nix/ssh-tunnel: Prevent IPv6 address generation #508
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This is a regression with kernel versions 4.5 or later which causes a SSH tunnel to drop packets within the receiving end of the OpenSSH server loop, more exactly: They don't get reinserted into the tun device after being received via the encrypted stream. A strace of two ICMPv4 packets coming in (FD 3 is the encrypted socket): read(3, "Mp-\v[\t\300"..., 16384) = 124 select(14, [3 5 8], [], NULL, NULL) = 1 (in [3]) read(3, "jm\17t\222"..., 16384) = 124 select(14, [3 5 8], [], NULL, NULL) = 1 (in [3]) I haven't found the exact culprit on why OpenSSH doesn't send the packet back into the tun device, but after countless hours of debugging and doing a bisect against the kernel, I found that the commit which causes the regression is torvalds/linux@cc9da6c. The bug has already been reported upstream at: https://bugzilla.kernel.org/show_bug.cgi?id=121131 While the final fix for this issue is still not clear on the kernel front, we can do our own part to mitigate this: We don't use IPv6 for SSH tunnels anyway, so we can safely disable IPv6 address autogeneration for them. I've switched to iproute instead of nettools because it allows for more fine-grained control (setting addrgenmode with ifconfing is not possible AFAIK). Also, I've linked the commands via && instead of using semicolons to ensure that we get a unit failure if one of the commands along the chain should fail. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
|
@aszlig I fail to see the correlation between ipv6 adress generation and |
|
@domenkozar: See the commit message for a detailed explanation. The tunnel device gets an IPv4 address assigned and also implicitly an IPv6 address since kernel 4.5, which causes a mismatch in the packet length for the user space process (in this case OpenSSH). |
aszlig
added a commit
to openlab-aux/vuizvui
that referenced
this pull request
Oct 27, 2016
This includes a small patch coming from NixOS/nixops#508 for fixing peer-to-peer tunneling for kernel versions >= 4.5. In addition, I'm patching out the Python sqlite3 module as this also doesn't exist anymore since NixOS/nixpkgs@bee4392. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
|
@edolstra Could you look at this PR? |
aszlig
added a commit
to openlab-aux/vuizvui
that referenced
this pull request
Apr 19, 2017
We can now safely drop the patch for NixOS/nixops#508, because it has long been applied to master and also partially reverted as well in NixOS/nixops@4bbceb2. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This should fix
encryptedLinksTofor kernels with version 4.5 and later. I've tested this in production but currently I can't testtests.functional.test_encrypted_links, because I don't have (nor use) VirtualBox anymore.So to anybody who's running VirtualBox, can you please run the following command in the checked out source tree of this branch and report success/failure back here?
Thanks a lot. Reviews are also welcome of course :-)
Cc: @rbvermaa