc_allowed, CTLFLAG_RW,
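Review bot: The new description string "UNIX/IP/route" is less precise than the one it replaces; spell out both families, for example "UNIX/IPv4/IPv6/route sockets only", so an administrator reading the sysctl knows that IPv6 sockets are now expected inside a jail. The lines here change only the text, so please also confirm that the code consulting jail_socket_unixiproute_only was updated to match the new wording.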
@@ -134,6 +135,9 @@ jail(struct thread *td, struct jail_args
 	error = copyinstr(j.hostname, &pr->pr_host, sizeof(pr->pr_host), 0);
 	if (error)
 		goto e_dropvnref;
+#ifdef INET6
+	memcpy(&pr->pr_ip6, &j.ip6_number, sizeof(pr->pr_ip6));
+#endif
 	pr->pr_ip = j.ip_number;
 	pr->pr_linux = NULL;
 	pr->pr_securelevel = securelevel;
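Review bot: The memcpy from j.ip6_number into pr->pr_ip6 runs for every jail created on an INET6 kernel, and nothing in this hunk checks that the caller actually supplied an IPv6 address. If the field arrives zeroed, the prison is stored with the unspecified address (::) as its IPv6 address; consider rejecting that case or recording explicitly that the jail has no IPv6 address. Since ip6_number is a new member of the structure copied in from userland, the change should also document how callers built against the previous layout are handled.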
@@ -375,18 +379,82 @@ prison_remote_ip(struct ucred *cred, int
 	return;
 }
 
+#ifdef INET6
+void
+prison_getip6(struct ucred *ucred, u_int8_t **ip6)
+{
+
+	memcpy(ip6, &ucred->cr_prison->pr_ip6,
+	sizeof(ucred->cr_prison->pr_ip6));
+}
+
+int
+prison_ip6(struct ucred *ucred, u_int8_t **ip6)
+{
+	struct in6_addr tmp;
+	
+	if (!jailed(ucred))
+		return (0);
+	memcpy(&tmp, ip6, sizeof(tmp));
+	if (IN6_IS_ADDR_LOOPBACK(&tmp) ||
+	IN6_IS_ADDR_UNSPECIFIED(&tmp)) {
+		memcpy(ip6, &ucred->cr_prison->pr_ip6, sizeof(tmp));
+		return (0);
+	}
+	if (IN6_ARE_ADDR_EQUAL((struct in6_addr *)ip6,
+	(struct in6_addr *)&ucred->cr_prison->pr_ip6))
+		return (1);
+	return (0);
+}
+
+void
+prison_remote_ip6(struct ucred *cred, u_int8_t **ip)
+{
+	struct in6_addr tmp;
+
+	if (!jailed(cred))
+		return;
+	memcpy(&tmp, ip, sizeof(tmp));
+	if (IN6_IS_ADDR_LOOPBACK(&tmp)) {
+		memcpy(ip, &cred->cr_prison->pr_ip6, sizeof(tmp));
+		return;
+	}
+	return;
+}
+
+#endif
+
 int
 prison_if(struct ucred *cred, struct sockaddr *sa)
 {
 	struct sockaddr_in *sai;
+#ifdef INET6
+	struct sockaddr_in6 *sa6;
+#endif
 	int ok;
 
 	sai = (struct sockaddr_in *)sa;
-	if ((sai->sin_family != AF_INET) && jail_socket_unixiproute_only)
-		ok = 1;
-	else if (sai->sin_family != AF_INET)
-		ok = 0;
-	else if (cred->cr_prison->pr_ip != ntohl(sai->sin_addr.s_addr))
+#ifdef INET6
+	sa6 = (struct sockaddr_in6 *)sa;
+#endif
+	if (sai->sin_family == AF_INET) {
+		if (cred->cr_prison->pr_ip != ntohl(sai->sin_addr.s_addr))
+			ok = 1;
+		else
+			ok = 0;
+	} else
+#ifdef INET6
+	if (sai->sin_family == AF_INET6) {
+		if (!IN6_ARE_ADDR_EQUAL((struct in6_addr *)
+		&cred->cr_pri
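Review bot: In prison_ip6() the return value is inverted relative to the convention prison_if() uses later in this hunk: prison_ip6() returns 1 when the address equals the jail's pr_ip6 and 0 for any other address, whereas the AF_INET branch of prison_if() sets ok = 1 when the address differs from pr_ip. If callers treat non-zero as a refusal, a jailed process asking for a foreign IPv6 address gets 0 and its own address is refused; the final test most likely wants !IN6_ARE_ADDR_EQUAL(...). Separately, prison_getip6(), prison_ip6() and prison_remote_ip6() declare the parameter as u_int8_t ** but memcpy sizeof(struct in6_addr) bytes through it and cast it to struct in6_addr *; declaring it as struct in6_addr * would let the compiler check the callers.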

Re: IPv6 site local EUI-64 addresses and jails

2005-08-13 Thread David Malone
On Fri, Aug 12, 2005 at 08:53:20PM +0200, Emanuel Strobl wrote:
> Now in the 24-16-24 scheme of the interface id part of the IPv6 address, the 
> 16 bits were inserted with the value FFFE. And bit 57 was changed to one! 
> Why? What if it is already one? Or isn't there any vendor who can have 
> bit 41 of his MAC 1?

Some of the bits of a MAC address are reserved. There is a bit that
indicates if the address is the address of a group of machines (for
multicast) or the address of a single machine. The bit that is
flipped when generating IPv6 addresses is the "local/global" bit,
that indicates if the address has been assigned locally or by some
global authority.  For normal ethernet cards, this bit would always
be 0.

> Now I want to use a dedicated interface, which is in a different subnet, 
> for 5 jails. How do I do that if I want to keep the MAC relation and if 
> I'm not allowed to change the FFFE insert? It isn't possible then, is it?
> What should I do instead? Invent my own 64-bit scheme?

I'd suggest that you use manually assigned addresses in cases like this.
You know what sort of addresses will be generated by autoconfiguration,
so it should be easy for you to choose addresses that won't clash.

Unfortunately jails do not actually support restricting the use of IPv6
addresses right now.

David.
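
The derivation discussed in this thread, as an added example that is not part of the original messages: it builds the interface identifier from a MAC by inserting FFFE and inverting the local/global bit, then reverses the step to show that such an address discloses the interface's MAC. The MAC 00:0e:0c:34:2b:f8 is an assumption, reconstructed from the thread's fe80::20e:cff:fe34:2bf8, and the function names are hypothetical.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Interface identifier from a 48-bit MAC: first 3 bytes, FF FE, last 3
 * bytes, then invert the local/global bit (0x02 of the first byte).
 * The bit is inverted (XOR), not set: a locally administered MAC that
 * already has it at 1 ends up with 0. */
static void mac_to_iid(const uint8_t mac[6], uint8_t iid[8])
{
	memcpy(iid, mac, 3);
	iid[3] = 0xff;
	iid[4] = 0xfe;
	memcpy(iid + 5, mac + 3, 3);
	iid[0] ^= 0x02;
}

/* Join a /64 prefix (8 bytes) and the identifier; returns buf or NULL. */
static const char *eui64_addr(const uint8_t prefix[8], const uint8_t mac[6],
    char *buf, socklen_t len)
{
	struct in6_addr a;
	memcpy(a.s6_addr, prefix, 8);
	mac_to_iid(mac, a.s6_addr + 8);
	return inet_ntop(AF_INET6, &a, buf, len);
}

/* Reverse step: recover the MAC from an address (no %zone suffix) whose
 * identifier carries the FF FE marker. Returns 0, or -1 when the text
 * does not parse or the marker is absent (manually assigned address). */
static int addr_to_mac(const char *text, uint8_t mac[6])
{
	struct in6_addr a;
	if (inet_pton(AF_INET6, text, &a) != 1)
		return -1;
	if (a.s6_addr[11] != 0xff || a.s6_addr[12] != 0xfe)
		return -1;
	memcpy(mac, a.s6_addr + 8, 3);
	memcpy(mac + 3, a.s6_addr + 13, 3);
	mac[0] ^= 0x02;
	return 0;
}

int main(void)
{
	/* Assumed MAC, reconstructed from fe80::20e:cff:fe34:2bf8 */
	const uint8_t mac[6] = { 0x00, 0x0e, 0x0c, 0x34, 0x2b, 0xf8 };
	const uint8_t ll[8] = { 0xfe, 0x80 };	/* fe80::/64 */
	uint8_t back[6];
	char buf[INET6_ADDRSTRLEN];
	if (!eui64_addr(ll, mac, buf, sizeof(buf)) || addr_to_mac(buf, back))
		return 1;
	printf("%s <- %02x:%02x:%02x:%02x:%02x:%02x\n", buf,
	    back[0], back[1], back[2], back[3], back[4], back[5]);
	return 0;
}
```

Manually assigned identifiers, as suggested above for the jails, do not carry the FF FE marker, so `addr_to_mac` rejects them.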


Re: IPv6 site local EUI-64 addresses and jails

2005-08-12 Thread Emanuel Strobl
On Saturday, 13 August 2005 00:03 CEST, Michael W. Oliver wrote:
> On 2005-08-12T22:56:19+0200, Emanuel Strobl wrote:
> > On Friday, 12 August 2005 22:48 CEST, Michael W. Oliver wrote:
> >> ifconfig fxp0 inet6 3ffe:dead:beef:cafe::/64 eui64 alias
> >
> > Hmmm, that doesn't work here (6.0-beta2):
> >
> > ifconfig fxp0 inet6 fec0::/64 eui64 alias
> > ifconfig: could not determine link local address
>
> The link-local address is automatically configured, based on the mac
> address of the interface, so you can't (and wouldn't want to) configure
> it manually.  If you want to configure unicast addresses manually, use
> the /48 from your provider/broker, broken down into whatever prefixlen
> you want.

Just for playing I disabled auto link-local address generation, then I 
found that "ifconfig fxp0 inet6 fec0::1 delete" worked after I added that 
one (without alias, which was my testing reason). Then I also deleted the 
eui64 address and wanted to reassign it.
Another reason I tried to use the -eui64 option with ifconfig was because 
my fwe0 got no inet6 address!
Either the man page of ifconfig is wrong or something else, I couldn't get 
a working syntax with option eui64.

Thanks,

-Harry


>
> What is your current fxp0 configuration?




Re: IPv6 site local EUI-64 addresses and jails

2005-08-12 Thread Michael W. Oliver
On 2005-08-12T22:56:19+0200, Emanuel Strobl wrote:
> On Friday, 12 August 2005 22:48 CEST, Michael W. Oliver wrote:
>> ifconfig fxp0 inet6 3ffe:dead:beef:cafe::/64 eui64 alias
> 
> Hmmm, that doesn't work here (6.0-beta2):
> 
> ifconfig fxp0 inet6 fec0::/64 eui64 alias
> ifconfig: could not determine link local address

The link-local address is automatically configured, based on the mac
address of the interface, so you can't (and wouldn't want to) configure
it manually.  If you want to configure unicast addresses manually, use
the /48 from your provider/broker, broken down into whatever prefixlen
you want.

What is your current fxp0 configuration?

-- 
Mike Oliver
[see complete headers for contact information]




Re: IPv6 site local EUI-64 addresses and jails

2005-08-12 Thread Emanuel Strobl
On Friday, 12 August 2005 22:48 CEST, Michael W. Oliver wrote:
> On 2005-08-12T21:03:35+0200, Emanuel Strobl wrote:
> > On Friday, 12 August 2005 20:53 CEST, Emanuel Strobl wrote:
> >> Hi all,
> >>
> >> I'm quite new to IPv6 so I'd like to ask some questions:
> >>
> >> So far I know how to generate a site-local address on the basis of the
> >> MAC address of the interface. That's what FreeBSD does itself for
> >> INET6 enabled kernels.
> >
> > Ok, here I found my first error, it's in fact a link-local address, not
> > site-local. If I need a site-local, is it correct to just assign it
> > another (almost similar) address, or should I disable link-local
> > autogeneration?
>
> Don't disable link-local address auto-generation.  You can assign your
> own addresses, based on the /48 you have been given by your provider or
> tunnel broker.  Something like this
>
> ifconfig fxp0 inet6 3ffe:dead:beef:cafe::/64 eui64 alias

Hmmm, that doesn't work here (6.0-beta2):

ifconfig fxp0 inet6 fec0::/64 eui64 alias
ifconfig: could not determine link local address

-Harry


> That is only if you want to use auto-configured host addresses based on
> the (IMHO) wasteful EUI64 junk... topic for another thread (and list,
> probably!).  There are lots of differing opinions about the usefulness
> of EUI64-based auto-config.




Re: IPv6 site local EUI-64 addresses and jails

2005-08-12 Thread Emanuel Strobl
On Friday, 12 August 2005 22:48 CEST, Michael W. Oliver wrote:
> On 2005-08-12T21:03:35+0200, Emanuel Strobl wrote:
> > On Friday, 12 August 2005 20:53 CEST, Emanuel Strobl wrote:
> >> Hi all,
> >>
> >> I'm quite new to IPv6 so I'd like to ask some questions:
> >>
> >> So far I know how to generate a site-local address on the basis of the
> >> MAC address of the interface. That's what FreeBSD does itself for
> >> INET6 enabled kernels.
> >
> > Ok, here I found my first error, it's in fact a link-local address, not
> > site-local. If I need a site-local, is it correct to just assign it
> > another (almost similar) address, or should I disable link-local
> > autogeneration?
>
> Don't disable link-local address auto-generation.  You can assign your
> own addresses, based on the /48 you have been given by your provider or
> tunnel broker.  Something like this
>
> ifconfig fxp0 inet6 3ffe:dead:beef:cafe::/64 eui64 alias

Ahh, ok, this answers the question how to use eui64 with ifconfig :)
And dead beef cafe is kewl ;) (first I'll use FEC0::eui64)

Thanks,

-Harry

P.S.: Do you know what's the clue with the (mac)bit 41 change for eui64?

>
> That is only if you want to use auto-configured host addresses based on
> the (IMHO) wasteful EUI64 junk... topic for another thread (and list,
> probably!).  There are lots of differing opinions about the usefulness
> of EUI64-based auto-config.




Re: IPv6 site local EUI-64 addresses and jails

2005-08-12 Thread Michael W. Oliver
On 2005-08-12T21:03:35+0200, Emanuel Strobl wrote:
> On Friday, 12 August 2005 20:53 CEST, Emanuel Strobl wrote:
>> Hi all,
>>
>> I'm quite new to IPv6 so I'd like to ask some questions:
>>
>> So far I know how to generate a site-local address on the basis of the
>> MAC address of the interface. That's what FreeBSD does itself for INET6
>> enabled kernels.
> 
> Ok, here I found my first error, it's in fact a link-local address, not 
> site-local. If I need a site-local, is it correct to just assign it 
> another (almost similar) address, or should I disable link-local 
> autogeneration?

Don't disable link-local address auto-generation.  You can assign your
own addresses, based on the /48 you have been given by your provider or
tunnel broker.  Something like this

ifconfig fxp0 inet6 3ffe:dead:beef:cafe::/64 eui64 alias

That is only if you want to use auto-configured host addresses based on
the (IMHO) wasteful EUI64 junk... topic for another thread (and list,
probably!).  There are lots of differing opinions about the usefulness
of EUI64-based auto-config.

-- 
Mike Oliver
[see complete headers for contact information]




Re: IPv6 site local EUI-64 addresses and jails

2005-08-12 Thread Emanuel Strobl
On Friday, 12 August 2005 20:53 CEST, Emanuel Strobl wrote:
> Hi all,
>
> I'm quite new to IPv6 so I'd like to ask some questions:

Here are two more:

How do I use the eui64 option of ifconfig? 'ifconfig fxp0 inet6 
fe80:0:0:0:eui64 ' doesn't work!

What's the meaning of the "%fxp0" tail of the ifconfig output for the inet6 
address?

Thanks,

-Harry

> So far I know how to generate a site-local address on the basis of the
> MAC address of the interface. That's what FreeBSD does itself for INET6
> enabled kernels.
> Now in the 24-16-24 scheme of the interface id part of the IPv6 address,
> the 16 bits were inserted with the value FFFE. And bit 57 was changed to
> one! Why? What if it is already one? Or isn't there any vendor who can
> have bit 41 of his MAC 1?
> Now I want to use a dedicated interface, which is in a different subnet,
> for 5 jails. How do I do that if I want to keep the MAC relation and if
> I'm not allowed to change the FFFE insert? It isn't possible then, is it?
> What should I do instead? Invent my own 64-bit scheme?
>
> I hope you understand my questions, thanks a lot in advance,
>
> -Harr




Re: IPv6 site local EUI-64 addresses and jails

2005-08-12 Thread Emanuel Strobl
On Friday, 12 August 2005 20:53 CEST, Emanuel Strobl wrote:
> Hi all,
>
> I'm quite new to IPv6 so I'd like to ask some questions:
>
> So far I know how to generate a site-local address on the basis of the
> MAC address of the interface. That's what FreeBSD does itself for INET6
> enabled kernels.

Ok, here I found my first error, it's in fact a link-local address, not 
site-local. If I need a site-local, is it correct to just assign it 
another (almost similar) address, or should I disable link-local 
autogeneration?

Thanks,

-Harry

> Now in the 24-16-24 scheme of the interface id part of the IPv6 address,
> the 16 bits were inserted with the value FFFE. And bit 57 was changed to
> one! Why? What if it is already one? Or isn't there any vendor who can
> have bit 41 of his MAC 1?
> Now I want to use a dedicated interface, which is in a different subnet,
> for 5 jails. How do I do that if I want to keep the MAC relation and if
> I'm not allowed to change the FFFE insert? It isn't possible then, is it?
> What should I do instead? Invent my own 64-bit scheme?
>
> I hope you understand my questions, thanks a lot in advance,
>
> -Harr




IPv6 site local EUI-64 addresses and jails

2005-08-12 Thread Emanuel Strobl
Hi all,

I'm quite new to IPv6 so I'd like to ask some questions:

So far I know how to generate a site-local address on the basis of the MAC 
address of the interface. That's what FreeBSD does itself for INET6 
enabled kernels.
Now in the 24-16-24 scheme of the interface id part of the IPv6 address, the 
16 bits were inserted with the value FFFE. And bit 57 was changed to one! 
Why? What if it is already one? Or isn't there any vendor who can have 
bit 41 of his MAC 1?
Now I want to use a dedicated interface, which is in a different subnet, 
for 5 jails. How do I do that if I want to keep the MAC relation and if 
I'm not allowed to change the FFFE insert? It isn't possible then, is it?
What should I do instead? Invent my own 64-bit scheme?

I hope you understand my questions, thanks a lot in advance,

-Harr

