Regression with jails/IPv6/pf
Mike Andrews
mandrews at bit0.com
Thu Jul 26 20:52:55 UTC 2012
On 7/26/2012 2:45 PM, Matthew Seaman wrote:
> So, I tried to do a routine update to the latest stable/9 yesterday
> (r238771), and I found that access to the jail on my server had stopped
> working. Everything else seemed to be fine, and reverting to the
> previous system (r237456 from 2012-06-22 (Boot Environments FTW)) bought
> it all back to life.
>
> After spending most of today bisecting versions and compiling kernels,
> I found:
>
> r238177 worked absolutely fine
>
> r238236 accessing the jail worked, but everything was slow, as if
> DNS queries were timing out.
>
> r238246 lots of network timeouts everywhere: accessing the jail
> failed, but then so did accessing the main host. So much
> so that svn couldn't update properly.
>
> r238256 worked fine for accessing the main host, but failed when
> trying to access the jail.
>
> Looks like this seems to have been introduced in a batch of commits
> MFC'd by bz@ (CC'd) around then.
>
> Now, this jail is set up in an unusual way, which is why I guess I'm the
> first person to be affected. For starters, it only has IPv6
> connectivity, and secondly, because I'm running some daemons there I
> don't want listening on an external network socket, it's bound to the
> loopback and I use firewall redirection to send traffic to it.
Sounds like what I hit and filed kern/170070 on -- basically a host not
being able to talk to itself on IPv6, except on the ::1 address.
Workaround: ifconfig lo0 -txcsum6 -rxcsum6
or in /etc/rc.conf:
ifconfig_lo0="inet 127.0.0.1/8 -txcsum6 -rxcsum6"
More information about the freebsd-stable
mailing list