Re: DHCPDv6 in non-vnet jail

2022-03-29 Thread Goran Mekić
On Tue, Mar 29, 2022 at 05:21:13PM +0200, Marek Zarychta wrote:
> Running DHCPv6 in a jail is possible and pretty straightforward if
> /dev/bpf is exposed, but I have never tried to run rtadvd(8) in the
> jail. The net/isc-dhcp44-server works flawlessly in dedicated DHCPv6
> redundant jails without VNET, but the RA is always done on the core
> switches for all supported subnets in my case. Please consider that
> DHCPv6 is never a replacement, but an addition to a properly configured RA.
I ran rtadvd inside jail just to see if RA messages are going back and
forth as I suspected I'm blocking something. Otherwise, I'm running
rtadvd on the host. If I understand it right, rtadvd's raflags="m"
should tell rtsold to run external script. I'm just running it by hand
so I use the least amount of software possible. Is that wrong? Should
dhcp6c be run with rtsold -M? I tried with rtsold_flags="-a -M
/usr/local/bin/dhcp6c" without luck.

Regards,
meka




Re: DHCPDv6 in non-vnet jail

2022-03-29 Thread Goran Mekić
On Tue, Mar 29, 2022 at 12:14:20PM +0200, Ronald Klop wrote:
> I think it will help if you share more of your configuration/logs.
Inside non-vnet jail, this is ifconfig output
cbsd0: flags=8843 metric 0 mtu 1500
description: lagg0
ether 58:9c:fc:10:9b:75
inet 172.16.0.253 netmask 0x broadcast 172.16.0.253
inet6 fd10:6c79:8ae5:8b91::2 prefixlen 128
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
member: epair1a flags=143
ifmaxaddr 0 port 7 priority 128 path cost 2000
member: epair5a flags=143
ifmaxaddr 0 port 11 priority 128 path cost 2000
member: epair4a flags=143
ifmaxaddr 0 port 10 priority 128 path cost 2000
member: epair3a flags=143
ifmaxaddr 0 port 9 priority 128 path cost 2000
member: epair2a flags=143
ifmaxaddr 0 port 8 priority 128 path cost 2000
groups: bridge
nd6 options=21

There are bunch of other interfaces, but only cbsd0 (bridge interface)
is set up with ip address.


netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
172.16.0.253       link#4             UH        cbsd0

Internet6:
Destination                       Gateway                       Flags     Netif Expire
fd10:6c79:8ae5:8b91::2            link#4                        UHS         lo0


grep -v '^#' /usr/local/etc/dhcpd6.conf

default-lease-time 2592000;
preferred-lifetime 604800;
option dhcp-renewal-time 3600;
option dhcp-rebinding-time 7200;
allow leasequery;
option dhcp6.name-servers 3ffe:501::100:200:ff:fe00:3f3e;
option dhcp6.domain-search "test.example.com","example.com";
option dhcp6.info-refresh-time 21600;
dhcpv6-lease-file-name "/var/db/dhcpd6/dhcpd6.leases";

subnet6 fd10:6c79:8ae5:8b91::/64 {
  range6 fd10:6c79:8ae5:8b91::/64;
}


ls -l /dev
total 1
crw---  1 root  wheel   0x26 Mar 29 17:35 bpf
lrwxr-xr-x  1 root  wheel  3 Mar 28 09:31 bpf0 -> bpf
crw-rw-rw-  1 root  wheel   0x4a Mar 26 15:54 crypto
dr-xr-xr-x  2 root  wheel    512 Mar 29 03:38 fd
crw-rw-rw-  1 root  wheel   0x2a Mar 29 18:00 null
crw-rw  1 root  nsd    0x1a5 Mar 24 23:45 pf
crw-rw  1 root  nsd     0x4b Mar 26 15:54 pfil
dr-xr-xr-x  2 root  wheel    512 Mar 28 09:31 pts
crw-r--r--  1 root  wheel    0x8 Mar 24 23:45 random
lrwxr-xr-x  1 root  wheel  4 Mar 28 09:31 stderr -> fd/2
lrwxr-xr-x  1 root  wheel  4 Mar 28 09:31 stdin -> fd/0
lrwxr-xr-x  1 root  wheel  4 Mar 28 09:31 stdout -> fd/1
lrwxr-xr-x  1 root  wheel  6 Mar 28 09:31 urandom -> random
crw-rw-rw-  1 root  wheel   0x2b Mar 26 15:54 zero



On the host I have /etc/rtadvd.conf:
cbsd0:addr="fd10:6c79:8ae5:8b91::":raflags="m"


On the host ifconfig cbsd0
cbsd0: flags=8843 metric 0 mtu 1500
description: lagg0
ether 58:9c:fc:10:9b:75
inet 172.16.0.254 netmask 0xff00 broadcast 172.16.0.255
inet 172.16.1.254 netmask 0xff00 broadcast 172.16.1.255
inet 172.16.0.253 netmask 0x broadcast 172.16.0.253
inet6 fe80::5a9c:fcff:fe10:9b75%cbsd0 prefixlen 64 scopeid 0x4
inet6 fd10:6c79:8ae5:8b91::1 prefixlen 64
inet6 fd10:6c79:8ae5:8b91::2 prefixlen 128
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
member: epair1a flags=143
ifmaxaddr 0 port 7 priority 128 path cost 2000
member: epair5a flags=143
ifmaxaddr 0 port 11 priority 128 path cost 2000
member: epair4a flags=143
ifmaxaddr 0 port 10 priority 128 path cost 2000
member: epair3a flags=143
ifmaxaddr 0 port 9 priority 128 path cost 2000
member: epair2a flags=143
ifmaxaddr 0 port 8 priority 128 path cost 2000
groups: bridge
nd6 options=21

> Besides you can take a look with tcpdump/wireshark on what happens on 
> different interfaces of your machines to see the traffic flow between client 
> and server.
Running tcpdump -i cbsd0 ip6 inside the non-vnet:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on cbsd0, link-type EN10MB (Ethernet), capture size 262144 bytes
18:02:29.081325 IP6 fe80::5a9c:fcff:fe10:9b75.10482 > ff12::8384.21027: UDP, length 322
18:02:51.229813 IP6 fe80::2a0:98ff:fe7d:cad.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
18:02:52.338420 IP6 fe80::2a0:98ff:fe7d:cad.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
18:02:54.444709 IP6 fe80::2a0:98ff:fe7d:cad.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
18:02:58.449268 IP6 fe80::2a0:98ff:fe7d:cad.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
18:02:59.083071 
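
The capture in the message above can be checked mechanically. The following is an added example, not part of the original thread: it parses tcpdump's one-line DHCPv6 output and reports, per client, whether any server message came back and whether the Solicit gaps follow the roughly doubling retransmission timer of RFC 8415 (initial timeout 1 s), which is what a client does when nothing answers. The function name `analyze` and the 1.8 to 2.2 ratio tolerance are assumptions chosen for this sketch.

```python
import re
from datetime import datetime

# Constructed sample: the lines of the capture above, with wrapped lines rejoined.
CAPTURE = """\
18:02:29.081325 IP6 fe80::5a9c:fcff:fe10:9b75.10482 > ff12::8384.21027: UDP, length 322
18:02:51.229813 IP6 fe80::2a0:98ff:fe7d:cad.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
18:02:52.338420 IP6 fe80::2a0:98ff:fe7d:cad.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
18:02:54.444709 IP6 fe80::2a0:98ff:fe7d:cad.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
18:02:58.449268 IP6 fe80::2a0:98ff:fe7d:cad.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
"""

LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP6 (?P<src>\S+)\.dhcpv6-(?P<srole>client|server)"
    r" > (?P<dst>\S+)\.dhcpv6-(?:client|server): dhcp6 (?P<msg>\w+)")

def analyze(text):
    """Summarise DHCPv6 exchanges per client link-local address."""
    clients = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not DHCPv6, e.g. the ff12::8384 UDP line
        if m["srole"] == "client":
            c = clients.setdefault(m["src"], {"times": [], "answers": 0})
            if m["msg"] == "solicit":
                # Time of day only; a capture spanning midnight is not handled.
                c["times"].append(datetime.strptime(m["ts"], "%H:%M:%S.%f"))
        else:
            # Advertise/Reply from a server is addressed to the client.
            c = clients.setdefault(m["dst"], {"times": [], "answers": 0})
            c["answers"] += 1
    report = {}
    for addr, c in clients.items():
        t = c["times"]
        gaps = [round((b - a).total_seconds(), 3) for a, b in zip(t, t[1:])]
        # RFC 8415: each retransmission timeout is about twice the previous one.
        backoff = len(gaps) >= 2 and all(
            a > 0 and 1.8 <= b / a <= 2.2 for a, b in zip(gaps, gaps[1:]))
        report[addr] = {"solicits": len(t), "answers": c["answers"],
                        "gaps": gaps, "retransmit_backoff": backoff}
    return report

if __name__ == "__main__":
    for addr, r in analyze(CAPTURE).items():
        print(addr, r)
```

Four Solicits, zero answers and doubling gaps mean the client is retransmitting into silence: the multicast reaches the bridge, but no DHCPv6 server responds on it.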

Re: DHCPDv6 in non-vnet jail

2022-03-29 Thread Marek Zarychta
On Tue, Mar 29, 2022 at 10:11:29AM +0200, Goran Mekić wrote:
> On Sun, Mar 27, 2022 at 02:34:11PM +, Bjoern A. Zeeb wrote:
> > I assume you have /dev/bpf available inside that jail by a devfs rule so
> > effectively you have all network interfaces and traffic available?
> As a form of test I've put rtadvd inside the same non-vnet jail and I
> can see RA message arrive to the vnet jail. I thought I "disconnected"
> something concerning IPv6, but that's obviously not the case.
> 
> Let's take a step back. Is there any howto/tutorial on how to put
> isc-dhcpd6 in a non-vnet jail? I don't care if it's jail.conf or some
> jail manager. Can I somehow see where packets end up, like dtrace?
> Should I try some other server/client for DHCPv6? If I can make it work
> in any scenario, that would be good starting point for me to figure out
> what's wrong with my current setup.
> 
> Regards,
> meka

Running DHCPv6 in a jail is possible and pretty straightforward if
/dev/bpf is exposed, but I have never tried to run rtadvd(8) in the
jail. The net/isc-dhcp44-server works flawlessly in dedicated DHCPv6
redundant jails without VNET, but the RA is always done on the core
switches for all supported subnets in my case. Please consider that
DHCPv6 is never a replacement, but an addition to a properly configured RA.

Best regards,
-- 
Marek Zarychta



Re: "set but not used" warnings in the kernel

2022-03-29 Thread Ronald Klop

Is it time for WARNS=7 in the Makefiles?

Regards,
Ronald.


From: Mateusz Guzik
Date: Tuesday, 29 March 2022 13:15
To: freebsd-current@freebsd.org
Subject: "set but not used" warnings in the kernel


This is way too spammy and there is no consistent effort to clean them up,
that I can see anyway.

As such, I think these warns are doing more damage than help and should be
disabled by default.

Alternatively, perhaps people can step up. I'm pretty sure to date I got
rid of more of these than anyone else.

Comments?
--
Mateusz Guzik 
 





"set but not used" warnings in the kernel

2022-03-29 Thread Mateusz Guzik
This is way too spammy and there is no consistent effort to clean them up,
that I can see anyway.

As such, I think these warns are doing more damage than help and should be
disabled by default.

Alternatively, perhaps people can step up. I'm pretty sure to date I got
rid of more of these than anyone else.

Comments?
-- 
Mateusz Guzik 



Re: DHCPDv6 in non-vnet jail

2022-03-29 Thread Ronald Klop


From: "Goran Mekic"
Date: Tuesday, 29 March 2022 10:11
To: "Bjoern A. Zeeb"
CC: freebsd-current@freebsd.org
Subject: Re: DHCPDv6 in non-vnet jail


On Sun, Mar 27, 2022 at 02:34:11PM +, Bjoern A. Zeeb wrote:
> I assume you have /dev/bpf available inside that jail by a devfs rule so
> effectively you have all network interfaces and traffic available?
As a form of test I've put rtadvd inside the same non-vnet jail and I
can see RA message arrive to the vnet jail. I thought I "disconnected"
something concerning IPv6, but that's obviously not the case.

Let's take a step back. Is there any howto/tutorial on how to put
isc-dhcpd6 in a non-vnet jail? I don't care if it's jail.conf or some
jail manager. Can I somehow see where packets end up, like dtrace?
Should I try some other server/client for DHCPv6? If I can make it work
in any scenario, that would be good starting point for me to figure out
what's wrong with my current setup.

Regards,
meka



 



Hi,

I think it will help if you share more of your configuration/logs.
Besides you can take a look with tcpdump/wireshark on what happens on different 
interfaces of your machines to see the traffic flow between client and server.

Regards,
Ronald.


Re: DHCPDv6 in non-vnet jail

2022-03-29 Thread Goran Mekić
On Sun, Mar 27, 2022 at 02:34:11PM +, Bjoern A. Zeeb wrote:
> I assume you have /dev/bpf available inside that jail by a devfs rule so
> effectively you have all network interfaces and traffic available?
As a form of test I've put rtadvd inside the same non-vnet jail and I
can see RA message arrive to the vnet jail. I thought I "disconnected"
something concerning IPv6, but that's obviously not the case.

Let's take a step back. Is there any howto/tutorial on how to put
isc-dhcpd6 in a non-vnet jail? I don't care if it's jail.conf or some
jail manager. Can I somehow see where packets end up, like dtrace?
Should I try some other server/client for DHCPv6? If I can make it work
in any scenario, that would be good starting point for me to figure out
what's wrong with my current setup.

Regards,
meka

