Opened 5 years ago

Closed 5 years ago

#13141 closed defect (fixed)

firewall3: ipv6 connectivity broken with "add support for per-zone user chains"

Reported by: hnyman <hannu.nyman@…>
Owned by: jow
Priority: normal
Milestone: Chaos Calmer 15.05
Component: base system
Version: Trunk
Keywords: firewall firewall3
Cc: hannu.nyman@…

Description

I built new r35903, but I seem to have lost ipv6 connectivity from the LAN clients. The router gets an ipv6 address and the sixxs 6in4 tunnel seems to work, but my PC does not form ipv6 connections and no route is found. I had normal connectivity with 35899, so it is something new :-(

After reverting back to 35899 with the same config, ipv6 connectivity came back.

Possibly a firewall problem, as all traffic from LAN ends up in "reject".
4 pings from PC to ipv6.google.com:

Chain delegate_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 DROP       all      any    any     anywhere             anywhere             ctstate INVALID
    4   320 zone_lan_forward  all      br-lan any     anywhere             anywhere
    0     0 zone_wan_forward  all      eth1   any     anywhere             anywhere
    6   312 zone_wan_forward  all      6in4-sixxs any     anywhere             anywhere
    4   320 reject     all      any    any     anywhere             anywhere

...

Chain zone_lan_dest_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 reject     all      any    br-lan  anywhere             anywhere

...

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    4   320 zone_lan_dest_REJECT  all      any    any     anywhere             anywhere

...

Chain reject (6 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp      any    any     anywhere             anywhere             reject-with tcp-reset
    4   320 REJECT     all      any    any     anywhere             anywhere             reject-with icmp6-port-unreachable

C:\Users\xxx>ping -6 ipv6.google.com

Pinging ipv6.l.google.com [2a00:1450:4010:c03::63] with 32 bytes of data:
Destination port unreachable.
Destination port unreachable.
Destination port unreachable.
Destination port unreachable.

Ping statistics for 2a00:1450:4010:c03::63:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

In order to debug things, I tested building r35903 without the last check-in in firewall3. And ipv6 works again...

http://nbd.name/gitweb.cgi?p=firewall3.git;a=shortlog
Building from 865ddfd7df6a49f9346207cc105fc4f57da529c7 keeps things working, but building from b2b2e69b19a20a46f3db6d717a899248fa24628c ("add support for per-zone user chains") breaks things.

Attachments (5)

35903broken_ip6tables.txt (9.5 KB) - added by hnyman <hannu.nyman@…> 5 years ago.
35903works_ip6tables.txt (10.2 KB) - added by hnyman <hannu.nyman@…> 5 years ago.
fw3_6_print_works.txt (5.8 KB) - added by hnyman <hannu.nyman@…> 5 years ago.
fw3_6_print_broken.txt (6.4 KB) - added by hnyman <hannu.nyman@…> 5 years ago.
ip6tables-restore.txt (1.1 KB) - added by hnyman <hannu.nyman@…> 5 years ago.


Change History (14)

Changed 5 years ago by hnyman <hannu.nyman@…>

Changed 5 years ago by hnyman <hannu.nyman@…>

comment:1 Changed 5 years ago by hnyman <hannu.nyman@…>

I compared the working and broken firmwares' "ip6tables -L -v" output (uploaded to the ticket). The working version, built from 865ddfd7df6a49f9346207cc105fc4f57da529c7, has six rules that are missing from the broken version.

The rules missing from the broken firmware are:

delegate_forward: forwarding_rule, zone_wan_dest_REJECT, zone_wan_dest_REJECT
delegate_input: input_rule
delegate_output: output_rule
zone_lan_forward: zone_wan_dest
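
The comparison made by hand above can be scripted: parse two "ip6tables -L -v" listings, strip the packet and byte counters (which differ between boots), and report every rule of the reference build that the candidate build lacks. This is an added example, not part of the ticket or of firewall3; the two listings are constructed excerpts that reuse the chain names from the ticket and are not the attached files.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpts of "ip6tables -L -v" output, modelled on the chain
# names in this ticket (not the attached 35903*_ip6tables.txt files).
WORKING = """\
Chain delegate_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 DROP       all      any    any     anywhere             anywhere             ctstate INVALID
    0     0 forwarding_rule  all      any    any     anywhere             anywhere             /* user chain for forwarding */
   12  1040 zone_lan_forward  all      br-lan any     anywhere             anywhere
    0     0 zone_wan_forward  all      eth1   any     anywhere             anywhere
    0     0 reject     all      any    any     anywhere             anywhere

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
   12  1040 zone_wan_dest_ACCEPT  all      any    any     anywhere             anywhere             /* forwarding lan->wan */
    0     0 zone_lan_dest_REJECT  all      any    any     anywhere             anywhere
"""

BROKEN = """\
Chain delegate_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 DROP       all      any    any     anywhere             anywhere             ctstate INVALID
    4   320 zone_lan_forward  all      br-lan any     anywhere             anywhere
    0     0 zone_wan_forward  all      eth1   any     anywhere             anywhere
    4   320 reject     all      any    any     anywhere             anywhere

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    4   320 zone_lan_dest_REJECT  all      any    any     anywhere             anywhere
"""

# Matches both "Chain X (N references)" and "Chain INPUT (policy ACCEPT ...)".
CHAIN_RE = re.compile(r"^Chain (\S+)")


def parse_listing(text):
    """Return {chain: [rule signature, ...]} in listing order.

    The pkts/bytes counters are dropped and whitespace is normalised, so two
    listings taken from different boots compare equal when the rules are the same.
    """
    chains = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            continue
        fields = line.split()
        if not fields or fields[0] == "pkts" or current is None:
            continue  # blank line or the column header
        chains[current].append(" ".join(fields[2:]))
    return chains


def missing_rules(reference, candidate):
    """Rules present in `reference` but absent from `candidate`, as (chain, rule)
    tuples. Multiplicity is respected, so a rule listed twice in the reference
    and once in the candidate is reported once."""
    ref = parse_listing(reference)
    cand = parse_listing(candidate)
    missing = []
    for chain, rules in ref.items():
        have = Counter(cand.get(chain, []))
        for rule in rules:
            if have[rule] > 0:
                have[rule] -= 1
            else:
                missing.append((chain, rule))
    return missing


if __name__ == "__main__":
    for chain, rule in missing_rules(WORKING, BROKEN):
        print(f"{chain}: {rule}")
```

Run it against the two saved listings (`missing_rules(open(a).read(), open(b).read())`) to get the per-chain list of dropped rules; running it the other way round shows rules the new build added. Because the comment match is rendered as `/* ... */` in `-L -v` output, a rule whose comment changed shows up as one missing and one added rule rather than silently matching.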

comment:2 Changed 5 years ago by jow

That does not look related to the firewall changes. To me it looks like the ip6tables comment match is broken or not installed.

comment:3 Changed 5 years ago by jow

Attach the output of "fw3 -6 print" too, please. You can also try to pipe it to ip6tables-restore while you're at it - see if it complains.

Changed 5 years ago by hnyman <hannu.nyman@…>

Changed 5 years ago by hnyman <hannu.nyman@…>

Changed 5 years ago by hnyman <hannu.nyman@…>

comment:4 Changed 5 years ago by hnyman <hannu.nyman@…>

Flashed back to the broken version :-(
and tested those commands...

6 extra lines are in the broken one:
-A zone_lan_input -j input_lan_rule -m comment --comment "user chain for lan input"
-A zone_lan_output -j output_lan_rule -m comment --comment "user chain for lan output"
-A zone_lan_forward -j forwarding_lan_rule -m comment --comment "user chain for lan
-A zone_wan_input -j input_wan_rule -m comment --comment "user chain for wan input"
-A zone_wan_output -j output_wan_rule -m comment --comment "user chain for wan output"
-A zone_wan_forward -j forwarding_wan_rule -m comment --comment "user chain for wan forwarding"

and these 3 lines have comments, which probably breaks things:
-A delegate_input -j input_rule -m comment --comment "user chain for input"
-A delegate_output -j output_rule -m comment --comment "user chain for output"
-A delegate_forward -j forwarding_rule -m comment --comment "user chain for forwarding"

The working version has those lines simply as:
-A delegate_input -j input_rule
-A delegate_output -j output_rule
-A delegate_forward -j forwarding_rule

comment:5 Changed 5 years ago by jow

  • Owner changed from developers to jow
  • Status changed from new to accepted

Reverted it for now, will look into it tomorrow or the day after.

comment:6 Changed 5 years ago by hnyman <hannu.nyman@…>

I noticed that there are comments also on the working version, but the jump target is placed after the comment in the ip6tables command.

-A zone_lan_forward -m comment --comment "forwarding lan->wan" -j zone_wan_dest_ACCEPT

On the failing/broken version, -j is before the comment on those 9 differing/failing lines:

-A zone_lan_input -j input_lan_rule -m comment --comment "user chain for lan input"

So this might just be an ip6tables command-formatting error in that now-reverted change. Changing the order of the items might fix things.
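
The ordering check suggested above, as an added example that is not part of the ticket or of firewall3: it takes rules in the `fw3 -6 print` / iptables-save syntax, flags any rule whose `-j`/`-g` target precedes a `-m` match module, and rewrites it so every match clause comes first and the target last, which is the order the working build emitted. The sample rules are constructed from the lines quoted in this ticket (the `zone_wan_dest_REJECT` line with `--reject-with` is invented to show target options being carried along); tokens containing whitespace are re-quoted with double quotes because iptables-restore parses double-quoted arguments, not the single quotes `shlex.join` would produce.

```python
import re
import shlex

# Constructed sample rules in iptables-save / "fw3 print" syntax, modelled on
# the lines quoted in this ticket; they are not the attached fw3 output.
SAMPLE_RULES = [
    '-A zone_lan_input -j input_lan_rule -m comment --comment "user chain for lan input"',
    '-A zone_lan_forward -m comment --comment "forwarding lan->wan" -j zone_wan_dest_ACCEPT',
    '-A delegate_input -j input_rule',
    '-A zone_wan_dest_REJECT -o eth1 -p tcp -j REJECT --reject-with tcp-reset -m comment --comment "reject wan"',
]

CLAUSE_START = {"-m", "--match", "-j", "--jump", "-g", "--goto"}
TARGET_FLAGS = {"-j", "--jump", "-g", "--goto"}


def split_clauses(rule):
    """Split a rule into its leading tokens (chain, interfaces, protocol, ...)
    and a list of clauses. Each clause starts with -m/-j/-g and carries that
    module's or target's own options up to the next clause keyword, so
    `--comment "..."` stays with `-m comment` and `--reject-with` with `-j REJECT`."""
    head, clauses, current = [], [], None
    for tok in shlex.split(rule):
        if tok in CLAUSE_START:
            current = [tok]
            clauses.append(current)
        elif current is None:
            head.append(tok)
        else:
            current.append(tok)
    return head, clauses


def target_before_match(rule):
    """True when a -j/-g target appears before a -m match module, the
    ordering observed on the nine failing lines in this ticket."""
    seen_target = False
    for clause in split_clauses(rule)[1]:
        if clause[0] in TARGET_FLAGS:
            seen_target = True
        elif seen_target:
            return True
    return False


def quote(tok):
    """Quote a token for iptables-restore, which understands double quotes
    only (shlex.join would emit single quotes, so it is not used)."""
    if tok == "" or re.search(r"\s", tok):
        return '"' + tok.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return tok


def reorder_target_last(rule):
    """Rewrite the rule so every match module precedes the target, the
    ordering the working build used (-m comment ... -j target).
    Rules that are already in that order come back unchanged."""
    head, clauses = split_clauses(rule)
    matches = [c for c in clauses if c[0] not in TARGET_FLAGS]
    targets = [c for c in clauses if c[0] in TARGET_FLAGS]
    tokens = head + [tok for clause in matches + targets for tok in clause]
    return " ".join(quote(tok) for tok in tokens)


def lint_rules(rules):
    """Return (original, rewritten) pairs for every mis-ordered rule."""
    return [(r, reorder_target_last(r)) for r in rules if target_before_match(r)]


if __name__ == "__main__":
    for original, fixed in lint_rules(SAMPLE_RULES):
        print(f"- {original}\n+ {fixed}")
```

Feeding the saved `fw3 -6 print` output through `lint_rules` lists exactly the lines that need attention, and the rewritten form can be piped to `ip6tables-restore --test` to confirm it loads before touching the live ruleset. The clause splitter keys on whole tokens, so a comment whose entire text is `-m` or `-j` would confuse it; that is the one input it does not handle.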

comment:7 Changed 5 years ago by jow

Please try r35969

comment:8 Changed 5 years ago by hnyman <hannu.nyman@…>

Seems to work ok.

comment:9 Changed 5 years ago by jow

  • Resolution set to fixed
  • Status changed from accepted to closed
