Bug #7145
closedrc.newwanipv6 running in all cases, even for a renew
0%
Description
dhcp6c calls its script for every action, a new binding or a renew and so on. The problem is that rc.newwanipv6 is run even when nothing changed. For example, the address didn't get removed or changed, it just renews the lease and keeps on going. In this case, the interface wasn't altered at all and the actions it takes can be quite harsh/disruptive.
We may not be able to do anything about this yet since dhcp6c does not pass back the type of action it performed. It always sets REASON=NBI in the environment so the script can't tell what exactly happened. rc.newwanipv6 does check the old address vs the new, but it still does things like reset the routing and resets the monitor IP address routing.
It also appears to be triggered twice for each event. I added a "source" parameter to the dhcp6c_wan_script.sh:
Jan 19 10:22:04 clara php-fpm[298]: /rc.newwanipv6: rc.newwanipv6: Info: starting on vmx0, called by dhcp6c. Jan 19 10:22:04 clara php-fpm[298]: /rc.newwanipv6: rc.newwanipv6: on (IP address: 2001:db8::ffff:f236) (interface: wan) (real interface: vmx0). Jan 19 10:22:07 clara php-fpm[298]: /rc.newwanipv6: ROUTING: setting default route to 198.51.100.1 Jan 19 10:22:07 clara php-fpm[298]: /rc.newwanipv6: ROUTING: setting IPv6 default route to fe80::290:bff:fe37:a324%vmx0 Jan 19 10:22:07 clara php-fpm[298]: /rc.newwanipv6: Removing static route for monitor fe80::290:bff:fe37:a324 and adding a new route through fe80::290:bff:fe37:a324%vmx0 Jan 19 10:22:07 clara check_reload_status: Reloading filter Jan 19 10:22:07 clara php-fpm[299]: /rc.newwanipv6: rc.newwanipv6: Info: starting on vmx0, called by dhcp6c. Jan 19 10:22:07 clara php-fpm[299]: /rc.newwanipv6: rc.newwanipv6: on (IP address: 2001:db8::ffff:f236) (interface: wan) (real interface: vmx0). Jan 19 10:22:10 clara php-fpm[299]: /rc.newwanipv6: ROUTING: setting default route to 198.51.100.1 Jan 19 10:22:10 clara php-fpm[299]: /rc.newwanipv6: ROUTING: setting IPv6 default route to fe80::290:bff:fe37:a324%vmx0 Jan 19 10:22:10 clara php-fpm[299]: /rc.newwanipv6: Removing static route for monitor fe80::290:bff:fe37:a324 and adding a new route through fe80::290:bff:fe37:a324%vmx0 Jan 19 10:22:10 clara check_reload_status: Reloading filter
Feel free to kick this forward to 2.4.1 if there is no immediately viable solution
Files
Updated by Martin Wasley almost 8 years ago
I can have a look at dhcp6c, easy enough to add something. What do you want it do do, set an env stating what triggered the script?
Updated by Jim Pingle almost 8 years ago
It would probably be good enough if dhcp6c properly populated REASON with what actually happened. If it's a simple renew, then the script can detect that and do nothing. If it's a new binding or something else then it can take appropriate actions. The IPv4 equivalent gets to make a lot of decisions based on the REASON passed in from the client environment: https://github.com/pfsense/pfsense/blob/master/src/usr/local/sbin/pfSense-dhclient-script#L304
Updated by Martin Wasley almost 8 years ago
Try this...
These are pulled from the reply state, and are what is displayed in dhcp6c logs, well mine at least. The last dhcp6c patch never made it through. See if it does what you need.
REASON=INF Info
REASON=REP reply
REASON=REN Renew
REASON=REB Rebind
REASON=OFR Offer
REASON=REL Release
REASON=NBI Unkownm
Reply should be a response to a request and I think info is the response to a renew. I have never seen rebind happen so who knows about that one. :)
Updated by Jim Pingle almost 8 years ago
Got a source patch for that? If I do manage to try it, I am not keen on running binaries from outside sources.
Updated by Martin Wasley almost 8 years ago
- File patch-dhcp6c__script.c patch-dhcp6c__script.c added
Yes, attached..
As dhcp6c only calls the script function when the above reply states happen you don't get quite as many possible responses as you do with its v4 counterpart. I've kept it simple by using the existing fixed length static char variable reason[] used for the original REASON=NBI, that can be changed easily enough if you want it to be a full word rather than just three letters.
Would it be useful to pass the obtained lease(s) as a parameter too?
The binary doesn't do anything untoward... promise. :)
Updated by Martin Wasley almost 8 years ago
- File patch-dhcp6c.c patch-dhcp6c.c added
Use this too, just makes the logging a little tidier. If this is implemented then the dhcp6withoutRA PR I have currently submitted can be binned as I can then take advantage of these changes.
I can get rid of all the ctrl logging junk as well, but obviously that will not be able to be pushed upstream.
Updated by Martin Wasley almost 8 years ago
This is cool... it works nicely. I'm still messing around with it but I've changed the strings to full reply words such as 'REPLY' 'RELEASE' etc and modified the dhcp6c script to use the response and it's good. It will need you to decide what you want to do with RELEASE etc if that comes in. I assume the script is called for REPLY or REBIND and skipped for INFO or RENEW?
