Re: icmp (IPv4) issues with VIMAGE JAILs and IPv6
On Tue, 29 Jan 2019 11:36:37 +0300 "Andrey V. Elsukov" wrote:

> On 28.01.2019 15:44, O. Hartmann wrote:
> > Stopping all jails, destroying all epairs and bridge0 doesn't change
> > anything. The problems occurred when IPv6 came into play on the specific
> > host in question.
> >
> > Does anyone have any ideas? I'm out of ideas.
>
> Hi,
>
> I think I found the problem, the bug was introduced in r342908.
> Can you try attached patch?
>

Sorry for responding so late.

Thank you for digging into this problem - and finally having resolved it! Great.
After the patch has been applied, the system worked as expected. Thanks a lot.

Regards,
Oliver
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: icmp (IPv4) issues with VIMAGE JAILs and IPv6
On 28.01.2019 15:44, O. Hartmann wrote:
> Stopping all jails, destroying all epairs and bridge0 doesn't change anything.
> The problems occurred when IPv6 came into play on the specific host in
> question.
>
> Does anyone have any ideas? I'm out of ideas.

Hi,

I think I found the problem, the bug was introduced in r342908.
Can you try attached patch?

--
WBR, Andrey V. Elsukov

Index: sys/netpfil/ipfw/ip_fw2.c === --- sys/netpfil/ipfw/ip_fw2.c (revision 343395) +++ sys/netpfil/ipfw/ip_fw2.c (working copy) @@ -1410,6 +1410,7 @@ ipfw_chk(struct ip_fw_args *args) dst_ip.s_addr = 0; /* make sure it is initialized */ src_ip.s_addr = 0; /* make sure it is initialized */ + src_port = dst_port = 0; pktlen = m->m_pkthdr.len; DYN_INFO_INIT(_info); @@ -1688,7 +1689,6 @@ do {\ args->f_id.dst_ip = ntohl(dst_ip.s_addr); } else { proto = 0; - src_port = dst_port = 0; dst_ip.s_addr = src_ip.s_addr = 0; args->f_id.addr_type = 1; /* XXX */
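Review bot: in the first hunk (ipfw_chk(), around line 1410) the new `src_port = dst_port = 0;` sits next to two initializers that each carry a `/* make sure it is initialized */` comment but has none itself. Please add a matching comment, ideally one noting that the only previous zeroing of the ports was in the `else` branch touched by the second hunk, so that nobody moves the assignment back there.

Review bot: in the second hunk (around line 1688) the `else` branch still sets `dst_ip.s_addr = src_ip.s_addr = 0;` although the first hunk shows both addresses already zeroed at function entry, and `proto = 0;` is still assigned only in this branch. If nothing can write the addresses before this branch is reached, drop the duplicate assignment; and please confirm that `proto` is set on every other path, since it is now in the same position the port variables were in before this change.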
Re: icmp (IPv4) issues with VIMAGE JAILs and IPv6
On 28.01.2019 15:44, O. Hartmann wrote:
> Stopping all jails, destroying all epairs and bridge0 doesn't change anything.
> The problems occurred when IPv6 came into play on the specific host in
> question.
>
> Does anyone have any ideas? I'm out of ideas.

Since your ruleset is relatively simple, first of all try to use the "log" opcode for "deny" rules and look at what happens in /var/log/security.

--
WBR, Andrey V. Elsukov
Re: icmp (IPv4) issues with VIMAGE JAILs and IPv6
On 28 Jan 2019, at 12:44, O. Hartmann wrote:

> I ran into severe problems on CURRENT ( FreeBSD 13.0-CURRENT #193 r343521: Mon
> Jan 28 10:26:36 CET 2019 amd64), VIMAGE enabled host with jails utilizing IPv6.

and you forget to mention in the subject that it seems to be an ipfw problem and thus missing your target audience most likely.

> Stopping all jails, destroying all epairs and bridge0 doesn't change anything.
> The problems occurred when IPv6 came into play on the specific host in question.

Does that mean you could reproduce the problem just with bce0 and no jail+vnets at all just with IPv4, IPv6, and ipfw on the main host?

If you cannot, would starting a vnet-jail (without the bridge and connecting the epair), just starting a jail in persist mode, make a difference; or would starting a jail and applying the ipfw rules therein start the problem?

> Does anyone have any ideas? I'm out of ideas.

My best guess is to move the thread to freebsd-ipfw (Cc: and Reply-To: set) and see if people pick it up there some more and also finding the minimalistic case to reproduce.

/bz