Date: Tue, 02 Jan 2024 08:51:34 +0100
From: Alexander Leidinger
To: Lexi Winter
Cc: freebsd-current@freebsd.org
Subject: Re: bridge(4) and IPv6 broken?
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current
Organization: No organization, this is a private message.

On 2024-01-02 00:40, Lexi Winter wrote:
> hello,
>
> i'm having an issue with bridge(4) and IPv6, with a configuration which
> is essentially identical to a working system running releng/14.0.
>
> ifconfig:
>
> lo0: flags=1008049 metric 0 mtu 16384
>         options=680003
>         inet 127.0.0.1 netmask 0xff000000
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
>         groups: lo
>         nd6 options=21
> pflog0: flags=1000141 metric 0 mtu 33152
>         options=0
>         groups: pflog
> alc0: flags=1008943 metric 0 mtu 1500
>         options=c3098
>         ether 30:9c:23:a8:89:a0
>         inet6 fe80::329c:23ff:fea8:89a0%alc0 prefixlen 64 scopeid 0x3
>         media: Ethernet autoselect (1000baseT )
>         status: active
>         nd6 options=1
> wg0: flags=10080c1 metric 0 mtu 1420
>         options=80000
>         inet 172.16.145.21 netmask 0xffffffff
>         inet6 fd00:0:1337:cafe:1111:1111:829a:595e prefixlen 128
>         groups: wg
>         tunnelfib: 1
>         nd6 options=101
> bridge0: flags=1008843 metric 0 mtu 1500
>         options=0
>         ether 58:9c:fc:10:ff:b6
>         inet 10.1.4.101 netmask 0xffffff00 broadcast 10.1.4.255
>         inet6 2001:8b0:aab5:104:3::101 prefixlen 64
>         id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
>         maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
>         root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
>         member: tap0 flags=143
>                 ifmaxaddr 0 port 6 priority 128 path cost 2000000
>         member: alc0 flags=143
>                 ifmaxaddr 0 port 3 priority 128 path cost 55
>         groups: bridge
>         nd6 options=1
> tap0: flags=9903 metric 0 mtu 1500
>         options=80000
>         ether 58:9c:fc:10:ff:89
>         groups: tap
>         media: Ethernet 1000baseT
>         status: no carrier
>         nd6 options=29
>
> the issue is that the bridge doesn't seem to respond to IPv6 ICMP
> Neighbour Solicitation.  for example, while running ping, tcpdump shows
> this:
>
> 23:30:16.567071 58:9c:fc:10:ff:b6 > 1e:ab:48:c1:f6:62, ethertype IPv6
>     (0x86dd), length 70: 2001:8b0:aab5:104:3::101 > 2001:8b0:aab5:106::12:
>     ICMP6, echo request, id 34603, seq 13, length 16
> 23:30:16.634860 1e:ab:48:c1:f6:62 > 33:33:ff:00:01:01, ethertype IPv6
>     (0x86dd), length 86: fe80::1cab:48ff:fec1:f662 > ff02::1:ff00:101:
>     ICMP6, neighbor solicitation, who has 2001:8b0:aab5:104:3::101, length
>     32
> 23:30:17.567080 58:9c:fc:10:ff:b6 > 1e:ab:48:c1:f6:62, ethertype IPv6
>     (0x86dd), length 70: 2001:8b0:aab5:104:3::101 > 2001:8b0:aab5:106::12:
>     ICMP6, echo request, id 34603, seq 14, length 16
> 23:30:17.674842 1e:ab:48:c1:f6:62 > 33:33:ff:00:01:01, ethertype IPv6
>     (0x86dd), length 86: fe80::1cab:48ff:fec1:f662 > ff02::1:ff00:101:
>     ICMP6, neighbor solicitation, who has 2001:8b0:aab5:104:3::101, length
>     32
> 23:30:17.936956 1e:ab:48:c1:f6:62 > 33:33:00:00:00:01, ethertype IPv6
>     (0x86dd), length 166: fe80::1cab:48ff:fec1:f662 > ff02::1: ICMP6,
>     router advertisement, length 112
> 23:30:18.567093 58:9c:fc:10:ff:b6 > 1e:ab:48:c1:f6:62, ethertype IPv6
>     (0x86dd), length 70: 2001:8b0:aab5:104:3::101 > 2001:8b0:aab5:106::12:
>     ICMP6, echo request, id 34603, seq 15, length 16
> 23:30:19.567104 58:9c:fc:10:ff:b6 > 1e:ab:48:c1:f6:62, ethertype IPv6
>     (0x86dd), length 70: 2001:8b0:aab5:104:3::101 > 2001:8b0:aab5:106::12:
>     ICMP6, echo request, id 34603, seq 16, length 16
> 23:30:19.567529 1e:ab:48:c1:f6:62 > 33:33:ff:00:01:01, ethertype IPv6
>     (0x86dd), length 86: fe80::1cab:48ff:fec1:f662 > ff02::1:ff00:101:
>     ICMP6, neighbor solicitation, who has 2001:8b0:aab5:104:3::101, length
>     32
>
> fe80::1cab:48ff:fec1:f662 is the subnet router; it's sending
> solicitations but FreeBSD doesn't send a response,
>
> if i remove alc0 from the bridge and configure the IPv6 address directly
> on alc0 instead, everything works fine.
>
> i'm testing without any packet filter (ipfw/pf) in the kernel.
>
> it's possible i'm missing something obvious here; does anyone have an
> idea?

Just an idea. I'm not sure if it is the right track...

There is code in the kernel which is ignoring NS stuff from "non-valid"
sources (security / spoofing reasons). The NS request is from a link
local address. Your bridge has no link local address (and your tap has
the auto linklocal flag set which I would have expected to be on the
bridge instead).

I'm not sure but I would guess it could be because of this.

If my guess is not too far off, I would suggest to try:
  - remove auto linklocal from tap0 (like for alc0)
  - add auto linklocal to bridge0

If this doesn't help, there is the sysctl
net.inet6.icmp6.nd6_onlink_ns_rfc4861 which you could try to set to 1.
Please read
https://www.freebsd.org/security/advisories/FreeBSD-SA-08:10.nd6.asc
before you do that.

Bye,
Alexander.

-- 
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netchild@FreeBSD.org  : PGP 0x8F31830F9F2772BF
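
The two observations in the reply above (bridge0 carries no link-local address, tap0 has auto linklocal set) can be read off the quoted ifconfig output by decoding the `nd6 options=` bitmask. This is an added example, not part of the original message: the sample text is constructed from the values quoted in the post, the flag bits are the ND6_IFF_* values from FreeBSD's netinet6/nd6.h, and `parse_ifconfig` and `bridge_findings` are hypothetical helper names.

```python
import ipaddress
import re

# nd6 flag bits from FreeBSD's netinet6/nd6.h (ND6_IFF_*), subset.
ND6_FLAGS = {0x1: "PERFORMNUD", 0x8: "IFDISABLED", 0x20: "AUTO_LINKLOCAL", 0x100: "NO_DAD"}

# Constructed excerpt: only names, inet6 addresses, members and nd6 values from the post.
SAMPLE = """\
alc0: flags=1008943 metric 0 mtu 1500
\tinet6 fe80::329c:23ff:fea8:89a0%alc0 prefixlen 64 scopeid 0x3
\tnd6 options=1
bridge0: flags=1008843 metric 0 mtu 1500
\tinet6 2001:8b0:aab5:104:3::101 prefixlen 64
\tmember: tap0 flags=143
\tmember: alc0 flags=143
\tnd6 options=1
tap0: flags=9903 metric 0 mtu 1500
\tnd6 options=29
"""

def parse_ifconfig(text):
    """Map each interface to its inet6 addresses, bridge members, nd6 flags."""
    ifaces = {}
    # A new stanza starts at every line that begins in column 0.
    for stanza in re.split(r"\n(?=\S)", text.strip()):
        name = stanza.split(":", 1)[0]
        addrs = re.findall(r"^\s+inet6 ([0-9a-fA-F:]+)", stanza, re.M)
        nd6 = re.search(r"^\s+nd6 options=([0-9a-fA-F]+)", stanza, re.M)
        bits = int(nd6[1], 16) if nd6 else 0  # ifconfig prints the mask in hex
        ifaces[name] = {
            "inet6": [ipaddress.IPv6Address(a) for a in addrs],
            "members": re.findall(r"^\s+member: (\w+)", stanza, re.M),
            "nd6": {n for b, n in ND6_FLAGS.items() if bits & b},
        }
    return ifaces

def bridge_findings(ifaces):
    """Report the two conditions the reply points at, for every bridge."""
    out = []
    for name, ifc in ifaces.items():
        if not ifc["members"]:
            continue  # not a bridge
        if not any(a.is_link_local for a in ifc["inet6"]):
            out.append(f"{name}: no link-local address")
        for mem in ifc["members"]:
            if "AUTO_LINKLOCAL" in ifaces.get(mem, {}).get("nd6", ()):
                out.append(f"{mem}: AUTO_LINKLOCAL set on bridge member")
    return out

if __name__ == "__main__":
    print("\n".join(bridge_findings(parse_ifconfig(SAMPLE))))
```

On the host, the change the reply suggests corresponds to `ifconfig tap0 inet6 -auto_linklocal` and `ifconfig bridge0 inet6 auto_linklocal`; rerunning the check on fresh `ifconfig` output should then report nothing.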