From owner-freebsd-questions@freebsd.org  Thu Dec 10 19:37:39 2020
Return-Path: <owner-freebsd-questions@freebsd.org>
Delivered-To: freebsd-questions@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id F37C44B4343
 for <freebsd-questions@mailman.nyi.freebsd.org>;
 Thu, 10 Dec 2020 19:37:39 +0000 (UTC)
 (envelope-from philipp@bureaucracy.de)
Received: from bureaucracy.bureaucracy.de (bureaucracy.bureaucracy.de
 [IPv6:2a02:180:1:1::517:b8d])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "bureaucracy.bureaucracy.de",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4CsPMQ5lZwz4smj
 for <freebsd-questions@freebsd.org>; Thu, 10 Dec 2020 19:37:38 +0000 (UTC)
 (envelope-from philipp@bureaucracy.de)
Received: from localhost (localhost [::1])
 by bureaucracy.bureaucracy.de (OpenSMTPD) with ESMTP id 69a8282a
 for <freebsd-questions@freebsd.org>;
 Thu, 10 Dec 2020 20:37:28 +0100 (CET)
Received: from localhost (localhost [local])
 by localhost (OpenSMTPD) with ESMTPA id 5b715db0
 for <freebsd-questions@freebsd.org>;
 Thu, 10 Dec 2020 19:37:28 +0000 (UTC)
From: satanist <satanist+freebsd@bureaucracy.de>
To: freebsd-questions@freebsd.org
Subject: Re: Jail, VNET and IPv6
In-reply-to: <X9HqnHRReRE34Nw5@mithril>
References: <X9HqnHRReRE34Nw5@mithril>
Comments: In-reply-to Jacques Foucry <jacques+freebsd@foucry.net> message
 dated "Thu, 10 Dec 2020 10:30:04 +0100."
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-ID: <3613.1607629048.1@localhost>
Content-Transfer-Encoding: quoted-printable
Date: Thu, 10 Dec 2020 20:37:28 +0100
Message-Id: <614a17bac6f5e561@localhost>
X-Rspamd-Queue-Id: 4CsPMQ5lZwz4smj
X-Spamd-Bar: /
Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none;
 spf=none (mx1.freebsd.org: domain of philipp@bureaucracy.de has no SPF policy
 when checking 2a02:180:1:1::517:b8d) smtp.mailfrom=philipp@bureaucracy.de
X-Spamd-Result: default: False [0.70 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[];
 TO_DN_NONE(0.00)[]; RCVD_COUNT_THREE(0.00)[3];
 NEURAL_HAM_SHORT(-1.00)[-1.000];
 FORGED_SENDER(0.30)[satanist@bureaucracy.de,philipp@bureaucracy.de];
 RCVD_TLS_LAST(0.00)[]; R_DKIM_NA(0.00)[];
 RBL_DBL_DONT_QUERY_IPS(0.00)[2a02:180:1:1::517:b8d:from];
 MIME_TRACE(0.00)[0:+];
 FROM_NEQ_ENVFROM(0.00)[satanist@bureaucracy.de,philipp@bureaucracy.de];
 ASN(0.00)[asn:35366, ipnet:2a02:180::/32, country:DE];
 TAGGED_FROM(0.00)[freebsd]; ARC_NA(0.00)[];
 NEURAL_HAM_MEDIUM(-1.00)[-1.000]; FROM_HAS_DN(0.00)[];
 TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain];
 PREVIOUSLY_DELIVERED(0.00)[freebsd-questions@freebsd.org];
 AUTH_NA(1.00)[]; RCPT_COUNT_ONE(0.00)[1];
 SPAMHAUS_ZRD(0.00)[2a02:180:1:1::517:b8d:from:127.0.2.255];
 DMARC_NA(0.00)[bureaucracy.de]; NEURAL_SPAM_LONG(1.00)[1.000];
 R_SPF_NA(0.00)[no SPF record]; MID_RHS_NOT_FQDN(0.50)[];
 MAILMAN_DEST(0.00)[freebsd-questions]
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions/>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Dec 2020 19:37:40 -0000

Hi Jacques

[2020-12-10 10:30] Jacques Foucry <jacques+freebsd@foucry.net>
> I manage on a hosted server many =C2=AB clasical =C2=BB jail with ip adre=
sses as alias of
> em0.
>
> I would like to make a new jail, but using VNET and ipv6. All my tries fa=
iled
> :-( IPv4 work great but IPv6 not.

