Opened 6 years ago

Closed 6 years ago

Last modified 4 years ago

#10265 closed defect (fixed)

Updated from trunk 28519 to 28530, now getting ip6tables errors from firewall.

Reported by: andrewsi@…
Owned by: developers
Priority: high
Milestone: Barrier Breaker 14.07
Component: packages
Version: Trunk
Keywords: firewall ipv6
Cc:

Description

So I did an in-place sysupgrade between these builds, and my system log is now full of:

ip6tables v1.4.10: can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.

/etc/config/firewall contents, which did not change between builds (IPv6 address redacted for privacy):

config 'rule'
        option 'src' 'wan'
        option 'proto' '41'
        option 'target' 'ACCEPT'
        option 'family' 'ipv4'

config 'rule'
        option 'src' 'wan'
        option 'proto' 'udp'
        option 'dest_port' '68'
        option 'target' 'ACCEPT'
        option 'family' 'ipv4'

config 'rule'
        option 'target' 'ACCEPT'
        option 'src' 'wan'
        option 'proto' 'tcp'
        option '_name' 'SSH (random port)'
        option 'dest_port' '10010'

config 'rule'
        option 'src' 'wan'
        option 'proto' 'icmp'
        option 'icmp_type' 'echo-request'
        option 'target' 'ACCEPT'
        option 'family' 'ipv4'

config 'rule'
        option 'target' 'ACCEPT'
        option '_name' 'HTTP'
        option 'src' 'wan'
        option 'dest' 'lan'
        option 'proto' 'tcp'
        option 'dest_ip' '2001:470:xxx:xxx::xxx'
        option 'dest_port' '80'
        option 'family' 'ipv6'

config 'rule'
        option 'target' 'ACCEPT'
        option '_name' 'HTTPS'
        option 'src' 'wan'
        option 'dest' 'lan'
        option 'proto' 'tcp'
        option 'dest_ip' '2001:470:xxx:xxx::xxx'
        option 'dest_port' '443'
        option 'family' 'ipv6'

config 'rule'
        option 'target' 'ACCEPT'
        option '_name' 'RDP'
        option 'src' 'wan'
        option 'dest' 'lan'
        option 'proto' 'tcp'
        option 'dest_ip' '2001:470:xxx:xxx::xxx'
        option 'dest_port' '3389'
        option 'family' 'ipv6'

config 'rule'
        option 'target' 'ACCEPT'
        option '_name' 'PPTP'
        option 'src' 'wan'
        option 'dest' 'lan'
        option 'proto' 'tcp'
        option 'dest_ip' '2001:470:xxx:xxx::xxx'
        option 'dest_port' '1723'
        option 'family' 'ipv6'

config 'rule'
        option 'target' 'ACCEPT'
        option '_name' 'PPTP-GRE'
        option 'src' 'wan'
        option 'dest' 'lan'
        option 'proto' '47'
        option 'dest_ip' '2001:470:xxx:xxx::xxx'
        option 'family' 'ipv6'

config 'rule'
        option 'target' 'ACCEPT'
        option 'src' 'wan'
        option 'dest' 'lan'
        option 'proto' 'icmp'
        option 'icmp_type' 'echo-request'
        option 'family' 'ipv6'
        option '_name' 'Ping front door'
        option 'dest_ip' '2001:470:xxx:xxx::xxx'

config 'defaults'
        option 'syn_flood' '1'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'
        option 'drop_invalid' '1'

config 'zone'
        option 'name' 'lan'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'network' 'lan'
        option 'forward' 'REJECT'

config 'zone'
        option 'name' 'wan'
        option 'input' 'REJECT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'
        option 'masq' '1'
        option 'mtu_fix' '1'
        option 'network' 'HENET wan'

config 'redirect'
        option '_name' 'HTTP'
        option 'src' 'wan'
        option 'proto' 'tcp'
        option 'src_dport' '80'
        option 'dest_ip' '192.168.1.101'
        option 'target' 'DNAT'
        option 'dest' 'lan'

config 'redirect'
        option '_name' 'HTTPS'
        option 'src' 'wan'
        option 'proto' 'tcp'
        option 'src_dport' '443'
        option 'dest_ip' '192.168.1.101'
        option 'target' 'DNAT'
        option 'dest' 'lan'

config 'redirect'
        option '_name' 'RDP'
        option 'src' 'wan'
        option 'proto' 'tcp'
        option 'src_dport' '3389'
        option 'dest_ip' '192.168.1.101'
        option 'target' 'DNAT'
        option 'dest' 'lan'

config 'redirect'
        option '_name' 'PPTP'
        option 'src' 'wan'
        option 'proto' 'tcp'
        option 'src_dport' '1723'
        option 'dest_ip' '192.168.1.101'
        option 'target' 'DNAT'
        option 'dest' 'lan'

config 'redirect'
        option 'src' 'wan'
        option 'proto' 'tcp'
        option 'src_dport' '1723'
        option 'dest_ip' '192.168.1.101'
        option 'target' 'DNAT'
        option 'dest' 'lan'

config 'redirect'
        option '_name' 'PPTP-GRE'
        option 'src' 'wan'
        option 'proto' '47'
        option 'dest_ip' '192.168.1.101'
        option 'target' 'DNAT'
        option 'dest' 'lan'

config 'rule'
        option 'src' 'wan'
        option 'dest' '*'
        option 'proto' 'icmp'
        list 'icmp_type' 'echo-request'
        list 'icmp_type' 'destination-unreachable'
        list 'icmp_type' 'packet-too-big'
        list 'icmp_type' 'time-exceeded'
        list 'icmp_type' 'bad-header'
        list 'icmp_type' 'unknown-header-type'
        list 'icmp_type' 'router-solicitation'
        list 'icmp_type' 'neighbour-solicitation'
        option 'limit' '1000/sec'
        option 'family' 'ipv6'
        option 'target' 'ACCEPT'

config 'include'
        option 'path' '/etc/firewall.user'

config 'forwarding'
        option 'dest' 'wan'
        option 'src' 'lan'

config 'redirect'
        option '_name' 'Xbox'
        option 'src' 'wan'
        option 'proto' 'tcpudp'
        option 'src_dport' '3074'
        option 'dest_ip' '192.168.1.6'
        option 'target' 'DNAT'
        option 'dest' 'lan'

Attachments (0)

Change History (3)

comment:1 Changed 6 years ago by andrewsi@…

I should mention this is a WNDR3700v1, ar71xx build.

comment:2 Changed 6 years ago by jow

  • Resolution set to fixed
  • Status changed from new to closed

The error is uncritical. ip6tables -t nat requests are now filtered; fix added in r28535 and r28536.

comment:3 Changed 4 years ago by jow

  • Milestone changed from Attitude Adjustment 12.09 to Barrier Breaker 14.07

Milestone Attitude Adjustment 12.09 deleted
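
An added example, not part of the ticket or of OpenWrt's firewall code: a small Python audit that parses a UCI firewall file and lists the sections that generate nat-table rules (redirects, and zones with masq enabled) whose family is not limited to ipv4. It assumes, as the error message and comment:2 suggest but the ticket does not spell out, that such sections are what reached ip6tables -t nat; the sample config and the function names are constructed for illustration.

```python
import re

# Constructed sample in UCI syntax, modelled on the ticket's sections.
SAMPLE = """
config 'zone'
        option 'name' 'wan'
        option 'masq' '1'
config 'redirect'
        option '_name' 'HTTP'
        option 'target' 'DNAT'
config 'redirect'
        option '_name' 'Xbox'
        option 'target' 'DNAT'
        option 'family' 'ipv4'
config 'rule'
        option '_name' 'HTTPS'
        option 'family' 'ipv6'
"""

LINE = re.compile(r"^\s*(config|option|list)\s+'?([^'\s]+)'?(?:\s+'?(.*?)'?)?\s*$")

def parse_uci(text):
    """Parse UCI text into a list of (section_type, options) pairs."""
    sections = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # blank lines and comments
        kind, name, value = m.groups()
        if kind == "config":
            sections.append((name, {}))
        elif sections and kind == "list":
            sections[-1][1].setdefault(name, []).append(value)
        elif sections:
            sections[-1][1][name] = value
    return sections

def nat_sections_not_ipv4(sections):
    """Hypothetical check: nat-table sections not restricted to IPv4."""
    found = []
    for stype, opts in sections:
        uses_nat = stype == "redirect" or (stype == "zone" and opts.get("masq") == "1")
        if uses_nat and opts.get("family") != "ipv4":
            found.append((stype, opts.get("_name") or opts.get("name") or "(unnamed)"))
    return found

if __name__ == "__main__":
    for stype, label in nat_sections_not_ipv4(parse_uci(SAMPLE)):
        print(f"{stype} '{label}': nat-table rules, family not limited to ipv4")
```

The output is a list of candidates to review against the log, not a list of required changes: restricting a zone's family also changes how that zone filters IPv6 traffic.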
