-
Notifications
You must be signed in to change notification settings - Fork 250
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
IPv6 broken under bhyve unless allow_ip_spoofing is set. #930
Comments
It may be a bit before I can dig into this, but if you want to play around in the meantime, the following D script might help identify what's failing
|
So do each of these separate like:
Doesn't seem to work, but given the self->trace I assume I need to have them multiline somehow? |
should be able to put them into a file and run with |
OK, figured it out. Add it all to a file and call
|
That was captured during boot and trying to load an ipv6 webpage |
That first success is actually interesting... maybe try this (hopefully no bugs):
|
|
I corrected it since autocorrect was so unhelpfully altering the code.. try it again.. |
Those addresses are indeed what I have in the vm:
|
hrm...
|
|
I think we want arg1 here? Edit: same error, so I guess not. |
I removed the
|
What specific method are you using to obtain the IPv6 address? |
In this case just slaac, with dns server over dhcpv6 (so no addresses via dhcpv6) But the addresses in the ipconfig are slaac. From what it looks like windows first tries to reach the internet via the temp address and then switch to the normal one afterwards (probably as a fallback) |
It was probably IIUC, it should be detecting and adding the SLAAC address -- which should happen via the |
Maybe broaden our scope a bit... see which of these fires..
|
Oddly enough it also returns the above if I disable the dhcpv6 server. It gets the slaac address in both cases and also DNS, so I'm not even sure windows 10 needs dhcpv6. |
If the VM is sending out a DHCPv6 query, then it would make sense -- that's capturing the outbound traffic. From what I can tell, the address restriction bits act somewhat analogous to a very small stateful firewall in that it tracks the outbound requests and responses. So it looks at the inbound and outbound DHCP packets, and a valid DHCP server response adds the IP to the allowed list of the VM. It does look like I missed a probe in the above script which might help as well, so another one to try:
|
|
As mentioned on IRC:
|
Some additional info here.
Maybe what we're looking at here is simply that The link properties are the same though.
|
But it was seeing the traffic right? So the layer underneath bhyve/kvm is aware of the addrconf configured address? |
@sjorge I'm not sure which "it" you mean. Both kvm and bhyve receive neighbor-solicitations (because they happen over link-local addresses), and respond with neighbor-advertisements, which can be seen with
|
Today on #smartos Alasdair was asking about some odd behavior he was seeing.
I was able to replicate the behavior, it seems to effect both windows and linux so it is probably a issue on the illumos side.
With an interface configured for dhcp and addrconf (slaac or dhcpv6):
The interface comes up and gets both a ipv4 and ipv6 address, but that is roughly where it stops.
No IPv6 global or local-link address can be reached, ipv4 is working fine.
After setting
allow_ip_spoofing
to true and rebooting the vm everything is working fine. (easy to check by going to https://test-ipv6.com)You can even play with this on a live VM, starting the vm without
allow_ip_spoofing
set to true.Notice IPv6 is broken, then toggle it from the global zone:
And imediatly IPv6 starts working.
The text was updated successfully, but these errors were encountered: