Opened 5 years ago

Closed 5 years ago

#13172 closed defect (no_response)

fw3 ipv6 problems, r36009

Reported by: anonymous
Owned by: developers
Priority: normal
Milestone: Chaos Calmer 15.05
Component: packages
Version: Trunk
Keywords:
Cc:

Description

IPv6 no longer comes up, seeing things such as this:

Mar 14 19:39:06 dexter daemon.warn 6relayd[940]: Failed to relay to ff02::1%br-lan (Operation not permitted)
Mar 14 19:39:18 dexter daemon.err miniupnpd[1806]: sendto(udp_notify=8, [fdaf::1]): Operation not permitted
Mar 14 19:39:18 dexter daemon.err miniupnpd[1806]: sendto(udp_notify=8, [fdaf::1]): Operation not permitted
Mar 14 19:39:18 dexter daemon.err miniupnpd[1806]: sendto(udp_notify=8, [fdaf::1]): Operation not permitted
Mar 14 19:39:18 dexter daemon.err miniupnpd[1806]: sendto(udp_notify=8, [fdaf::1]): Operation not permitted
Mar 14 19:39:18 dexter daemon.err miniupnpd[1806]: sendto(udp_notify=8, [fdaf::1]): Operation not permitted
Mar 14 19:39:18 dexter daemon.err miniupnpd[1806]: sendto(udp_notify=8, [fdaf::1]): Operation not permitted
Mar 14 19:39:18 dexter daemon.err miniupnpd[1806]: sendto(udp_notify=8, [fdaf::1]): Operation not permitted
Mar 14 19:39:18 dexter daemon.err miniupnpd[1806]: sendto(udp_notify=8, [fdaf::1]): Operation not permitted
Mar 14 19:39:48 dexter daemon.err miniupnpd[1806]: sendto(udp_notify=8, [fdaf::1]): Operation not permitted

IPv6 was working fine with my previous build, some 10-20 revisions ago.

Attachments (1)

firewall (2.5 KB) - added by anonymous 5 years ago.

Change History (11)

comment:1 Changed 5 years ago by jow

Attach /etc/config/firewall and the output of ip6tables-save as well as "fw3 -6 print"

Changed 5 years ago by anonymous

firewall

comment:2 Changed 5 years ago by anonymous

No configuration files were touched in the upgrade. Below is the output:

root@dexter:~# ip6tables-save
# Generated by ip6tables-save v1.4.18 on Thu Mar 14 20:20:06 2013
*raw
:PREROUTING ACCEPT [1482:338947]
:OUTPUT ACCEPT [811:380754]
COMMIT
# Completed on Thu Mar 14 20:20:06 2013
# Generated by ip6tables-save v1.4.18 on Thu Mar 14 20:20:06 2013
*mangle
:PREROUTING ACCEPT [1482:338947]
:INPUT ACCEPT [148:12590]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [811:380754]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Thu Mar 14 20:20:06 2013
# Generated by ip6tables-save v1.4.18 on Thu Mar 14 20:20:06 2013
*filter
:INPUT DROP [148:12590]
:FORWARD DROP [0:0]
:OUTPUT DROP [811:380754]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
COMMIT
# Completed on Thu Mar 14 20:20:06 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:delegate_input - [0:0]
:delegate_output - [0:0]
:delegate_forward - [0:0]
:reject - [0:0]
:input_rule - [0:0]
:output_rule - [0:0]
:forwarding_rule - [0:0]
:syn_flood - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_dest_REJECT - [0:0]
:input_lan_rule - [0:0]
:output_lan_rule - [0:0]
:forwarding_lan_rule - [0:0]
-A zone_lan_input -m comment --comment "user chain for lan input" -j input_lan_rule
-A zone_lan_output -m comment --comment "user chain for lan output" -j output_lan_rule
-A zone_lan_forward -m comment --comment "user chain for lan forwarding" -j forwarding_lan_rule
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_src_DROP - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_dest_DROP - [0:0]
:input_wan_rule - [0:0]
:output_wan_rule - [0:0]
:forwarding_wan_rule - [0:0]
-A zone_wan_input -m comment --comment "user chain for wan input" -j input_wan_rule
-A zone_wan_output -m comment --comment "user chain for wan output" -j output_wan_rule
-A zone_wan_forward -m comment --comment "user chain for wan forwarding" -j forwarding_wan_rule
-A INPUT -j delegate_input
-A OUTPUT -j delegate_output
-A FORWARD -j delegate_forward
-A delegate_input -i lo -j ACCEPT
-A delegate_output -o lo -j ACCEPT
-A delegate_input -m comment --comment "user chain for input" -j input_rule
-A delegate_output -m comment --comment "user chain for output" -j output_rule
-A delegate_forward -m comment --comment "user chain for forwarding" -j forwarding_rule
-A delegate_input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A syn_flood -p tcp --syn -m limit --limit 25/second --limit-burst 50 -j RETURN
-A syn_flood -j DROP
-A delegate_input -p tcp --syn -j syn_flood
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with port-unreach
-A zone_wan_input -p 17 -s fe80::/10 -d fe80::/10 --sport 547 --dport 546 -m comment --comment "Allow-DHCPv6" -j ACCEPT
-A zone_wan_input -p 58 --icmpv6-type 128 -m limit --limit 1000/second -m comment --comment "Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p 58 --icmpv6-type 129 -m limit --limit 1000/second -m comment --comment "Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p 58 --icmpv6-type 1 -m limit --limit 1000/second -m comment --comment "Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p 58 --icmpv6-type 2 -m limit --limit 1000/second -m comment --comment "Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p 58 --icmpv6-type 3 -m limit --limit 1000/second -m comment --comment "Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p 58 --icmpv6-type 4/0 -m limit --limit 1000/second -m comment --comment "Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p 58 --icmpv6-type 4/1 -m limit --limit 1000/second -m comment --comment "Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p 58 --icmpv6-type 133 -m limit --limit 1000/second -m comment --comment "Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p 58 --icmpv6-type 135 -m limit --limit 1000/second -m comment --comment "Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p 58 --icmpv6-type 134 -m limit --limit 1000/second -m comment --comment "Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p 58 --icmpv6-type 136 -m limit --limit 1000/second -m comment --comment "Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_forward -p 58 --icmpv6-type 128 -m limit --limit 1000/second -m comment --comment "Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p 58 --icmpv6-type 129 -m limit --limit 1000/second -m comment --comment "Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p 58 --icmpv6-type 1 -m limit --limit 1000/second -m comment --comment "Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p 58 --icmpv6-type 2 -m limit --limit 1000/second -m comment --comment "Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p 58 --icmpv6-type 3 -m limit --limit 1000/second -m comment --comment "Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p 58 --icmpv6-type 4/0 -m limit --limit 1000/second -m comment --comment "Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p 58 --icmpv6-type 4/1 -m limit --limit 1000/second -m comment --comment "Allow-ICMPv6-Forward" -j ACCEPT
-A delegate_forward -p all -s fc00::/7 -m comment --comment "Enforce-ULA-Border-Src" -j zone_wan_dest_REJECT
-A delegate_forward -p all -d fc00::/7 -m comment --comment "Enforce-ULA-Border-Dest" -j zone_wan_dest_REJECT
-A zone_lan_forward -m comment --comment "forwarding lan->wan" -j zone_wan_dest_ACCEPT
-A zone_lan_input -j zone_lan_src_ACCEPT
-A zone_lan_forward -j zone_lan_dest_REJECT
-A zone_lan_output -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -j ACCEPT
-A zone_lan_dest_ACCEPT -o br-lan -j ACCEPT
-A zone_lan_dest_REJECT -o br-lan -j reject
-A delegate_input -i br-lan -j zone_lan_input
-A delegate_forward -i br-lan -j zone_lan_forward
-A delegate_output -o br-lan -j zone_lan_output
-A zone_wan_input -j zone_wan_src_DROP
-A zone_wan_forward -j zone_wan_dest_DROP
-A zone_wan_output -j zone_wan_dest_ACCEPT
-A zone_wan_dest_ACCEPT -o pppoe-wan -j ACCEPT
-A zone_wan_dest_REJECT -o pppoe-wan -j reject
-A zone_wan_src_DROP -i pppoe-wan -j DROP
-A zone_wan_dest_DROP -o pppoe-wan -j DROP
-A delegate_input -i pppoe-wan -j zone_wan_input
-A delegate_forward -i pppoe-wan -j zone_wan_forward
-A delegate_output -o pppoe-wan -j zone_wan_output
-A zone_wan_dest_ACCEPT -o pppoe-wan -j ACCEPT
-A zone_wan_dest_REJECT -o pppoe-wan -j reject
-A zone_wan_src_DROP -i pppoe-wan -j DROP
-A zone_wan_dest_DROP -o pppoe-wan -j DROP
-A delegate_input -i pppoe-wan -j zone_wan_input
-A delegate_forward -i pppoe-wan -j zone_wan_forward
-A delegate_output -o pppoe-wan -j zone_wan_output
-A zone_wan_dest_ACCEPT -o eth0.2 -j ACCEPT
-A zone_wan_dest_REJECT -o eth0.2 -j reject
-A zone_wan_src_DROP -i eth0.2 -j DROP
-A zone_wan_dest_DROP -o eth0.2 -j DROP
-A delegate_input -i eth0.2 -j zone_wan_input
-A delegate_forward -i eth0.2 -j zone_wan_forward
-A delegate_output -o eth0.2 -j zone_wan_output
COMMIT
*mangle
:mssfix - [0:0]
-A FORWARD -j mssfix
-A mssfix -o pppoe-wan -p tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
-A mssfix -o pppoe-wan -p tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
-A mssfix -o eth0.2 -p tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
*raw
:notrack - [0:0]
-A PREROUTING -j notrack
COMMIT
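
An added example, not part of the ticket or of fw3: a small parser for ip6tables-save text that reports built-in chains whose policy is DROP while their section holds no rules for them. That is the state of the filter table in the first dump in comment:2, and it is consistent with the `sendto(...): Operation not permitted` log lines, since a packet dropped in OUTPUT is reported to the sending process as EPERM. The sample input is constructed and abbreviated from that dump; the function names are hypothetical.

```python
import re

# Constructed sample, abbreviated from the shape of the first dump in comment:2.
SAMPLE = """\
# Generated by ip6tables-save
*mangle
:PREROUTING ACCEPT [1482:338947]
:OUTPUT ACCEPT [811:380754]
COMMIT
*filter
:INPUT DROP [148:12590]
:FORWARD DROP [0:0]
:OUTPUT DROP [811:380754]
:input_rule - [0:0]
:output_rule - [0:0]
COMMIT
"""

CHAIN_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]$")

def parse_save(text):
    """Split save-format text into one dict per '*table ... COMMIT' section.

    Sections are kept separate so that two dumps pasted back to back
    (each with its own *filter) do not overwrite one another.
    """
    sections, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("*"):
            cur = {"table": line[1:], "chains": {}, "rules": {}}
            sections.append(cur)
        elif line == "COMMIT":
            cur = None
        elif cur is None or not line or line.startswith("#"):
            continue
        elif line.startswith("-A "):
            cur["rules"].setdefault(line.split()[1], []).append(line)
        else:
            m = CHAIN_RE.match(line)
            if m:  # ":NAME POLICY [packets:bytes]"; user chains have policy "-"
                cur["chains"][m.group(1)] = (m.group(2), int(m.group(3)))
    return sections

def empty_drop_chains(sections):
    """Built-in chains with policy DROP and no rules: every packet is dropped."""
    return [(s["table"], chain, pkts)
            for s in sections
            for chain, (policy, pkts) in s["chains"].items()
            if policy == "DROP" and not s["rules"].get(chain)]

if __name__ == "__main__":
    for table, chain, pkts in empty_drop_chains(parse_save(SAMPLE)):
        print(f"{table}/{chain}: policy DROP, no rules, {pkts} packets hit the policy")
```

A non-zero packet count on a flagged OUTPUT chain means locally generated traffic has already been dropped by the policy.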

comment:3 Changed 5 years ago by jow

What's shown by "fw3 -6 print | ip6tables-restore"?

comment:4 Changed 5 years ago by anonymous

Not sure that pipe works as expected

root@dexter:~# fw3 -6 print | ip6tables-restore
Warning: Unable to locate ipset utility, disabling ipset support
root@dexter:~#

comment:5 Changed 5 years ago by anonymous

During the night it seems my ISP reset my pppoe session, and about 1 hour after reconnecting the session, IPv6 came up by itself. I wouldn't really know how to explain this.

Type: pppoe
Address: a.b.c.d
Netmask: 255.255.255.255
Gateway: a.b.c.d
DNS 1: a.b.c.d
DNS 2: a.b.c.d
Connected: 12h 22m 56s
Address: 2a02:xxx:xxx:x:88b2:c1xx:xx16:xxac/64
Gateway: FE80:0:0:0:xxx:xxFF:FExx:xxxx
DNS 1: 2a02:x:x::200
DNS 2: 2a02:x:x::100
Connected: 11h 20m 39s

comment:6 Changed 5 years ago by anonymous

In addition to the previous post, there is no more "Operation not permitted" spam in the logs.

comment:7 Changed 5 years ago by anonymous

After a manual reboot this morning, IPv6 comes up on boot.
It seems the problems occurred only on the first boot after flashing. So the issue might be something else.

Sorry if I've wasted your time.

comment:8 Changed 5 years ago by anonymous

For reference, the machine is ar71xx/TP-Link TL-WDR4300.

comment:9 Changed 5 years ago by nbd

Please try the latest version.

comment:10 Changed 5 years ago by nbd

  • Resolution set to no_response
  • Status changed from new to closed