Would be nice if you share the concept of your network setup. As far as
I have understand from your mail it looks like this:

                                       ------------
                                       | Jail     |
[em0] <-> [bridge0] <-> [epair10a] <-> |[epair10b]|
                                       ------------
> netstat -rn
> [v4output]
>
> Internet6:
> Destination                       Gateway                       Flags    =
 Netif Expire
> [v6routes]
> 2a01:4f9:4a:1fd8::/64             link#1                        U        =
   em0

I think here is the problem. You have the route to your jail on the em0
interface and not on the bridge. Handbook[0] says:

> If the bridge host needs an IP address, set it on the bridge interface,
> not on the member interfaces.

I would asume this is also true for routes. I asume if you _send_ packages
on em0 they never reache the bridge.

> ifconfig
> em0: flags=3D8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric =
0 mtu 1500
> 	options=3D81009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_=
HWFILTER>
> 	ether b4:2e:99:6a:80:9d
> 	inet6 2a01:4f9:4a:1fd8::2 prefixlen 64
> 	inet6 fe80::b62e:99ff:fe6a:809d%em0 prefixlen 64 scopeid 0x1
> 	inet6 2a01:4f9:4a:1fd8::16 prefixlen 64
> 	inet6 2a01:4f9:4a:1fd8::21 prefixlen 64
> 	inet6 2a01:4f9:4a:1fd8::12 prefixlen 64
> 	inet6 2a01:4f9:4a:1fd8::29 prefixlen 64
> 	inet6 2a01:4f9:4a:1fd8::15 prefixlen 64
> 	inet6 2a01:4f9:4a:1fd8::11 prefixlen 64
> 	inet6 2a01:4f9:4a:1fd8::22 prefixlen 64
> 	inet6 2a01:4f9:4a:1fd8::17 prefixlen 64
> 	inet6 2a01:4f9:4a:1fd8::28 prefixlen 64
> 	inet6 2a01:4f9:4a:1fd8::18 prefixlen 64
> 	inet6 2a01:4f9:4a:1fd8::19 prefixlen 64
> 	inet6 2a01:4f9:4a:1fd8::25 prefixlen 64
> 	inet6 2a01:4f9:4a:1fd8::5 prefixlen 64
> 	inet6 2a01:4f9:4a:1fd8::14 prefixlen 64
> 	inet 95.217.83.231 netmask 0xffffffc0 broadcast 95.217.83.255
> 	media: Ethernet autoselect (1000baseT <full-duplex>)
> 	status: active
> 	nd6 options=3D21<PERFORMNUD,AUTO_LINKLOCAL>
> [other interfaces]
> bridge0: flags=3D8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mt=
u 1500
> 	description: vnet-jail-bridge
> 	ether 02:36:b3:c1:8a:00
> 	inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
> 	id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
> 	maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
> 	root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
> 	member: em0 flags=3D143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
> 	        ifmaxaddr 0 port 1 priority 128 path cost 20000
> 	groups: bridge
> 	nd6 options=3D1<PERFORMNUD>

For v6 the adresses are on em0 for v4 they are on bridge0. Therefore
v4 works but v6 don't.

> As you can see thereis a bridge (bridg0) with an IPv4 10.0.0.1/24. PF ass=
ume
> the nat fonction for this range to 10.0.010/24 the new jail IPv4.

Thise seames strange. You bridge your internal network to the external,
but also NAT the internel Network. This has some odd side effects. Your
Jails can ackt like a Host on your upstream-network and every host on
your upstream-network can ackt like it's just an other jail.

> [jail config]
>    exec.start       +=3D "/sbin/ifconfig epair${id}b ${ipaddr} netmask ${=
mask} up";
> [...]
>
> epair10a on the host:
>
> epair10a: flags=3D8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> me=
tric 0 mtu 1500
> 	description: vnet-jitsi
> 	options=3D8<VLAN_MTU>
> 	ether 02:dc:c8:b1:ac:0a
> 	inet6 fe80::dc:c8ff:feb1:ac0a%epair10a prefixlen 64 scopeid 0x6
> 	groups: epair
> 	media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
> 	status: active
> 	nd6 options=3D21<PERFORMNUD,AUTO_LINKLOCAL>

Again the problem with addresses on interfaces in a bridge.

> I must miss something, or misunderstood something=E2=80=A6
>
> Any advices are welcome. =


If you want to continue with a bridged setup I would say you need to
move the ipv6 config from em0 to bridge0. I would recommend to switch
to a routed setup.

satanist

[0] https://www.freebsd.org/doc/handbook/network-bridging.html