In 11.0-RELEASE-p10, IPv6 udp and tcp connectivity appears to be blocked between the host and guest jail.

o ICMPv6 (e.g. ping) works in both directions
o UDPv6 and TCPv6 are blocked in the direction master-host --> jail
o If I try to initiate a TCP connection from the jail to the master host, I can see the SYN from the jail on the master host and the SYN-ACK from the master host back to the jail. BUT the jail never responds to the SYN-ACK.
o If I try to initiate a TCP connection from the master host to the jail, I never see a SYN-ACK back from the jail.
o UDPv6 and TCPv6 work fine from hosts outside of the master host (other hosts on the network) to the jail
o UDPv4 and TCPv4 work fine between master host and jail
o this problem is reproducible even if there is no firewall on the system (i.e. no ipfw/pf/ipf modules even loaded into the kernel)
o This problem DOES NOT occur on 10.3-RELEASE-p19 (r317835)
o This problem DOES NOT occur on 11-STABLE (r318822)
o The only version where I can reproduce it is 11-RELEASE-p10 (yes I am confused about that too)
o I used the exact same /etc/jail.conf file and /etc/rc.conf (and kernel config) on all three versions, on the same hardware, and got the results described above.
o I can also reproduce the problem on other hosts, with other IPv[46] addresses, running 11-RELEASE-p10

TO REPRODUCE:

o Install 11-RELEASE-p10 from source, using a kernel config with the following diffs from GENERIC:

*** GENERIC Thu Apr 6 14:39:44 2017 --- 11_VIMAGE Thu Apr 6 15:58:52 2017 *************** *** 357,359 **** --- 357,367 ---- # The crypto framework is required by IPSEC device crypto # Required by IPSEC + + options VIMAGE + device epair + device if_bridge + + # The nullFS to mount local directory + options NULLFS +

o Configure network interfaces (igb0 in this case) statically for both IPv4 and IPv6.

The following /etc/jail.conf:

    # Generated by rc.d/jail at 2015-09-17 14:57:23
    allow.raw_sockets = "1";
    testjail {
        host.hostname = "testjail";
        path = "/jails/testjail";
        vnet;
        vnet.interface = "epair0b";
        exec.clean;
        exec.system_user = "root";
        exec.jail_user = "root";
        exec.prestart += "ifconfig epair0 create up";
        exec.prestart += "ifconfig bridge0 addm igb0 addm epair0a";
        exec.prestart += "ifconfig epair0a up";
        exec.poststop += "ifconfig bridge0 delete epair0a";
        exec.poststop += "ifconfig epair0a destroy";
        exec.start += "/sbin/ifconfig lo0 up";
        exec.start += "/sbin/ifconfig epair0b inet <ipv4>/24 up";
        exec.start += "/sbin/ifconfig epair0b inet6 -ifdisabled";
        exec.start += "/sbin/ifconfig epair0b inet6 <ipv6>/64";
        exec.start += "/sbin/route add default <v4gw>";
        exec.start += "/sbin/route add -6 default <v6gw>";
        exec.start += "/sbin/ifconfig epair0b inet6 -ifdisabled";
        exec.start += "/sbin/ifconfig lo1 create";
        exec.start += "/sbin/ifconfig lo1 inet <separate-svc-address>/32";
        exec.start += "/sbin/ifconfig lo1 inet6 <separate svc-address> prefixlen 128";
        exec.start += "/sbin/ifconfig lo1 down";
        exec.start += "/bin/sh /etc/rc";
        exec.stop = "/bin/sh /etc/rc.shutdown";
        exec.consolelog = "/var/log/jail_testjail_console.log";
        mount.fstab = "/etc/jails/fstabs/testjail";
        mount.devfs;
        allow.mount;
        allow.set_hostname = 1;
        allow.sysvipc = 0;
    }

o Relevant configs in /etc/rc.conf:

    cloned_interfaces="bridge0 lo1"
    ifconfig_bridge0="up"
    jail_enable="YES"
    jail_list="testjail"

I can share more configs and logs upon request.
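The two TCPv6 symptoms in the report above (no SYN-ACK from the jail, and a SYN-ACK from the master host that the jail never answers) can be told apart mechanically in a packet capture. The following is an added example, not part of the original report: it classifies handshakes in `tcpdump -n` text output, and the addresses and capture lines are constructed.

```python
import re

# Matches TCP-over-IPv6 lines as printed by `tcpdump -n`:
#   <time> IP6 <src>.<port> > <dst>.<port>: Flags [<flags>], ...
LINE = re.compile(r"IP6 (\S+) > (\S+): Flags \[([^\]]+)\]")

def classify_handshakes(lines):
    """Map (client, server) -> how far each TCP handshake got."""
    flows = {}
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue                      # ICMPv6, UDP, non-IPv6 traffic
        src, dst, flags = m.groups()
        syn, ack = "S" in flags, "." in flags
        if syn and not ack:               # SYN (retransmits keep the state)
            flows.setdefault((src, dst), "no SYN-ACK")
        elif syn and ack:                 # SYN-ACK travels server -> client
            if flows.get((dst, src)) == "no SYN-ACK":
                flows[(dst, src)] = "SYN-ACK unanswered"
        elif ack and "R" not in flags:    # client's ACK completes the handshake
            if flows.get((src, dst)) == "SYN-ACK unanswered":
                flows[(src, dst)] = "established"
    return flows

# Constructed capture (documentation prefix 2001:db8::/32):
# ::1 = master host, ::2 = jail, ::99 = another host on the network.
SAMPLE = """\
10:00:00.000001 IP6 2001:db8::1.50001 > 2001:db8::2.22: Flags [S], seq 1000, win 65535, length 0
10:00:03.000001 IP6 2001:db8::1.50001 > 2001:db8::2.22: Flags [S], seq 1000, win 65535, length 0
10:00:05.000001 IP6 2001:db8::2.50002 > 2001:db8::1.22: Flags [S], seq 2000, win 65535, length 0
10:00:05.000090 IP6 2001:db8::1.22 > 2001:db8::2.50002: Flags [S.], seq 3000, ack 2001, win 65535, length 0
10:00:08.000090 IP6 2001:db8::1.22 > 2001:db8::2.50002: Flags [S.], seq 3000, ack 2001, win 65535, length 0
10:00:09.000001 IP6 2001:db8::99.50003 > 2001:db8::2.22: Flags [S], seq 4000, win 65535, length 0
10:00:09.000200 IP6 2001:db8::2.22 > 2001:db8::99.50003: Flags [S.], seq 5000, ack 4001, win 65535, length 0
10:00:09.000400 IP6 2001:db8::99.50003 > 2001:db8::2.22: Flags [.], ack 5001, win 65535, length 0
10:00:10.000001 IP6 2001:db8::1 > 2001:db8::2: ICMP6, echo request, seq 0, length 16
""".splitlines()

if __name__ == "__main__":
    for (client, server), state in classify_handshakes(SAMPLE).items():
        print(f"{client} -> {server}: {state}")
```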
11-RELEASE-p10 should predate 11-STABLE (r318822), so I can understand that this error would be limited to the release version. Am I missing something?
(In reply to Mark Linimon from comment #1) 10.3-RELEASE-p19 predates 11.0-RELEASE and 10.3-RELEASE-p19 works just fine, as I mentioned in the PR.
Unable to reproduce on 13-CURRENT. If this issue persists feel free to reopen this bug.