
Local IPv6 routes are not set properly



I have a host with several jails. Some of them only need to be reachable
from other jails (e.g. a shared database server). Being an IPv6
advocate, of course I want the jails to communicate via IPv6 with each
other. Every jail has a manually set, public IPv6 address (which is
firewalled) on the host's physical NIC, and an internal fc00::/8
address for internal services on a cloned loopback device.

To be able to reach IPv4-only hosts from within a jail, I set up a NAT
to local IPv4 addresses (127.0.0.1/8) on cloned interfaces.

There are some reasons for this rather strange setup:

.)
In case a jail gets hacked, nobody should be able to read traffic from
other jails which are communicating locally. This is just on spec, I
have not done any research on the exact behaviour of cloned interfaces.

.)
It feels better when the internal services just listen on globally
non-routable private addresses.


Unfortunately I cannot reach services which listen only on fc00::/8
addresses within a jail. Neither from the host, nor from a jail, nor
from within the jail that opened the socket. Apparently the reason for
that is that the routing table is not set properly for IPv6 addresses.
Everything IPv4 related looks and works as expected. I did a reboot
to ensure that nothing has been set manually.

Here is the relevant line from the ezjail config:
 jail_$jailname_ip="lo3|127.0.0.4,lo3|fc00::db,vtnet0|2001:xxxx:xxxx:xxxx:xxxx::db"


To my understanding this should set 127.0.0.4 for lo3 (which works as
expected) and fc00::db for lo3. But fc00::db is set on lo0.

The alias for vtnet0 (the host NIC) is set as an alias and works as expected.


This is the output from netstat -rn within a jail.

netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags      Netif Expire
127.0.0.4          link#5             UH          lo3

Internet6:
Destination                      Gateway Flags   Netif Expire
2001:xxxx:xxxx:xxxx:xxxx::db     link#1  UHS      lo0
fc00::db                         link#5  UHS      lo0


This is from netstat -rn | grep db on the host:

2001:xxxx:xxxx:xxxx:xxxx::db     link#1   UHS   lo0
fc00::db                         link#5   UHS   lo0
ff01::%lo3/32                    fc00::db U     lo3
ff02::%lo3/32                    fc00::db U     lo3

To my understanding the IPv6 addresses should be set to lo3 not lo0. Is
this a bug, or am I missing something?

Regards,
Manuel
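The comparison the post makes by hand (the interface named in the ezjail "ifname|addr" list against the Netif column of netstat -rn) can be scripted so a jail host can be checked in one go. This is an added example, not code from the original post or from ezjail; it runs against a constructed copy of the netstat output above, with 2001:db8::db standing in for the masked public address.

```shell
#!/bin/sh
# Added example: cross-check the interface an ezjail "ifname|addr" list
# expects against the Netif column netstat -rn actually reports for each
# address. Prints one line per address and returns non-zero on any mismatch.

# Constructed sample of `netstat -rn` output mirroring the report above
# (the fc00::db host route shows lo0 although lo3 was configured).
SAMPLE_NETSTAT='Routing tables

Internet:
Destination        Gateway            Flags      Netif Expire
127.0.0.4          link#5             UH          lo3

Internet6:
Destination                      Gateway Flags   Netif Expire
2001:db8::db                     link#1  UHS      lo0
fc00::db                         link#5  UHS      lo0'

# check_jail_ips "<ezjail ip list>" "<netstat -rn output>"
# Each entry is "ifname|address"; an address may carry a /prefix length.
check_jail_ips() {
    ip_list=$1
    table=$2
    rc=0
    # split the comma-separated list without relying on bash arrays
    for entry in $(printf '%s' "$ip_list" | tr ',' ' '); do
        want_if=${entry%%|*}
        addr=${entry#*|}
        addr=${addr%%/*}          # drop an optional /prefix
        # Netif is the 4th column of the host-route line whose Destination
        # is exactly this address (header and multicast rows never match).
        got_if=$(printf '%s\n' "$table" | awk -v a="$addr" '$1 == a { print $4; exit }')
        if [ -z "$got_if" ]; then
            printf '%s: no host route found\n' "$addr"
            rc=1
        elif [ "$got_if" != "$want_if" ]; then
            printf '%s: configured on %s but routed via %s\n' "$addr" "$want_if" "$got_if"
            rc=1
        else
            printf '%s: ok (%s)\n' "$addr" "$got_if"
        fi
    done
    return $rc
}

# Run against the constructed sample; on a live host or jail pass
# "$(netstat -rn)" as the second argument instead.
check_jail_ips "lo3|127.0.0.4,lo3|fc00::db,vtnet0|2001:db8::db" "$SAMPLE_NETSTAT" \
    || echo "at least one address is not routed via its configured interface"
```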