Re: IPv6 routes leaking between FIBs?

2014-12-29 Thread Alan Somers
On Sun, Dec 28, 2014 at 3:16 AM, Bjoern A. Zeeb b...@freebsd.org wrote:

 On 28 Dec 2014, at 03:19 , Jason Healy jhe...@logn.net wrote:

 Hello,

 Trying out FreeBSD for the first time to build a firewall box that’s 
 multi-core and runs PF.  I’m very interested in the FIB code, as it lines up 
 well with the way my core networking equipment works and should allow me to 
 route traffic on an interface that’s logically separate from the management 
 interfaces.

 I’ve been playing for a bit with the FIB features, but I’m getting hung up 
 on IPv6.  I’m trying to set up two interfaces on my box to each have a 
 different FIB, and to not leak routes between the interfaces:

 # sysctl net.add_addr_allfibs=0
 # ifconfig em1 inet 192.0.2.1/24 fib 1
 # ifconfig em1 inet6 2001:db8:dead:beef::1/64 fib 1
 # ifconfig em2 inet 203.0.113.1/24 fib 2
 # ifconfig em2 inet6 2001:db8:cafe:babe::1/64 fib 2

 If I then check the routing tables for each FIB, here’s what I get:

 # setfib -F 1 netstat -rn

 Routing tables (fib: 1)

 Internet:
 Destination                       Gateway            Flags      Netif Expire
 192.0.2.0/24                      link#2             U          em1
 192.0.2.1                         link#2             UHS        lo0

 Internet6:
 Destination                       Gateway            Flags      Netif Expire
 2001:db8:cafe:babe::/64           link#3             U          em2
 2001:db8:dead:beef::/64           link#2             U          em1
 2001:db8:dead:beef::1             link#2             UHS        lo0
 fe80::%em1/64                     link#2             U          em1
 fe80::a00:27ff:fef6:162a%em1      link#2             UHS        lo0
 fe80::%em2/64                     link#3             U          em2
 fe80::%lo0/64                     link#5             U          lo0


 # setfib -F 2 netstat -rn

 Routing tables (fib: 2)

 Internet:
 Destination                       Gateway            Flags      Netif Expire
 203.0.113.0/24                    link#3             U          em2
 203.0.113.1                       link#3             UHS        lo0

 Internet6:
 Destination                       Gateway            Flags      Netif Expire
 2001:db8:cafe:babe::/64           link#3             U          em2
 2001:db8:cafe:babe::1             link#3             UHS        lo0
 2001:db8:dead:beef::/64           link#2             U          em1
 fe80::%em1/64                     link#2             U          em1
 fe80::%em2/64                     link#3             U          em2
 fe80::a00:27ff:fe62:d267%em2      link#3             UHS        lo0
 fe80::%lo0/64                     link#5             U          lo0


 Note that as expected, the IPv4 routes are constrained to their FIB 
 (192.0.2.0 to FIB 1 and 203.0.113.0 to FIB 2).  However, the IPv6 routes 
 (deadbeef and cafebabe) leak between the FIBs; both prefixes that I add are 
 listed in both FIBs (as well as the link-local stuff).

 According to:

  
 https://www.freebsd.org/news/status/report-2012-01-2012-03.html#Multi-FIB:-IPv6-Support-and-Other-Enhancements

 IPv6 parity is claimed for the FIB code, so I’m not sure if I’m doing it 
 wrong, or if there’s a problem with the FIB code and IPv6 routes.

 Thanks in advance for any help or clarification!


 People simply broke it (again).  Please file a bug report.   You may mention 
 that there are regression test scripts in src/tools/ somewhere to test all 
 the cases for IPv6.

Sounds like those tests need to be merged into the ATF tests at
tests/sys/netinet/fibs_test.sh so they'll run continuously.

-Alan
___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org
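
The comparison Jason made by eye in the quoted post, as an added example (not code from the thread or from the FreeBSD tree): a POSIX sh function that reads `setfib -F N netstat -rn` output and reports every route whose Netif lies outside the interfaces assigned to that FIB. The function names, the lo0 exemption and the re-spaced sample (the FIB 1 output from the post) are assumptions of this example.

```sh
#!/bin/sh
# Added example: report routes in one FIB that point at interfaces the FIB
# does not own. Assumes the five-column `netstat -rn` layout quoted in this
# thread (Destination Gateway Flags Netif Expire).

# fib_leaks "<allowed ifaces>" < netstat-output
# Prints "<family> <destination> <netif>" for each route whose Netif is not
# allowed. lo0 is always allowed (assumption: host routes for the FIB's own
# addresses point at it). Returns 1 if any leak was found, else 0.
fib_leaks() {
    awk -v allowed="$1 lo0" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "Internet:"  { fam = "inet";  next }
        $1 == "Internet6:" { fam = "inet6"; next }
        $1 == "Routing" || $1 == "Destination" || NF < 4 { next }  # headers
        !($4 in ok) { print fam, $1, $4; bad = 1 }
        END { exit bad + 0 }
    '
}

# check_fib <fib> "<allowed ifaces>": run the check against a live FreeBSD FIB.
check_fib() {
    setfib -F "$1" netstat -rn | fib_leaks "$2"
}

# FIB 1 output from the original post, re-spaced into columns.
sample_fib1() {
    cat <<'EOF'
Routing tables (fib: 1)

Internet:
Destination                       Gateway            Flags      Netif Expire
192.0.2.0/24                      link#2             U          em1
192.0.2.1                         link#2             UHS        lo0

Internet6:
Destination                       Gateway            Flags      Netif Expire
2001:db8:cafe:babe::/64           link#3             U          em2
2001:db8:dead:beef::/64           link#2             U          em1
2001:db8:dead:beef::1             link#2             UHS        lo0
fe80::%em1/64                     link#2             U          em1
fe80::a00:27ff:fef6:162a%em1      link#2             UHS        lo0
fe80::%em2/64                     link#3             U          em2
fe80::%lo0/64                     link#5             U          lo0
EOF
}

# Demo: em1 is the only interface assigned to FIB 1, so both em2 routes leak.
sample_fib1 | fib_leaks "em1" || echo "FIB 1 contains routes for foreign interfaces"
```

On a live host, `check_fib 1 em1 && check_fib 2 em2` exits non-zero while the leak is present, which makes it usable as a pass/fail step in a regression run.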

Re: IPv6 routes leaking between FIBs?

2014-12-29 Thread Bjoern A. Zeeb

 On 29 Dec 2014, at 16:03 , Alan Somers asom...@freebsd.org wrote:
 
 On Sun, Dec 28, 2014 at 3:16 AM, Bjoern A. Zeeb b...@freebsd.org wrote:
 
 People simply broke it (again).  Please file a bug report.   You may mention 
 that there are regression test scripts in src/tools/ somewhere to test all 
 the cases for IPv6.
 
 Sounds like those tests need to be merged into the ATF tests at
 tests/sys/netinet/fibs_test.sh so they'll run continuously.

Probably but they also need multiple machines (or network stacks), access to 
privileged services (ifconfig, ipfw, …), and I have no clue how to do all this 
with ATF.   Be my guest :-)

— 
Bjoern A. Zeeb  Charles Haddon Spurgeon:
Friendship is one of the sweetest joys of life.  Many might have failed
 beneath the bitterness of their trial  had they not found a friend.


Re: IPv6 routes leaking between FIBs?

2014-12-29 Thread Alan Somers
On Mon, Dec 29, 2014 at 10:19 AM, Bjoern A. Zeeb b...@freebsd.org wrote:

 On 29 Dec 2014, at 16:03 , Alan Somers asom...@freebsd.org wrote:

 On Sun, Dec 28, 2014 at 3:16 AM, Bjoern A. Zeeb b...@freebsd.org wrote:

 People simply broke it (again).  Please file a bug report.   You may 
 mention that there are regression test scripts in src/tools/ somewhere to 
 test all the cases for IPv6.

 Sounds like those tests need to be merged into the ATF tests at
 tests/sys/netinet/fibs_test.sh so they'll run continuously.

 Probably but they also need multiple machines (or network stacks), access to 
 privileged services (ifconfig, ipfw, …), and I have no clue how to do all 
 this with ATF.   Be my guest :-)

I will -- the day that my boss tells me that we need to ship IPv6.
Until then I can't justify the time required.  It looks like the local
tests in tools/test/netfibs/initiator.sh should be easy to convert.
Could the others be done with two tap(4) interfaces on the same host?

-Alan

Re: IPv6 routes leaking between FIBs?

2014-12-29 Thread Jason Healy
On Dec 29, 2014, at 1:28 AM, Julian Elischer jul...@freebsd.org wrote:

 to some extent this is what it was written for.. the fib code was written for 
 Ironport/Cisco for separating the management port from the data ports on 
 their appliances, however the VNET code that came later is an even cleaner 
 way of doing it and FIBs were only used by Ironport because VNET was not yet 
 available. Have you tried vnet jails for interface isolation?

I freely admit that I haven’t.  I’m just coming over to FreeBSD and while I’m 
aware of jails, I thought of them more as service isolation than for routing.

I’m searching around for a moment, and I’m not 100% sure this is going to work 
for my use case.  Can you confirm that jails would be the most appropriate way 
to solve my problem?  These are the major requirements:

 - A router/firewall that will perform NAT from an internal RFC1918 space to 
public IPv4, as well as stateful firewalling of IPv6 packets passed to it.

 - 3 interfaces:
   1) Transit interface (10g, packets to/from PF are received/sent on this 
interface)
   2) PFsync (to connect to a second box for active-active PF)
   3) Management (LAN side only)

 - Separate routing tables for the transit and management interfaces, so that 
the transit interface can have a default route that is distinct from that of 
the management network.

It sounds to me that if I ran this as a jail, I’d need to throw the 10g transit 
interface and the pfsync interface into the jail, and leave the management 
interface on the host.  I’d probably need to run PF in the jail as well?  Or 
are we just using the jail to isolate the routing tables, and I’d still run PF 
on the host?

I’m happy to provide more details on the setup in case there’s a better way to 
architect this.  I’m a Debian/OpenBSD guy, so I’m sorry if I don’t have all the 
terminology sorted out yet...

I will still file a bug against the FIB code, as it sounds like that’s not 
working as intended/designed.

Thanks,

Jason



Re: IPv6 routes leaking between FIBs?

2014-12-29 Thread Julian Elischer

On 12/30/14 1:59 AM, Jason Healy wrote:

On Dec 29, 2014, at 1:28 AM, Julian Elischer jul...@freebsd.org wrote:


to some extent this is what it was written for.. the fib code was written for 
Ironport/Cisco for separating the management port from the data ports on their 
appliances, however the VNET code that came later is an even cleaner way of 
doing it and FIBs were only used by Ironport because VNET was not yet 
available. Have you tried vnet jails for interface isolation?

I freely admit that I haven’t.  I’m just coming over to FreeBSD and while I’m 
aware of jails, I thought of them more as service isolation than for routing.

I’m searching around for a moment, and I’m not 100% sure this is going to work 
for my use case.  Can you confirm that jails would be the most appropriate way 
to solve my problem?  These are the major requirements:

  - A router/firewall that will perform NAT from an internal RFC1918 space to 
public IPv4, as well as stateful firewalling of IPv6 packets passed to it.

  - 3 interfaces:
1) Transit interface (10g, packets to/from PF are received/sent on this 
interface)
2) PFsync (to connect to a second box for active-active PF)
3) Management (LAN side only)

the only hitch may be the pfsync stuff.. I have no idea about how 
virtualised that is and I never use pf..or pfsync.
Basically you can assign a completely separate network stack to the 
management interface, (or the other ones)
and run whatever the application is in the jail..  it's still possible 
to communicate with the jailed processes using shared files or fifos, 
but they have a completely separate network stack and are therefore 
completely unaware of the management interface.
Each jail (if enabled with vnet option) has its own interfaces, 
routing tables, firewall(s) etc.





  - Separate routing tables for the transit and management interfaces, so that 
the transit interface can have a default route that is distinct from that of 
the management network.

It sounds to me that if I ran this as a jail, I’d need to throw the 10g transit 
interface and the pfsync interface into the jail, and leave the management 
interface on the host.  I’d probably need to run PF in the jail as well?  Or 
are we just using the jail to isolate the routing tables, and I’d still run PF 
on the host?

I’m happy to provide more details on the setup in case there’s a better way to 
architect this.  I’m a Debian/OpenBSD guy, so I’m sorry if I don’t have all the 
terminology sorted out yet...

I will still file a bug against the FIB code, as it sounds like that’s not 
working as intended/designed.

Thanks,

Jason








Re: IPv6 routes leaking between FIBs?

2014-12-29 Thread Bjoern A. Zeeb

 On 29 Dec 2014, at 19:17 , Julian Elischer jul...@freebsd.org wrote:
 
 On 12/30/14 1:59 AM, Jason Healy wrote:
 On Dec 29, 2014, at 1:28 AM, Julian Elischer jul...@freebsd.org wrote:
 
 to some extent this is what it was written for.. the fib code was written 
 for Ironport/Cisco for separating the management port from the data ports 
 on their appliances, however the VNET code that came later is an even 
 cleaner way of doing it and FIBs were only used by Ironport because VNET 
 was not yet available. Have you tried vnet jails for interface isolation?
 I freely admit that I haven’t.  I’m just coming over to FreeBSD and while 
 I’m aware of jails, I thought of them more as service isolation than for 
 routing.
 
 I’m searching around for a moment, and I’m not 100% sure this is going to 
 work for my use case.  Can you confirm that jails would be the most 
 appropriate way to solve my problem?  These are the major requirements:
 
  - A router/firewall that will perform NAT from an internal RFC1918 space to 
 public IPv4, as well as stateful firewalling of IPv6 packets passed to it.
 
  - 3 interfaces:
1) Transit interface (10g, packets to/from PF are received/sent on this 
 interface)
2) PFsync (to connect to a second box for active-active PF)
3) Management (LAN side only)
 the only hitch may be the pfsync stuff.. I have no idea about how virtualised 
 that is and I never use pf..or pfsync.

pf and VNETs are a cause for panic at the moment;  don’t go that route (yet).

 Basically you can assign a completely separate network stack to the management 
 interface, (or the other ones)
 and run whatever the application is in the jail..  it's still possible to 
 communicate with the jailed processes using shared files or fifos, but they 
 have a completely separate network stack and are therefore completely unaware 
 of the management interface.
 Each jail (if enabled with vnet option) has its own interfaces, routing 
 tables, firewall(s) etc.
 
 
 
  - Separate routing tables for the transit and management interfaces, so 
 that the transit interface can have a default route that is distinct from 
 that of the management network.
 
 It sounds to me that if I ran this as a jail, I’d need to throw the 10g 
 transit interface and the pfsync interface into the jail, and leave the 
 management interface on the host.  I’d probably need to run PF in the jail 
 as well?  Or are we just using the jail to isolate the routing tables, and 
 I’d still run PF on the host?
 
 I’m happy to provide more details on the setup in case there’s a better way 
 to architect this.  I’m a Debian/OpenBSD guy, so I’m sorry if I don’t have 
 all the terminology sorted out yet...
 
 I will still file a bug against the FIB code, as it sounds like that’s not 
 working as intended/designed.
 
 Thanks,
 
 Jason
 
 
 
 
 

— 
Bjoern A. Zeeb  Charles Haddon Spurgeon:
Friendship is one of the sweetest joys of life.  Many might have failed
 beneath the bitterness of their trial  had they not found a friend.



Re: IPv6 routes leaking between FIBs?

2014-12-29 Thread Jason Healy
On Dec 29, 2014, at 2:34 PM, Bjoern A. Zeeb bzeeb-li...@lists.zabbadoz.net 
wrote:

 pf and VNETs are a cause for panic at the moment;  don’t go that route (yet).

Good to know.

With that in mind, I think my best workaround for now is to disable IPv6 on the 
management interface, leaving the transit interface as the only one with a v6 
address assigned.  This effectively isolates it from the rest of the box, and 
I’ll just have to manage the box itself via v4 for the time being until the v6 
fibs get fixed.

Meanwhile, I’ve created PR 196361 to track the underlying issue:

  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=196361

I’ll keep working to spin up PF on the box and I’ll let you know if I bump into 
any other issues.

Thanks for the guidance,

Jason



Re: IPv6 routes leaking between FIBs?

2014-12-28 Thread Bjoern A. Zeeb

 On 28 Dec 2014, at 03:19 , Jason Healy jhe...@logn.net wrote:
 
 Hello,
 
 Trying out FreeBSD for the first time to build a firewall box that’s 
 multi-core and runs PF.  I’m very interested in the FIB code, as it lines up 
 well with the way my core networking equipment works and should allow me to 
 route traffic on an interface that’s logically separate from the management 
 interfaces.
 
 I’ve been playing for a bit with the FIB features, but I’m getting hung up on 
 IPv6.  I’m trying to set up two interfaces on my box to each have a different 
 FIB, and to not leak routes between the interfaces:
 
 # sysctl net.add_addr_allfibs=0
 # ifconfig em1 inet 192.0.2.1/24 fib 1
 # ifconfig em1 inet6 2001:db8:dead:beef::1/64 fib 1
 # ifconfig em2 inet 203.0.113.1/24 fib 2
 # ifconfig em2 inet6 2001:db8:cafe:babe::1/64 fib 2
 
 If I then check the routing tables for each FIB, here’s what I get:
 
 # setfib -F 1 netstat -rn

 Routing tables (fib: 1)

 Internet:
 Destination                       Gateway            Flags      Netif Expire
 192.0.2.0/24                      link#2             U          em1
 192.0.2.1                         link#2             UHS        lo0

 Internet6:
 Destination                       Gateway            Flags      Netif Expire
 2001:db8:cafe:babe::/64           link#3             U          em2
 2001:db8:dead:beef::/64           link#2             U          em1
 2001:db8:dead:beef::1             link#2             UHS        lo0
 fe80::%em1/64                     link#2             U          em1
 fe80::a00:27ff:fef6:162a%em1      link#2             UHS        lo0
 fe80::%em2/64                     link#3             U          em2
 fe80::%lo0/64                     link#5             U          lo0


 # setfib -F 2 netstat -rn

 Routing tables (fib: 2)

 Internet:
 Destination                       Gateway            Flags      Netif Expire
 203.0.113.0/24                    link#3             U          em2
 203.0.113.1                       link#3             UHS        lo0

 Internet6:
 Destination                       Gateway            Flags      Netif Expire
 2001:db8:cafe:babe::/64           link#3             U          em2
 2001:db8:cafe:babe::1             link#3             UHS        lo0
 2001:db8:dead:beef::/64           link#2             U          em1
 fe80::%em1/64                     link#2             U          em1
 fe80::%em2/64                     link#3             U          em2
 fe80::a00:27ff:fe62:d267%em2      link#3             UHS        lo0
 fe80::%lo0/64                     link#5             U          lo0
 
 
 Note that as expected, the IPv4 routes are constrained to their FIB 
 (192.0.2.0 to FIB 1 and 203.0.113.0 to FIB 2).  However, the IPv6 routes 
 (deadbeef and cafebabe) leak between the FIBs; both prefixes that I add are 
 listed in both FIBs (as well as the link-local stuff).
 
 According to:
 
  
 https://www.freebsd.org/news/status/report-2012-01-2012-03.html#Multi-FIB:-IPv6-Support-and-Other-Enhancements
 
 IPv6 parity is claimed for the FIB code, so I’m not sure if I’m doing it 
 wrong, or if there’s a problem with the FIB code and IPv6 routes.
 
 Thanks in advance for any help or clarification!


People simply broke it (again).  Please file a bug report.   You may mention 
that there are regression test scripts in src/tools/ somewhere to test all the 
cases for IPv6.


— 
Bjoern A. Zeeb  Charles Haddon Spurgeon:
Friendship is one of the sweetest joys of life.  Many might have failed
 beneath the bitterness of their trial  had they not found a friend.



Re: IPv6 routes leaking between FIBs?

2014-12-28 Thread Julian Elischer

On 12/28/14 11:19 AM, Jason Healy wrote:

Hello,

Trying out FreeBSD for the first time to build a firewall box that’s multi-core 
and runs PF.  I’m very interested in the FIB code, as it lines up well with the 
way my core networking equipment works and should allow me to route traffic on 
an interface that’s logically separate from the management interfaces.

to some extent this is what it was written for.. the fib code was 
written for Ironport/Cisco for separating the management port from the 
data ports on their appliances, however the VNET code that came later 
is an even cleaner way of doing it and FIBs were only used by Ironport 
because VNET was not yet available. Have you tried vnet jails for 
interface isolation?



I’ve been playing for a bit with the FIB features, but I’m getting hung up on 
IPv6.  I’m trying to set up two interfaces on my box to each have a different 
FIB, and to not leak routes between the interfaces:

# sysctl net.add_addr_allfibs=0
# ifconfig em1 inet 192.0.2.1/24 fib 1
# ifconfig em1 inet6 2001:db8:dead:beef::1/64 fib 1
# ifconfig em2 inet 203.0.113.1/24 fib 2
# ifconfig em2 inet6 2001:db8:cafe:babe::1/64 fib 2

If I then check the routing tables for each FIB, here’s what I get:

# setfib -F 1 netstat -rn

Routing tables (fib: 1)

Internet:
Destination                       Gateway            Flags      Netif Expire
192.0.2.0/24                      link#2             U          em1
192.0.2.1                         link#2             UHS        lo0

Internet6:
Destination                       Gateway            Flags      Netif Expire
2001:db8:cafe:babe::/64           link#3             U          em2
2001:db8:dead:beef::/64           link#2             U          em1
2001:db8:dead:beef::1             link#2             UHS        lo0
fe80::%em1/64                     link#2             U          em1
fe80::a00:27ff:fef6:162a%em1      link#2             UHS        lo0
fe80::%em2/64                     link#3             U          em2
fe80::%lo0/64                     link#5             U          lo0


# setfib -F 2 netstat -rn

Routing tables (fib: 2)

Internet:
Destination                       Gateway            Flags      Netif Expire
203.0.113.0/24                    link#3             U          em2
203.0.113.1                       link#3             UHS        lo0

Internet6:
Destination                       Gateway            Flags      Netif Expire
2001:db8:cafe:babe::/64           link#3             U          em2
2001:db8:cafe:babe::1             link#3             UHS        lo0
2001:db8:dead:beef::/64           link#2             U          em1
fe80::%em1/64                     link#2             U          em1
fe80::%em2/64                     link#3             U          em2
fe80::a00:27ff:fe62:d267%em2      link#3             UHS        lo0
fe80::%lo0/64                     link#5             U          lo0


Note that as expected, the IPv4 routes are constrained to their FIB (192.0.2.0 
to FIB 1 and 203.0.113.0 to FIB 2).  However, the IPv6 routes (deadbeef and 
cafebabe) leak between the FIBs; both prefixes that I add are listed in both 
FIBs (as well as the link-local stuff).

According to:

   
https://www.freebsd.org/news/status/report-2012-01-2012-03.html#Multi-FIB:-IPv6-Support-and-Other-Enhancements

IPv6 parity is claimed for the FIB code, so I’m not sure if I’m doing it wrong, 
or if there’s a problem with the FIB code and IPv6 routes.

Thanks in advance for any help or clarification!

Jason


IPv6 routes leaking between FIBs?

2014-12-27 Thread Jason Healy
Hello,

Trying out FreeBSD for the first time to build a firewall box that’s multi-core 
and runs PF.  I’m very interested in the FIB code, as it lines up well with the 
way my core networking equipment works and should allow me to route traffic on 
an interface that’s logically separate from the management interfaces.

I’ve been playing for a bit with the FIB features, but I’m getting hung up on 
IPv6.  I’m trying to set up two interfaces on my box to each have a different 
FIB, and to not leak routes between the interfaces:

# sysctl net.add_addr_allfibs=0
# ifconfig em1 inet 192.0.2.1/24 fib 1
# ifconfig em1 inet6 2001:db8:dead:beef::1/64 fib 1
# ifconfig em2 inet 203.0.113.1/24 fib 2
# ifconfig em2 inet6 2001:db8:cafe:babe::1/64 fib 2

If I then check the routing tables for each FIB, here’s what I get:

# setfib -F 1 netstat -rn

Routing tables (fib: 1)

Internet:
Destination                       Gateway            Flags      Netif Expire
192.0.2.0/24                      link#2             U          em1
192.0.2.1                         link#2             UHS        lo0

Internet6:
Destination                       Gateway            Flags      Netif Expire
2001:db8:cafe:babe::/64           link#3             U          em2
2001:db8:dead:beef::/64           link#2             U          em1
2001:db8:dead:beef::1             link#2             UHS        lo0
fe80::%em1/64                     link#2             U          em1
fe80::a00:27ff:fef6:162a%em1      link#2             UHS        lo0
fe80::%em2/64                     link#3             U          em2
fe80::%lo0/64                     link#5             U          lo0


# setfib -F 2 netstat -rn

Routing tables (fib: 2)

Internet:
Destination                       Gateway            Flags      Netif Expire
203.0.113.0/24                    link#3             U          em2
203.0.113.1                       link#3             UHS        lo0

Internet6:
Destination                       Gateway            Flags      Netif Expire
2001:db8:cafe:babe::/64           link#3             U          em2
2001:db8:cafe:babe::1             link#3             UHS        lo0
2001:db8:dead:beef::/64           link#2             U          em1
fe80::%em1/64                     link#2             U          em1
fe80::%em2/64                     link#3             U          em2
fe80::a00:27ff:fe62:d267%em2      link#3             UHS        lo0
fe80::%lo0/64                     link#5             U          lo0


Note that as expected, the IPv4 routes are constrained to their FIB (192.0.2.0 
to FIB 1 and 203.0.113.0 to FIB 2).  However, the IPv6 routes (deadbeef and 
cafebabe) leak between the FIBs; both prefixes that I add are listed in both 
FIBs (as well as the link-local stuff).

According to:

  
https://www.freebsd.org/news/status/report-2012-01-2012-03.html#Multi-FIB:-IPv6-Support-and-Other-Enhancements

IPv6 parity is claimed for the FIB code, so I’m not sure if I’m doing it wrong, 
or if there’s a problem with the FIB code and IPv6 routes.

Thanks in advance for any help or clarification!

Jason