From e2a0c11383f8c19c97dbd1467df96cef98f6d127 Mon Sep 17 00:00:00 2001 From: Thomas Quinot Date: Thu, 28 Dec 2017 13:06:12 +0100 Subject: [PATCH] New article on ngeth --- ...etgraph-ethernet-pseudo-interface.markdown | 45 +++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 source/_posts/2017-12-28-ipv6-and-netgraph-ethernet-pseudo-interface.markdown diff --git a/source/_posts/2017-12-28-ipv6-and-netgraph-ethernet-pseudo-interface.markdown b/source/_posts/2017-12-28-ipv6-and-netgraph-ethernet-pseudo-interface.markdown new file mode 100644 index 0000000..09ea104 --- /dev/null +++ b/source/_posts/2017-12-28-ipv6-and-netgraph-ethernet-pseudo-interface.markdown 
@@ -0,0 +1,45 @@ +--- +layout: post +title: "IPv6 and Netgraph Ethernet pseudo-interface" +date: 2017-12-28 12:47:00 +0100 +comments: true +categories: +--- + +On a NanoBSD firewall, I want to have a separate +MAC address on one of the Ethernet interfaces to +act as the outer endpoint for IPv6 traffic. This +is achieved using a Netgraph eiface: + +```plain /etc/rc.local +kldload ng_ether +ngctl mkpeer sis0: bridge lower link0 +ngctl name sis0:lower sis0bridge +ngctl connect sis0: sis0bridge: upper link1 +ngctl mkpeer sis0bridge: eiface link2 ether +ngctl msg sis0: setpromisc 1 +ngctl msg sis0: setautosrc 0 + +ifconfig ngeth0 link 06:00:00:00:00:06 +``` + +Note that this does *not* include an ifconfig call to +set the interface's IPv6 address: this is done by +devd, which calls the boot scripts' ifconfig routine +when the interface comes up. Thus I have the following +line in /etc/rc.conf: + +```plain /etc/rc.conf +ifconfig_ngeth0_ipv6="inet6 fe80::6/64" +``` + +If instead of this line I have an explicit ifconfig +in `/etc/rc.local` then there is a race condition between +rc.local and devd. If devd runs last, the boot scripts +won't see any IPv6 address configured for the newly +created interface in `/etc/rc.conf`, and they will set +`ifdisabled` on it (blocking all IPv6 traffic, and marking +the configured link local address as "tentative"). +If devd runs first, the problem is dormant, because setting +the link local address clears `ifdisabled` as a side effect. +
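Review bot: the `/etc/rc.local` block runs `ngctl msg sis0: setpromisc 1` and `setautosrc 0` without saying why, and since this is a firewall, the post never notes that the new `ngeth0` interface must be covered by the firewall ruleset. Suggest one sentence after the code block explaining that promiscuous mode is needed so `sis0` passes frames for the eiface's separate MAC up to the bridge node, and that `setautosrc 0` keeps the bridge from rewriting the source address of frames leaving via `sis0`; and one sentence reminding the reader that `ngeth0` is the interface exposed to the outside for IPv6 and needs its own pass/block rules. Minor: the front matter has an empty `categories:` line; either fill it or drop it.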