I have this strange problem where ICMP6 router advertisement responses are not making it out to their requester.
My OUTPUT chain looks like:

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target          prot   opt in  out         source  destination
49623 4936K accounting      all    *   *   *           ::/0    ::/0
 7941  600K eth0.2_out      all    *   *   eth0.2      ::/0    ::/0
    0     0 6in4-henet_out  all    *   *   6in4-henet  ::/0    ::/0
    0     0 pppoe-wan1_out  all    *   *   pppoe-wan1  ::/0    ::/0
19868 2133K fw2loc          all    *   *   br-lan      ::/0    ::/0
  191 21504 ACCEPT          all    *   *   lo          ::/0    ::/0
21623 2182K Reject          all    *   *   *           ::/0    ::/0
    0     0 LOG             all    *   *   *           ::/0    ::/0    LOG flags 0 level 6 prefix "Shorewall:OUTPUT:REJECT:"
    0     0 reject          all    *   *   *           ::/0    ::/0    [goto]

With my Reject chain looking like:

Chain Reject (6 references)
 pkts bytes target      prot    opt in  out  source  destination
58899 5046K             all     *   *   *    ::/0    ::/0
58215 4980K AllowICMPs  icmpv6  *   *   *    ::/0    ::/0
  684 65424 Broadcast   all     *   *   *    ::/0    ::/0
  684 65424 Multicast   all     *   *   *    ::/0    ::/0
    0     0 DROP        all     *   *   *    ::/0    ::/0    ctstate INVALID
    0     0 reject      udp     *   *   *    ::/0    ::/0    [goto] multiport dports 135,445 /* SMB */
    0     0 reject      udp     *   *   *    ::/0    ::/0    [goto] udp dpts:137:139 /* SMB */
    0     0 reject      udp     *   *   *    ::/0    ::/0    [goto] udp spt:137 dpts:1024:65535 /* SMB */
    0     0 reject      tcp     *   *   *    ::/0    ::/0    [goto] multiport dports 135,139,445 /* SMB */
    0     0 DROP        udp     *   *   *    ::/0    ::/0    udp dpt:1900 /* UPnP */
    0     0 DROP        tcp     *   *   *    ::/0    ::/0    tcp flags:!0x17/0x02
    0     0 DROP        udp     *   *   *    ::/0    ::/0    udp spt:53 /* Late DNS Replies */

and AllowICMPs allowing the RA response:

Chain AllowICMPs (2 references)
 pkts bytes target  prot    opt in  out  source     destination
 9774 1333K ACCEPT  icmpv6  *   *   *    ::/0       ::/0    ipv6-icmptype 1 /* Needed ICMP types (RFC4890) */
    0     0 ACCEPT  icmpv6  *   *   *    ::/0       ::/0    ipv6-icmptype 2 /* Needed ICMP types (RFC4890) */
    0     0 ACCEPT  icmpv6  *   *   *    ::/0       ::/0    ipv6-icmptype 3 /* Needed ICMP types (RFC4890) */
    0     0 ACCEPT  icmpv6  *   *   *    ::/0       ::/0    ipv6-icmptype 4 /* Needed ICMP types (RFC4890) */
  885 49560 ACCEPT  icmpv6  *   *   *    ::/0       ::/0    ipv6-icmptype 133 /* Needed ICMP types (RFC4890) */
 3189  489K ACCEPT  icmpv6  *   *   *    ::/0       ::/0    ipv6-icmptype 134 /* Needed ICMP types (RFC4890) */
32541 2343K ACCEPT  icmpv6  *   *   *    ::/0       ::/0    ipv6-icmptype 135 /* Needed ICMP types (RFC4890) */
13662  890K ACCEPT  icmpv6  *   *   *    ::/0       ::/0    ipv6-icmptype 136 /* Needed ICMP types (RFC4890) */
   87 16272 ACCEPT  icmpv6  *   *   *    ::/0       ::/0    ipv6-icmptype 137 /* Needed ICMP types (RFC4890) */
    0     0 ACCEPT  icmpv6  *   *   *    ::/0       ::/0    ipv6-icmptype 141 /* Needed ICMP types (RFC4890) */
    0     0 ACCEPT  icmpv6  *   *   *    ::/0       ::/0    ipv6-icmptype 142 /* Needed ICMP types (RFC4890) */
  214 15408 ACCEPT  icmpv6  *   *   *    fe80::/10  ::/0    ipv6-icmptype 130 /* Needed ICMP types (RFC4890) */
20521 1478K ACCEPT  icmpv6  *   *   *    fe80::/10  ::/0    ipv6-icmptype 131 /* Needed ICMP types (RFC4890) */
    0     0 ACCEPT  icmpv6  *   *   *    fe80::/10  ::/0    ipv6-icmptype 132 /* Needed ICMP types (RFC4890) */
    0     0 ACCEPT  icmpv6  *   *   *    fe80::/10  ::/0    ipv6-icmptype 143 /* Needed ICMP types (RFC4890) */
    0     0 ACCEPT  icmpv6  *   *   *    ::/0       ::/0    ipv6-icmptype 148 /* Needed ICMP types (RFC4890) */
    0     0 ACCEPT  icmpv6  *   *   *    ::/0       ::/0    ipv6-icmptype 149 /* Needed ICMP types (RFC4890) */
    0     0 ACCEPT  icmpv6  *   *   *    fe80::/10  ::/0    ipv6-icmptype 151 /* Needed ICMP types (RFC4890) */
    0     0 ACCEPT  icmpv6  *   *   *    fe80::/10  ::/0    ipv6-icmptype 152 /* Needed ICMP types (RFC4890) */
    0     0 ACCEPT  icmpv6  *   *   *    fe80::/10  ::/0    ipv6-icmptype 153 /* Needed ICMP types (RFC4890) */

So I have the rules that should be allowing RA requests to be received and responses to be sent, and as you can see, I log everything that is not accepted and there are no logged packets for these RA responses. I can confirm that the RA responses are following that path by sending an RA request using rdisc6 and noticing the pkts count on the RA response rule increment.

Before rdisc6:

 3211  493K ACCEPT  icmpv6  *   *   *    ::/0       ::/0    ipv6-icmptype 134 /* Needed ICMP types (RFC4890) */

After:

 3216  494K ACCEPT  icmpv6  *   *   *    ::/0       ::/0    ipv6-icmptype 134 /* Needed ICMP types (RFC4890) */

According to tcpdump on the router, the RA response never makes it to the interface though:

listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes
19:04:10.395101 IP6 fe80::a2d4:ede6:5587:6a7a > ff02::2: ICMP6, router solicitation, length 8
19:04:14.399220 IP6 fe80::a2d4:ede6:5587:6a7a > ff02::2: ICMP6, router solicitation, length 8
19:04:18.403339 IP6 fe80::a2d4:ede6:5587:6a7a > ff02::2: ICMP6, router solicitation, length 8

But as soon as I stop shorewall6-lite, it all works as expected:

19:05:34.149961 IP6 fe80::a2d4:ede6:5587:6a7a > ff02::2: ICMP6, router solicitation, length 8
19:05:34.159277 IP6 fe80::6eb0:ceff:fef5:1e4a > fe80::a2d4:ede6:5587:6a7a: ICMP6, router advertisement, length 264

With shorewall6-lite started, I can ICMP ping that router's address:

$ ping6 fe80::6eb0:ceff:fef5:1e4a%pc_bridge
PING fe80::6eb0:ceff:fef5:1e4a%pc_bridge(fe80::6eb0:ceff:fef5:1e4a%pc_bridge) 56 data bytes
64 bytes from fe80::6eb0:ceff:fef5:1e4a%pc_bridge: icmp_seq=1 ttl=64 time=0.330 ms
64 bytes from fe80::6eb0:ceff:fef5:1e4a%pc_bridge: icmp_seq=2 ttl=64 time=0.387 ms
^C

from the same host I am doing RA requests from, so there doesn't seem to be any general routing problem that I can think of.

I can't for the life of me figure out where things are going wrong. What other than the above ip6tables could have an effect on whether these ICMP6 packets get sent back out br-lan when shorewall6-lite is running?

Cheers,
b.
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
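The counters in the post show the RA being accepted in filter/OUTPUT and still never reaching br-lan, so the next thing to check is every other table the packet traverses after filter/OUTPUT (mangle/POSTROUTING and nat/POSTROUTING) and before it (raw and mangle OUTPUT). The `ip6tables -L -v -n` listing above only shows the filter table. Below is an added example, not from the original post and not Shorewall's own code, that diffs two `ip6tables-save -c` snapshots taken before and after a solicitation and prints every rule or chain policy, in any table, whose packet counter moved. The two snapshots in the block are constructed sample data: the mangle/POSTROUTING DROP rule in them is hypothetical and is only there to show what a hit outside the filter table looks like; it is not a claim about what is in the poster's ruleset.

```shell
#!/bin/sh
# rule_delta BEFORE AFTER
#   BEFORE and AFTER are the text of two `ip6tables-save -c` runs.
#   Prints "<table>\t<packet delta>\t<rule>" for every rule whose packet
#   counter changed between the two snapshots, plus chain policies
#   (shown as ":CHAIN POLICY (policy)") whose counters changed.
#   Counters are needed, so the snapshots must come from `-c`; rule lines
#   without a leading [pkts:bytes] field are ignored.
rule_delta() {
    {
        printf '%s\n' "$1"
        echo '#---SPLIT---'
        printf '%s\n' "$2"
    } | awk '
        BEGIN { part = 0 }
        # "[pkts:bytes]" -> pkts
        function pkts(field,    c) {
            split(substr(field, 2, length(field) - 2), c, ":")
            return c[1]
        }
        # first pass stores the counter, second pass reports the difference
        function note(tbl, rule, n,    key, d) {
            key = tbl "\t" rule
            if (part == 0) { before[key] = n; return }
            d = n - before[key]
            if (d != 0) printf "%s\t%d\t%s\n", tbl, d, rule
        }
        /^#---SPLIT---$/ { part = 1; next }
        /^\*/            { table = substr($0, 2); next }          # *filter, *mangle, ...
        /^:/             { note(table, $1 " " $2 " (policy)", pkts($3)); next }
        /^\[/            { note(table, substr($0, index($0, "]") + 2), pkts($1)); next }
    '
}

# Live use on the router (needs root; not executed here): snapshot all
# tables, have the client send its router solicitation, snapshot again.
live_delta() {
    before=$(ip6tables-save -c)
    printf 'Send the router solicitation from the client now, then press Enter: ' >&2
    read -r _
    after=$(ip6tables-save -c)
    rule_delta "$before" "$after"
}

# Constructed sample snapshots (not real output from the poster's router).
# The mangle POSTROUTING DROP rule is hypothetical: it illustrates a rule
# that would count the RA after filter/OUTPUT has already accepted it.
snap_before=$(cat <<'EOF'
*filter
:OUTPUT DROP [0:0]
:AllowICMPs - [0:0]
[885:49560] -A AllowICMPs -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT
[3211:493000] -A AllowICMPs -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
COMMIT
*mangle
:POSTROUTING ACCEPT [0:0]
[0:0] -A POSTROUTING -o br-lan -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j DROP
COMMIT
EOF
)

snap_after=$(cat <<'EOF'
*filter
:OUTPUT DROP [0:0]
:AllowICMPs - [0:0]
[885:49560] -A AllowICMPs -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT
[3216:494000] -A AllowICMPs -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
COMMIT
*mangle
:POSTROUTING ACCEPT [0:0]
[5:1320] -A POSTROUTING -o br-lan -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j DROP
COMMIT
EOF
)

# Five solicitations were answered: the filter ACCEPT rule and the
# hypothetical mangle DROP rule both moved by 5.
rule_delta "$snap_before" "$snap_after"
```

With `live_delta` the same five RA packets that moved the filter/OUTPUT ACCEPT counter in the post would also show up against whichever later rule consumed them, if that rule is in netfilter at all. Anything outside the ip6tables tables (bridge-level filtering with ebtables, or a tc qdisc on br-lan) does not appear in these snapshots and has to be checked separately.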