On 13-12-24 08:46 AM, Stuart Henderson wrote:
> Is there any chance you receive (and try to reply to) packets with
> bogus source addresses (spoofed/non-reachable, or packets which should
> have been natted but weren't)? I would also keep an eye on output of
> 'route -n monitor' and look for instability there (e.g. RTM_MISS
> messages).
There should be absolutely nothing happening routing-wise on my
nameservers. They each have a single interface (one has em0, one has
vio0), and a common carp0 on top of that. They have one default IPv4
route and one default IPv6 route.
I do see the occasional RTM_ADD relating to (I think) ARP and/or NDP
activity, but that's it so far... I'll leave it running.
It's certainly possible my routers could pass on spoofed packets; the
nameservers sit directly behind my border routers. (uRPF isn't really
an option for BGP routers with multiple sessions...)
There's one NAT'd private address space in use, but the routers have
static routes for it to bypass the NAT function, and in any event that
wouldn't generate an EHOSTUNREACH.
Oh, for !@#$!@#%!%!!!!. I just found the problem.
My IPv6 default route was missing. Looks like I added it manually, but
forgot to add it to /etc/mygate. Of course, I then rebooted at some
point in the last few weeks...
My original complaint stands: if the error message had contained the
failing destination address, I would have noticed my error almost
immediately (since presumably all the failures were for
globally-routeable IPv6 addresses).
Sorry for all the noise :-(
--
-Adam Thompson
[email protected]
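The failure described above (a default route added by hand with `route add`, never written to /etc/mygate, and therefore gone after the next reboot) is cheap to catch before the reboot. The script below is an added example, not code from the thread or from OpenBSD: it compares the gateways listed in /etc/mygate with the `default` rows of `route -n show -inet` and `route -n show -inet6` and reports, per address family, a live default route that is not in mygate (will be lost on reboot), a mygate entry with no matching live route, or no default route at all. It assumes the stock formats: one gateway per line in /etc/mygate, `#` comments, an optional `%iface` scope on link-local IPv6 gateways, and a `default` row per family in `route show` output. The routing-table and mygate samples embedded below are constructed to mirror the pre-reboot situation in the thread.

```python
"""Cross-check /etc/mygate against the live default routes on OpenBSD.

Added example for the thread above, not part of any original post.
Assumed formats: one gateway address per line in /etc/mygate ('#'
comments, blank lines, optional '%iface' scope on link-local IPv6
gateways) and a 'default' row in `route -n show -inet` / `-inet6`.
"""
import ipaddress
import subprocess

# Constructed sample data (not real hosts): an IPv6 default route that
# was added by hand and is live, but was never written to /etc/mygate.
SAMPLE_MYGATE = """\
# default gateways
192.0.2.1
"""

SAMPLE_ROUTE_INET = """\
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            192.0.2.1          UGS        4   123456     -     8 em0
192.0.2.0/24       192.0.2.10         UCn        1        0     -     4 em0
"""

SAMPLE_ROUTE_INET6 = """\
Routing tables

Internet6:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            2001:db8:ffff::1   UGS        2    98765     -     8 em0
2001:db8:1::/64    link#1             UC         0        0     -     4 em0
"""


def _strip_scope(addr):
    """Drop a '%iface' zone id so 'fe80::1%em0' compares equal to 'fe80::1'."""
    return addr.split("%", 1)[0]


def parse_mygate(text):
    """Return {4: set, 6: set} of gateway addresses configured in /etc/mygate."""
    gws = {4: set(), 6: set()}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # comments and blank lines
        if not line:
            continue
        addr = _strip_scope(line)
        try:
            fam = ipaddress.ip_address(addr).version
        except ValueError:
            continue                           # skip anything that is not an address
        gws[fam].add(addr)
    return gws


def parse_default_routes(route_output):
    """Return the set of gateways of 'default' rows in `route -n show` output."""
    gws = set()
    for line in route_output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "default":
            gws.add(_strip_scope(fields[1]))
    return gws


def check(mygate_text, route_inet, route_inet6):
    """Compare configured and live default gateways; return a list of findings."""
    configured = parse_mygate(mygate_text)
    live = {4: parse_default_routes(route_inet), 6: parse_default_routes(route_inet6)}
    findings = []
    for fam in (4, 6):
        for gw in sorted(live[fam] - configured[fam]):
            findings.append(f"IPv{fam}: default via {gw} is active but not in /etc/mygate (lost on reboot)")
        for gw in sorted(configured[fam] - live[fam]):
            findings.append(f"IPv{fam}: /etc/mygate lists {gw} but no such default route is active")
        if not live[fam] and not configured[fam]:
            findings.append(f"IPv{fam}: no default route is active and none is listed in /etc/mygate")
    return findings


def main():
    """Run the check against the real system (OpenBSD only)."""
    with open("/etc/mygate") as fh:
        mygate = fh.read()
    run = lambda fam: subprocess.run(["route", "-n", "show", fam],
                                     capture_output=True, text=True, check=True).stdout
    for line in check(mygate, run("-inet"), run("-inet6")) or ["ok: /etc/mygate matches the live default routes"]:
        print(line)


if __name__ == "__main__":
    main()
```

Running it on the sample data reports the IPv6 default route as active but absent from /etc/mygate; after a reboot the same host would instead be reported as having no IPv6 default route at all, which is the state that produced the EHOSTUNREACH errors in the thread.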