https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233341
Bug ID: 233341
Summary: 12.0-RC1 i386 vnet does not behave like the amd64 vnet version.
Product: Base System
Version: 12.0-STABLE
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: b...@freebsd.org
Reporter: qja...@a1poweruser.com

Created attachment 199362
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=199362&action=edit
pflog from host

symptoms =
i386 vnet does not behave like the amd64 vnet version.
The i386 version is flooding the host pflog with ipv4 MULTICAST requests and
ipv6 Neighborhood requests. The amd64 version doesn't do that.

On the i386 system with all the vnet jails stopped and then issuing the
shutdown command the system takes a dump only if vnet jails had been
started/stopped. This does not happen on an amd64 system.

Configuration =
I386 box running pf firewall with very simple rules that pass and log all
traffic. This I386 box is on private lan so no nat being done.
Has vnet jail running pf firewall with very simple rules that pass and log
all traffic.

Host config =

rc.conf
    ifconfig_xl0="DHCP"
    pf_enable="YES"
    pflog_enable="YES"
    pf_rules="/etc/pf.rules.host"
    pflog_logfile="/var/log/pflog"

pf.rules.host
    oif = "xl0"
    set block-policy drop
    set state-policy if-bound
    set loginterface $oif
    scrub out on $oif all random-id
    scrub reassemble tcp
    set skip on lo0
    pass out log (all) quick
    pass in log (all) quick

Vnet jail configuration

rc.conf
    gateway_enable="YES"
    pf_enable="YES"
    pf_rules="/etc/pf.conf"
    pflog_enable="YES"
    pflog_logfile="/var/log/pflog"

pf.conf
    oif=epair1b
    set block-policy drop
    set fail-policy drop
    set state-policy if-bound
    scrub in on $oif all
    set skip on lo0
    block out log quick on $oif inet proto tcp from any to any port 43
    pass out log (all) quick
    pass in log (all) quick

After the vnet jail is started I see this on the host

ifconfig
xl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST>
        options=82009<RXCSUM,VLAN_MTU,WOL_MAGIC,LINKSTATE>
        ether 00:01:02:2f:c3:00
        inet 10.0.10.6 netmask 0xfffffff0 broadcast 10.0.10.15
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33184
        groups: pflog
bridge10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST>
        ether 02:2a:47:08:71:0a
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: epair1a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 7 priority 128 path cost 2000
        member: xl0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 200000
        groups: bridge
        nd6 options=9<PERFORMNUD,IFDISABLED>
epair1a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST>
        options=8<VLAN_MTU>
        ether 02:a0:73:db:2f:0a
        inet6 fe80::a0:73ff:fedb:2f0a%epair1a prefixlen 64 scopeid 0x7
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

ps ax
 692  -  DL   0:06.87 [pf purge]
1105  -  Is   0:00.00 pflogd: [priv] (pflogd)
1106  -  S    0:00.29 pflogd: [running] -s 116 -i pflog0
1409  -  IsJ  0:00.01 pflogd: [priv] (pflogd)
1413  -  SJ   0:00.31 pflogd: [running] -s 116 -i pflog0
1465  -  SsJ  0:00.02 /usr/sbin/syslogd -ss
1521  -  IsJ  0:00.03 /usr/sbin/cron -J 60 -s

After the vnet jail is started I see this on the vnet console

ifconfig
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33184
        groups: pflog
epair1b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST>
        options=8<VLAN_MTU>
        ether 02:a0:73:db:2f:0b
        inet 10.0.10.31 netmask 0xff000000 broadcast 10.255.255.255
        inet6 fe80::a0:73ff:fedb:2f0b%epair1b prefixlen 64 scopeid 0x3
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

******************************************************

From the vnet console I issue this command.

ping -c 2 freebsd.org
PING freebsd.org (96.47.72.84): 56 data bytes
64 bytes from 96.47.72.84: icmp_seq=0 ttl=46 time=39.367 ms
64 bytes from 96.47.72.84: icmp_seq=1 ttl=46 time=39.096 ms

--- freebsd.org ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 39.096/39.231/39.367/0.135 ms

Then I looked at the pflog on the host and in the vnet jail to see the ping
packets and what I see is a flood of other ipv4 and ipv6 packets.
The ipv6 packet flood was there in 11.x i386 and now in 12.0 there is a
flood of ipv4 packets. There is a bug report about the ipv6 packet flood
in 11.x.

A lot of network resources are being consumed making this background noise.
Looks like originating from vimage.

The pflog host report is attached as separate file.
pflog.txt.bug1.host
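The report compares pflog noise between the i386 and amd64 hosts by eye. As an added example (not part of the original report or of FreeBSD), the script below counts logged packets per interface and destination class from the text that `tcpdump -n -e -ttt -r /var/log/pflog` prints, so the two hosts can be compared with numbers. The sample lines are constructed, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines (not from the attachment). Only 10.0.10.31,
# 96.47.72.84 and the interface names are taken from the report.
SAMPLE = """\
00:00:00.000000 rule 0/0(match): pass in on xl0: 10.0.10.2 > 224.0.0.1: igmp query v2
00:00:00.120011 rule 0/0(match): pass in on epair1a: fe80::a0:73ff:fedb:2f0b > ff02::1:ffdb:2f0a: ICMP6, neighbor solicitation, who has fe80::a0:73ff:fedb:2f0a, length 32
00:00:00.350400 rule 0/0(match): pass out on xl0: 10.0.10.31 > 96.47.72.84: ICMP echo request, id 1, seq 0, length 64
00:00:00.039367 rule 0/0(match): pass in on xl0: 96.47.72.84 > 10.0.10.31: ICMP echo reply, id 1, seq 0, length 64
00:00:01.000200 rule 0/0(match): pass in on xl0: 10.0.10.3.5353 > 224.0.0.251.5353: 0 PTR (QM)? _ipp._tcp.local. (33)
00:00:01.500000 rule 0/0(match): pass in on xl0: 10.0.10.4.138 > 10.0.10.15.138: NBT UDP PACKET(138)
"""
# Broadcast addresses from the ifconfig output above, plus the limited broadcast.
BROADCASTS = {ipaddress.ip_address(a)
              for a in ("10.0.10.15", "10.255.255.255", "255.255.255.255")}
LINE = re.compile(r"rule ([^:]+): (\w+) (in|out) on (\S+): (\S+) > (\S+): ")

def to_addr(token):
    """Parse a tcpdump endpoint, dropping a trailing .port if present."""
    for cand in (token, token.rpartition(".")[0]):
        try:
            return ipaddress.ip_address(cand)
        except ValueError:
            continue
    return None

def classify(dst):
    if dst is None:
        return "unparsed"
    if dst.is_multicast:
        return f"ipv{dst.version}-multicast"
    return "broadcast" if dst in BROADCASTS else "unicast"

def summarize(text):
    """Count logged packets per (interface, destination class)."""
    counts = Counter()
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            counts[(m.group(4), classify(to_addr(m.group(6))))] += 1
    return counts

def noise_share(counts):
    """Fraction of logged packets whose destination is not unicast."""
    total = sum(counts.values())
    noise = sum(n for (_, kind), n in counts.items() if kind != "unicast")
    return noise / total if total else 0.0
```

Running `summarize()` on the same capture window from the i386 and the amd64 host gives per-interface counts that can be attached to the bug instead of a raw log.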