You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
46 lines
1.4 KiB
Markdown
46 lines
1.4 KiB
Markdown
7 years ago
|
---
|
||
|
|
layout: post
|
||
|
|
title: "IPv6 and Netgraph Ethernet pseudo-interface"
|
||
|
|
date: 2017-12-28 12:47:00 +0100
|
||
|
|
comments: true
|
||
|
|
categories:
|
||
|
|
---
|
||
|
|
|
||
|
|
On a NanoBSD firewall, I want to have a separate
|
||
|
|
MAC address on one of the Ethernet interfaces to
|
||
|
|
act as the outer endpoint for IPv6 traffic. This
|
||
|
|
is achieved using a Netgraph eiface:
|
||
|
|
|
||
|
|
```plain /etc/rc.local
|
||
|
|
kldload ng_ether
|
||
|
|
ngctl mkpeer sis0: bridge lower link0
|
||
|
|
ngctl name sis0:lower sis0bridge
|
||
|
|
ngctl connect sis0: sis0bridge: upper link1
|
||
|
|
ngctl mkpeer sis0bridge: eiface link2 ether
|
||
|
|
ngctl msg sis0: setpromisc 1
|
||
|
|
ngctl msg sis0: setautosrc 0
|
||
|
|
|
||
|
|
ifconfig ngeth0 link 06:00:00:00:00:06
|
||
|
|
```
|
||
|
|
|
||
|
|
Note that this does *not* include an ifconfig call to
|
||
|
|
set the interface's IPv6 address: this is done by
|
||
|
|
devd, which calls the boot scripts' ifconfig routine
|
||
|
|
when the interface comes up. Thus I have the following
|
||
|
|
line in /etc/rc.conf:
|
||
|
|
|
||
|
|
```plain /etc/rc.conf
|
||
|
|
ifconfig_ngeth0_ipv6="inet6 fe80::6/64"
|
||
|
|
```
|
||
|
|
|
||
|
|
If instead of this line I have an explicit ifconfig
|
||
|
|
in `/etc/rc.local` then there is a race condition between
|
||
|
|
rc.local and devd. If devd runs last, the boot scripts
|
||
|
|
won't see any IPv6 address configured for the newly
|
||
|
|
created interface in `/etc/rc.conf`, and they will set
|
||
|
|
`ifdisabled` on it (blocking all IPv6 traffic, and marking
|
||
|
|
the configured link local address as "tentative").
|
||
|
|
If devd runs first, the problem is dormant, because setting
|
||
|
|
the link local address clears `ifdisabled` as a side effect.
|
||
|
|
|