Bug 212031 - 11.0-RC1: vimage jail with ipfw flooded with repeated ipv6 packets
Summary: 11.0-RC1: vimage jail with ipfw flooded with repeated ipv6 packets
Status: Closed Overcome By Events
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 11.0-RC1
Hardware: Any Any
Importance: --- Affects Many People
Assignee: freebsd-bugs mailing list
Reported: 2016-08-21 20:00 UTC by Joe Barbish
Modified: 2018-12-04 21:36 UTC (History)
Description Joe Barbish 2016-08-21 20:00:43 UTC
Tested on 11.0-RC1 with only vimage compiled into the kernel.
Tested ipfw in vnet jail and no firewall on host.
Tested ipfw in vnet jail and on the host.



Testing no ipfw firewall running on host, just in vnet jail.

When starting a vnet jail with ipfw, I check if the ipfw kernel modules are
loaded; if not, I load them. Auto loading of modules does not happen.


No ipfw logging takes place in the vnet jail or on the host.

Issuing the "ipfw show" command from the started vnet jail console shows this
v84 /root >ipfw show
00050 0   0 check-state
00060 0   0 allow ip from any to any via lo0
00070 0   0 deny log tcp from any to any dst-port 43 out via epair26b
00080 0   0 allow log ip from any to any via epair26b keep-state
00090 0   0 allow log ip from any to any keep-state
00099 0   0 allow log ip from any to any


Issuing the "ping" command from the started vnet jail console works.

Issuing the "whois" command from the started vnet jail console does not work.
It just hangs until ctrl-c is pressed to break free. But "ipfw show" shows counts
increasing. This is because the whois command does a DNS lookup first and
those packets are not blocked.

v84 /root >whois 8.8.8.8
^C
v84 /root >ipfw show
00050 0   0 check-state
00060 0   0 allow ip from any to any via lo0
00070 0   0 deny log tcp from any to any dst-port 43 out via epair26b
00080 3 180 allow log ip from any to any via epair26b keep-state
00090 0   0 allow log ip from any to any keep-state
00099 0   0 allow log ip from any to any
65535 4 320 deny ip from any to any

This would seem to indicate that the ipfw rules in a vnet jail are 
functioning even though there is no log file to view.



Testing ipfw firewall running on host and vnet jail.

Issuing the "ipfw show" command from the host console shows this
 /root >ipfw show
00001  0    0 check-state
00002  0    0 allow ip from any to any via lo0
00003  0    0 deny ip from 10.0.10.4 to any
00004 16 2192 allow log ip from any to any via fxp0 keep-state
00005  9  740 allow log ip from any to any keep-state
65535  0    0 deny ip from any to any

Issuing the "ipfw show" command from the started vnet jail
console shows this
v84 /root >ipfw show
00050 0   0 check-state
00060 0   0 allow ip from any to any via lo0
00070 0   0 deny log tcp from any to any dst-port 43 out via epair26b
00080 0   0 allow log ip from any to any via epair26b keep-state
00090 0   0 allow log ip from any to any keep-state
00099 0   0 allow log ip from any to any
65535 7 604 deny ip from any to any

Take note of the different rule numbers between the jail rules and the host's rules. This is done so I can tell in the ipfw log file who is issuing the logged records.

The host's ipfw log logs this on vnet jail startup.

 5 Accept ICMPv6:143.0 [::] [ff02::16] out via epair26a
 5 Accept ICMPv6:143.0 [::] [ff02::16] out via epair26a
 5 Accept ICMPv6:135.0 [::] [ff02::1:ff00:40a] out via epair26a
 5 Accept ICMPv6:143.0 [fe80::c1:ff:fe00:40a] [ff02::16] out via epair26a
80 Accept ICMPv6:143.0 [fe80::c1:ff:fe00:50b] [ff02::16] out via epair26b
 5 Accept ICMPv6:143.0 [fe80::c1:ff:fe00:50b] [ff02::16] in via epair26a
 5 Accept ICMPv6:143.0 [fe80::c1:ff:fe00:50b] [ff02::16] in via epair26a
 5 Accept ICMPv6:143.0 [fe80::c1:ff:fe00:50b] [ff02::16] out via bridge0
 5 Accept ICMPv6:143.0 [fe80::c1:ff:fe00:50b] [ff02::16] out via fxp0
 5 Accept ICMPv6:143.0 [fe80::c1:ff:fe00:50b] [ff02::16] in via epair26a
 4 Accept UDP [fe80::d950:d6dc:db92:f20d]:546 [ff02::1:2]:547 in via fxp0
 4 Accept UDP [fe80::d950:d6dc:db92:f20d]:546 [ff02::1:2]:547 in via fxp0
 4 Accept UDP [fe80::d950:d6dc:db92:f20d]:546 [ff02::1:2]:547 out via bridge0
 4 Accept UDP [fe80::d950:d6dc:db92:f20d]:546 [ff02::1:2]:547 out via epair26a

These log messages are repeated in cycles for the whole time the vnet jail
is running. 
 
Issuing the "ping" command from the started vnet jail console works and the
host's ipfw log shows this
80 Accept ICMP:8.0 10.26.0.2 8.8.8.8 out via epair26b
 5 Accept ICMP:8.0 10.26.0.2 8.8.8.8 in via epair26a
 5 Accept ICMP:8.0 10.26.0.2 8.8.8.8 out via fxp0
 5 Accept ICMP:0.0 8.8.8.8 10.26.0.2 in via fxp0
 5 Accept ICMP:0.0 8.8.8.8 10.26.0.2 in via fxp0
 5 Accept ICMP:0.0 8.8.8.8 10.26.0.2 out via bridge0
 5 Accept ICMP:0.0 8.8.8.8 10.26.0.2 out via epair26a
80 Accept ICMP:0.0 8.8.8.8 10.26.0.2 in via epair26b
80 Accept ICMP:8.0 10.26.0.2 8.8.8.8 out via epair26b
 5 Accept ICMP:8.0 10.26.0.2 8.8.8.8 in via epair26a
 5 Accept ICMP:8.0 10.26.0.2 8.8.8.8 out via fxp0
 5 Accept ICMP:0.0 8.8.8.8 10.26.0.2 in via fxp0
 5 Accept ICMP:0.0 8.8.8.8 10.26.0.2 in via fxp0
 5 Accept ICMP:0.0 8.8.8.8 10.26.0.2 out via bridge0
 5 Accept ICMP:0.0 8.8.8.8 10.26.0.2 out via epair26a

Issuing the "ipfw show" command from the started vnet jail
console after the ping command shows this
v84 /root >ipfw show
00050  0    0 check-state
00060  0    0 allow ip from any to any via lo0
00070  0    0 deny log tcp from any to any dst-port 43 out via epair26b
00080 45 5960 allow log ip from any to any via epair26b keep-state
00090  0    0 allow log ip from any to any keep-state
00099  0    0 allow log ip from any to any
65535  7  604 deny ip from any to any

Issuing the "ipfw show" command from the host console after the ping command shows this
/root >ipfw show
00001   0     0 check-state
00002   0     0 allow ip from any to any via lo0
00003   0     0 deny ip from 10.0.10.4 to any
00004 242 29152 allow log ip from any to any via fxp0 keep-state
00005  33  2756 allow log ip from any to any keep-state
65535   0     0 deny ip from any to any

Issuing the "whois" command from the started vnet jail console works,
in that the command is blocked. This is what is shown
v84 /root >whois 8.8.8.8
whois: connect(): Operation timed out

Looks like things are working as expected.

 

Problems.
1. Why is the vnet jail issuing all that IPv6 traffic? This should only happen if the vnet jail has an IPv6 address coded in this vnet jail's jail.conf definition. This flood of background noise slows down the vnet jail's processing of packets. This flood of IPv6 packets is also seen by the pf and ipfilter firewalls when they are run in a vnet jail. Looks like vimage is doing this.

2. Why does ipfw in the vnet jail not log to a log file in the vnet jail's /var/log directory? Having all the vnet jails' log records intermingling with each other and with the host's log records in the host's ipfw log file will soon become unmanageable as users add more vnet jails to the host.

3. To have vnet jail ipfw logging, the user is forced to also run ipfw on the host.
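Because all jail and host log records land in the same file, the reporter relies on disjoint rule-number ranges to tell them apart. The following script is an added example for this page (it is not from the bug report or from FreeBSD): it parses ipfw log records in the format shown above, attributes each record to "host" or "jail" by rule number, decodes the ICMPv6 types and DHCPv6 ports that appear in the report, and counts which multicast flows repeat. The rule ranges (host 1-49, jail 50-99), the sample log (constructed from the report's format, repeated for two cycles) and all function names are assumptions for illustration.

```python
import re
from collections import Counter

# Trailing part of an ipfw(8) "log" record, in the format shown in the report:
#   <rule> <Action> <PROTO>[:<type>.<code>] <src>[:<port>] <dst>[:<port>] <in|out> via <iface>
LOG_RE = re.compile(
    r"^\s*(?P<rule>\d+)\s+(?P<action>\S+)\s+(?P<proto>[A-Za-z0-9]+)"
    r"(?::(?P<tc>\d+\.\d+))?\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<dir>in|out)\s+via\s+(?P<iface>\S+)\s*$"
)

# ICMPv6 type numbers seen in the report, decoded for readable output.
ICMPV6_TYPES = {135: "neighbor-solicit", 143: "mldv2-report"}

# Assumed rule-number split: host rules below 50, jail rules 50-99.
def origin(rule):
    if 1 <= rule < 50:
        return "host"
    if 50 <= rule < 100:
        return "jail"
    return "unknown"

def split_port(addr):
    """'[fe80::1]:546' -> ('[fe80::1]', 546); '10.26.0.2' -> ('10.26.0.2', None)."""
    m = re.match(r"^(?P<host>\[[^\]]+\]|[^:]+)(?::(?P<port>\d+))?$", addr)
    if not m:
        return addr, None
    return m.group("host"), (int(m.group("port")) if m.group("port") else None)

def parse_line(line):
    """Parse one log record into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, sport = split_port(m.group("src"))
    dst, dport = split_port(m.group("dst"))
    tc = m.group("tc")
    rule = int(m.group("rule"))
    return {
        "rule": rule, "origin": origin(rule), "action": m.group("action"),
        "proto": m.group("proto"),
        "icmp_type": int(tc.split(".")[0]) if tc else None,
        "src": src, "sport": sport, "dst": dst, "dport": dport,
        "dir": m.group("dir"), "iface": m.group("iface"),
    }

def describe(rec):
    """Human-readable protocol label: decodes MLD/ND types and DHCPv6 ports."""
    if rec["proto"] == "ICMPv6" and rec["icmp_type"] in ICMPV6_TYPES:
        return "ICMPv6 " + ICMPV6_TYPES[rec["icmp_type"]]
    if rec["proto"] == "UDP" and {rec["sport"], rec["dport"]} == {546, 547}:
        return "DHCPv6 client/server"
    return rec["proto"]

def flow_counts(lines):
    """Count records per (origin, description, src, dst, direction, iface)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[(rec["origin"], describe(rec), rec["src"], rec["dst"],
                    rec["dir"], rec["iface"])] += 1
    return counts

def per_origin(lines):
    """How many logged records came from host rules versus jail rules."""
    return Counter(parse_line(l)["origin"] for l in lines if parse_line(l))

def repeated_multicast(lines, min_count=2):
    """Flows to link-local multicast (ff02::/16) seen at least min_count times."""
    return {k: n for k, n in flow_counts(lines).items()
            if k[3].startswith("[ff02:") and n >= min_count}

# Constructed sample: one startup cycle in the report's format, repeated twice
# to mimic the cycling the reporter describes.
SAMPLE_CYCLE = [
    " 5 Accept ICMPv6:143.0 [::] [ff02::16] out via epair26a",
    " 5 Accept ICMPv6:143.0 [::] [ff02::16] out via epair26a",
    " 5 Accept ICMPv6:135.0 [::] [ff02::1:ff00:40a] out via epair26a",
    " 5 Accept ICMPv6:143.0 [fe80::c1:ff:fe00:40a] [ff02::16] out via epair26a",
    "80 Accept ICMPv6:143.0 [fe80::c1:ff:fe00:50b] [ff02::16] out via epair26b",
    " 5 Accept ICMPv6:143.0 [fe80::c1:ff:fe00:50b] [ff02::16] in via epair26a",
    " 5 Accept ICMPv6:143.0 [fe80::c1:ff:fe00:50b] [ff02::16] in via epair26a",
    " 5 Accept ICMPv6:143.0 [fe80::c1:ff:fe00:50b] [ff02::16] out via bridge0",
    " 5 Accept ICMPv6:143.0 [fe80::c1:ff:fe00:50b] [ff02::16] out via fxp0",
    " 5 Accept ICMPv6:143.0 [fe80::c1:ff:fe00:50b] [ff02::16] in via epair26a",
    " 4 Accept UDP [fe80::d950:d6dc:db92:f20d]:546 [ff02::1:2]:547 in via fxp0",
    " 4 Accept UDP [fe80::d950:d6dc:db92:f20d]:546 [ff02::1:2]:547 in via fxp0",
    " 4 Accept UDP [fe80::d950:d6dc:db92:f20d]:546 [ff02::1:2]:547 out via bridge0",
    " 4 Accept UDP [fe80::d950:d6dc:db92:f20d]:546 [ff02::1:2]:547 out via epair26a",
]
SAMPLE_LOG = SAMPLE_CYCLE * 2

if __name__ == "__main__":
    print("records by origin:", dict(per_origin(SAMPLE_LOG)))
    for key, n in sorted(repeated_multicast(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{n:3d}x  {key[0]:5s} {key[1]:24s} {key[2]} -> {key[3]} {key[4]} via {key[5]}")
```

Feeding the real log through this (for example, `grep ipfw /var/log/security` piped into `flow_counts`) shows at a glance that nearly all of the repeating records are host rules 4 and 5 seeing the same MLDv2 reports and DHCPv6 solicits on epair26a, bridge0 and fxp0, while the jail's own rule 80 logs each report only once as it leaves epair26b. That per-interface view is what the shared log file makes hard to read by eye.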