jail sshd ipv6 error
Ørjan Tønder
2017-04-26 06:32:31 UTC
Apr 26 08:12:04 irssi sshd[41415]: error: Bind to port 22 on
2001:dead:beef:0:dacb:8aff:feea:9 failed: Can't assign requested address.
Apr 26 08:12:04 irssi sshd[41415]: fatal: Cannot bind any address.

This is solved by

net.inet6.ip6.dad_count: 1 -> 0

What am I actually disabling here?

And why is sshd inside jails not able to bind an address when dad_count is
enabled?
James Gritton
2017-04-26 15:11:27 UTC
Post by Ørjan Tønder
> Apr 26 08:12:04 irssi sshd[41415]: error: Bind to port 22 on
> 2001:dead:beef:0:dacb:8aff:feea:9 failed: Can't assign requested address.
> Apr 26 08:12:04 irssi sshd[41415]: fatal: Cannot bind any address.
>
> This is solved by
>
> net.inet6.ip6.dad_count: 1 -> 0
>
> What am I actually disabling here?
>
> And why is sshd inside jails not able to bind an address when dad_count is
> enabled?

There's some kind of clash between IPv6 neighbor discovery and jails,
which is so far only worked around and not fixed. I'm not sure of the
mechanics of it since I'm IPv6-less myself, but setting dad_count to
zero makes sense as it would let an address be immediately configured
without waiting for some kind of external confirmation. It seems this
is really geared toward dynamic addresses, which jails seldom have (if
they do, they're likely using vnet).

In particular, what you're disabling is the sending out of a neighbor
solicitation message that makes sure no one else is using the address
you're setting. So if you know your configuration is correct there
should be no worries.

- Jamie
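
An added example, not part of the original thread: a check of an address's DAD state, so a start script can tell whether the address is still being probed before sshd tries to bind it. It relies on FreeBSD's ifconfig marking an address `tentative` while DAD runs and `duplicated` when DAD finds a conflict; the sample output, the interface name `em0` and the `IFCONFIG_CMD` override are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ifconfig em0 inet6` output, taken just after the
# addresses were added (not output from the thread).
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet6 fe80::dacb:8aff:feea:1%em0 prefixlen 64 scopeid 0x1
        inet6 2001:dead:beef:0:dacb:8aff:feea:9 prefixlen 64 tentative
        inet6 2001:dead:beef:0:dacb:8aff:feea:a prefixlen 64 duplicated
        inet6 2001:dead:beef:0:dacb:8aff:feea:b prefixlen 64'

# addr_state ADDR: read ifconfig output on stdin and print one of
# ready | tentative | duplicated | missing.
# The comparison is textual, so ADDR must be spelled the way ifconfig prints it.
addr_state() {
    awk -v want="$1" '
        $1 == "inet6" {
            addr = $2; sub(/%.*/, "", addr)   # drop the %scope suffix
            if (addr != want) next
            state = "ready"
            for (i = 3; i <= NF; i++)
                if ($i == "tentative" || $i == "duplicated") state = $i
            found = 1; print state; exit
        }
        END { if (!found) print "missing" }'
}

# wait_for_dad IFACE ADDR [TRIES]: poll once a second until ADDR is ready.
# Returns 0 when ready, 1 if still tentative after TRIES polls, and 2 if the
# address is duplicated or not configured (waiting will not help).
# IFCONFIG_CMD is a hypothetical override for running against captured output.
wait_for_dad() {
    tries=${3:-5}
    while [ "$tries" -gt 0 ]; do
        state=$(${IFCONFIG_CMD:-ifconfig} "$1" inet6 | addr_state "$2")
        case $state in
            ready) return 0 ;;
            duplicated|missing) echo "$2 on $1: $state" >&2; return 2 ;;
        esac
        tries=$((tries - 1)); sleep 1
    done
    echo "$2 on $1: still tentative" >&2; return 1
}
```

A `duplicated` result is the case the neighbor solicitation exists to catch: another host already answers for that address, which is what goes unnoticed with `dad_count` set to 0.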