My dhcp6c_wan_dhcp6withoutra_script.sh Not sure what to do with the RELEASE so just call the script I guess.
#!/bin/sh
#This shell script launches rtsold.
dmips=${new_domain_name_servers}
dmnames=${new_domain_name}
dreason=${REASON}
echo $dmips > /tmp/igb0_domain_name_servers
echo $dmnames > /tmp/igb0_new_domain_name
echo $dreason > /tmp/igb0_reason
case $REASON in
REPLY|REBIND)
/usr/sbin/rtsold -1 -p /var/run/rtsold_igb0.pid -O /var/etc/rtsold_igb0_script.sh igb0
;;
RELEASE)
/usr/local/sbin/fcgicli -f /etc/rc.newwanipv6 -d "interface=igb0&dmnames=${dmnames}&dmips=${dmips}"
;;
RENEW|INFO)
/usr/bin/logger -t Info "dhcp6c renew, no change - bypassing update on igb0"
esac
Updated by Martin Wasley almost 8 years ago
Also added an EXIT as when the No-release flag it's useful to know that dhcp has exited. Would it be be useful to have it so that if it's sent a release to signal only that, and not the EXIT signal too? Otherwise it will issue a RELEASE and an EXIT.
Updated by Martin Wasley almost 8 years ago
OK, before I do a PR upstream for this, there is one issue left. This only applied in the default mode not dhcp6withoutRA. When releasing, if the EXIT is used to trigger the script dhcp6c_wan_script.sh there is an issue as that file has been deleted before dhcp6c has exited. The dhcp6c_wan_dhcp6withoutra_script.sh is not deleted, I suspect because I have not cleaned up that file during release. If the exit parameter is used then that needs changing. Also on a WAN down event, dhcp6c sits there sending release signals for about 30 seconds but cannot as the interface has been taken down. The only way around this is a forced exit kill -9 and that means no EXIT script run.
- STOP PRESS ***
Added new signal to dhcp6c, SIGUSR1, sending this signal will cause dhcp6c to cleanly exit even if wan interface is down. Sets the no-release internally and then exits normally..
Updated by Martin Wasley over 7 years ago
- File patch-common.c patch-common.c added
- File patch-config.h patch-config.h added
- File patch-dhcp6c.c patch-dhcp6c.c added
- File patch-dhcp6c__script.c patch-dhcp6c__script.c added
Additions and changes to dhcp6c
Updated by Martin Wasley over 7 years ago
- File patch-common.c patch-common.c added
- File patch-config.h patch-config.h added
- File patch-dhcp6c.c patch-dhcp6c.c added
- File patch-dhcp6c__script.c patch-dhcp6c__script.c added
Final version. Changed static chars to pointers for exit script call. As it's possible to have multiple interfaces on dhcp6c with multiple scripts ( not used ) I have used the first interface configured ( script-path ) as the script to be called on exit, thus getting rid of an earlier version that used a static char array.
Sorry there are so many updates but as soon as I've posted one lot I get another idea which is better. This should be it though.
Updated by Martin Wasley over 7 years ago
PR Pushed upstream as fix needed for dhcp6c PID issue - Redmine #7185.
Updated by Øyvind Hvidsten over 7 years ago
Having issues with this in 2.3.3
Every 30 minutes, my IPv6 address is refreshed, causing rc.newwanipv6 to fire on all cylinders, which in turn restarts unbound, which makes DNS lookups for internal addresses get relayed to external DNS servers for a split second, which then makes lookups for those addresses fail, as the external server has never heard of the internal names.
I've tested this by resolving an internal address (static DHCP assignment) with nslookup every 0.5 seconds, and at the exact time unbound restarts, I get:
Name: vault.mydomain.org
Address: 192.168.5.92
Wed Mar 15 19:20:26 UTC 2017
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: vault.mydomain.org
Address: 192.168.5.92
Wed Mar 15 19:20:26 UTC 2017
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: vault.mydomain.org
Address: 192.168.5.92
Wed Mar 15 19:20:27 UTC 2017
Server: 193.213.112.4
Address: 193.213.112.4#53
-- server can't find vault: NXDOMAIN
..and any cronjob or other thing attempting to resolve that address at that point in time will fail.
This loop was run on pfSense itself, so one can see all the previous replies coming from 127.0.0.1
Updated by Martin Wasley over 7 years ago
This is fixed in 2.4. DHCP6C client modified to give REASONS and only call the update script when needed.
Updated by Jim Pingle over 7 years ago
- Status changed from New to Feedback
- Affected Architecture All added
- Affected Architecture deleted (
)
Updated by Jim Pingle over 7 years ago
- Status changed from Feedback to Resolved
This seems to behave much better now. On a DHCPv6 VM, before these changes I had a never-ending stream of rc.newwanipv6 calls happening for any event even a simple renew, and now it only happens when it's supposed to.
Updated by Rodrigo Ferraz about 7 years ago
Are there any plans to have this fixed with a 2.3.* release?
I'm having the same problem (https://forum.pfsense.org/index.php?topic=136181.msg745462#msg745462) which is impacting user browsing on several of our customers who had purchased ALIX appliances.
Since 2.4 has dropped i386 and nanobsd support we and our customers who started rolling IPv6 in production are fundamentally doomed.
Updated by Jim Pingle about 7 years ago
Given the scope of the changes and what had to be done, it's unlikely to make it to 2.3.x.