
Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#13649 closed defect (fixed)

firewall3: ICMPv6 types are no longer recognized

Reported by: anonymous
Owned by: developers
Priority: response-needed
Milestone: Attitude Adjustment 12.09.1
Component: packages
Version: Attitude Adjustment 12.09
Keywords: firewall3 ip6tables iptables ipv6 icmpv6
Cc:

Description

The firewall3 package doesn't seem to support the specific ICMPv6 type options that worked in the old firewall. Is this a bug in the new package or is there a new uci syntax? I didn't see any details in the wiki.

Here's the default icmpv6 uci that worked with the old firewall:

config rule
        option name 'ICMPv6 input'
        option src 'wan6'
        option proto 'icmp'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '10/sec'
        option family 'ipv6'
        option target 'ACCEPT'

Debugging output of fw3 restart with the parse error:

   * Rule 'ICMPv6 input'
parse_option(): unknown option '--icmpv6-type'
parse_option(): unknown option '--icmpv6-type'
parse_option(): unknown option '--icmpv6-type'
parse_option(): unknown option '--icmpv6-type'
parse_option(): unknown option '--icmpv6-type'
parse_option(): unknown option '--icmpv6-type'
parse_option(): unknown option '--icmpv6-type'
parse_option(): unknown option '--icmpv6-type'
parse_option(): unknown option '--icmpv6-type'

Actual iptables rules that were generated:

# ip6tables-save|grep zone_wan6_input|grep icmp
-A zone_wan6_input -p ipv6-icmp -m limit --limit 10/sec -m comment --comment "ICMPv6 input" -j ACCEPT 
-A zone_wan6_input -p ipv6-icmp -m limit --limit 10/sec -m comment --comment "ICMPv6 input" -j ACCEPT 
-A zone_wan6_input -p ipv6-icmp -m limit --limit 10/sec -m comment --comment "ICMPv6 input" -j ACCEPT 
-A zone_wan6_input -p ipv6-icmp -m limit --limit 10/sec -m comment --comment "ICMPv6 input" -j ACCEPT 
-A zone_wan6_input -p ipv6-icmp -m limit --limit 10/sec -m comment --comment "ICMPv6 input" -j ACCEPT 
-A zone_wan6_input -p ipv6-icmp -m limit --limit 10/sec -m comment --comment "ICMPv6 input" -j ACCEPT 
-A zone_wan6_input -p ipv6-icmp -m limit --limit 10/sec -m comment --comment "ICMPv6 input" -j ACCEPT 
-A zone_wan6_input -p ipv6-icmp -m limit --limit 10/sec -m comment --comment "ICMPv6 input" -j ACCEPT 
-A zone_wan6_input -p ipv6-icmp -m limit --limit 10/sec -m comment --comment "ICMPv6 input" -j ACCEPT 
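A check for the symptom shown above, added here as an example and not part of the ticket or of firewall3: it reads ip6tables-save output and counts ACCEPT rules for ipv6-icmp that carry no --icmpv6-type match, which is exactly what the miscompiled build emitted (every icmp_type entry collapsed into a rate-limited accept-all). The sample rule sets are constructed; the function and variable names are assumptions.

```shell
#!/bin/sh
# Added check (not from the ticket or firewall3): spot ICMPv6 ACCEPT rules that
# lost their --icmpv6-type match, the symptom in the ticket's ip6tables-save output.

# Constructed sample reproducing the broken build: every icmp_type entry became a
# bare "-p ipv6-icmp ... -j ACCEPT" rule, so all ICMPv6 is accepted (rate-limited).
SAMPLE_BROKEN='-A zone_wan6_input -p ipv6-icmp -m limit --limit 10/sec -m comment --comment "ICMPv6 input" -j ACCEPT
-A zone_wan6_input -p ipv6-icmp -m limit --limit 10/sec -m comment --comment "ICMPv6 input" -j ACCEPT
-A zone_wan6_input -p udp -m udp --sport 547 --dport 546 -j ACCEPT'

# Constructed sample of what the rules should look like once types are honoured
# (numeric types 1 and 2 here; ip6tables also accepts the symbolic names).
SAMPLE_FIXED='-A zone_wan6_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 10/sec -j ACCEPT
-A zone_wan6_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 10/sec -j ACCEPT'

# Print the ACCEPT rules for ipv6-icmp on stdin that carry no --icmpv6-type match.
# "|| true" keeps the pipeline's exit status 0 when nothing matches (grep exits 1).
untyped_icmpv6_accept_rules() {
    grep -E -e '-p (ipv6-icmp|icmpv6)' | grep -e '-j ACCEPT' | grep -v -e '--icmpv6-type' || true
}

# Count those rules; 0 means every ICMPv6 accept is restricted to a type.
untyped_icmpv6_accepts() {
    untyped_icmpv6_accept_rules | wc -l | tr -d ' \t'
}

# Run against the live ruleset (needs root); returns non-zero when untyped
# accepts exist, so it can gate a post-"fw3 restart" sanity check.
check_live_ip6tables() {
    n=$(ip6tables-save 2>/dev/null | untyped_icmpv6_accepts)
    echo "untyped ICMPv6 ACCEPT rules: $n"
    [ "$n" -eq 0 ]
}

# Demonstration on the constructed broken sample: prints 2.
printf '%s\n' "$SAMPLE_BROKEN" | untyped_icmpv6_accepts
```

The same filter can be pointed at a saved ruleset file (for example `untyped_icmpv6_accept_rules < rules.v6`) to list the offending lines instead of only counting them.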

Attachments (0)

Change History (7)

comment:1 Changed 5 years ago by jow

  • Priority changed from high to response-needed

This is a miscompilation, looks like your firewall3 (libext6.a from ip(6)tables actually) lacks support for ICMPv6 matches. Clean iptables, firewall, run defconfig and rebuild everything, report back the results.

comment:2 Changed 5 years ago by jow

Also ensure that ip6tables is enabled in the config and that CONFIG_IPV6 is set.

comment:3 Changed 5 years ago by anonymous

I've confirmed that with defconfig and ensured that all relevant ip6tables are compiled correctly. This is what I see after firewall3 has booted up with the above icmpv6 rules:

Chain zone_wan6_input (2 references)
 pkts bytes target     prot opt in     out     source               destination
    8   576 input_wan6_rule  all      *      *       ::/0                 ::/0                /* user chain for input */
    0     0 ACCEPT     udp      *      *       fe80::/10            fe80::/10           udp spt:547 dpt:546 /* DHCPv6 */
    8   576 ACCEPT     icmpv6    *      *       ::/0                 ::/0                limit: avg 10/sec burst 5 /* ICMPv6 input */
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                limit: avg 10/sec burst 5 /* ICMPv6 input */
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                limit: avg 10/sec burst 5 /* ICMPv6 input */
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                limit: avg 10/sec burst 5 /* ICMPv6 input */
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                limit: avg 10/sec burst 5 /* ICMPv6 input */
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                limit: avg 10/sec burst 5 /* ICMPv6 input */
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                limit: avg 10/sec burst 5 /* ICMPv6 input */
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                limit: avg 10/sec burst 5 /* ICMPv6 input */
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                limit: avg 10/sec burst 5 /* ICMPv6 input */
    0     0 zone_wan6_src_DROP  all      *      *       ::/0                 ::/0

I can confirm that the ip6tables command supports icmpv6-type correctly, because I can manually add icmpv6-type rules without any errors:

# ip6tables -t filter -I zone_wan6_input 2 -p ipv6-icmp --icmpv6-type 2 -j ACCEPT

Output from ip6tables, with my new icmpv6-type 2 added manually on line 2:

Chain zone_wan6_input (2 references)
 pkts bytes target     prot opt in     out     source               destination
   18  1296 input_wan6_rule  all      *      *       ::/0                 ::/0                /* user chain for input */
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                ipv6-icmp type 2
    0     0 ACCEPT     udp      *      *       fe80::/10            fe80::/10           udp spt:547 dpt:546 /* DHCPv6 */
   18  1296 ACCEPT     icmpv6    *      *       ::/0                 ::/0                limit: avg 10/sec burst 5 /* ICMPv6 input */
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                limit: avg 10/sec burst 5 /* ICMPv6 input */
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                limit: avg 10/sec burst 5 /* ICMPv6 input */
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                limit: avg 10/sec burst 5 /* ICMPv6 input */
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                limit: avg 10/sec burst 5 /* ICMPv6 input */
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                limit: avg 10/sec burst 5 /* ICMPv6 input */
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                limit: avg 10/sec burst 5 /* ICMPv6 input */
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                limit: avg 10/sec burst 5 /* ICMPv6 input */
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                limit: avg 10/sec burst 5 /* ICMPv6 input */
    0     0 zone_wan6_src_DROP  all      *      *       ::/0                 ::/0

So I think this is a parsing error in the firewall3 module, not an incomplete compilation. Let me know if I can troubleshoot further or if I can provide you with more data.

comment:4 Changed 5 years ago by anonymous

FYI, I'm using build r36842 where firewall3 has been transferred into the default "firewall" package.

comment:5 Changed 5 years ago by anonymous

I think r35898 needs to be backported to AA. I manually added Cyrus' changes from there into AA, created a new build, and firewall3 was able to parse and build rules with the proper icmpv6-type.

Can you review and backport the changes if they are applicable? Sorry for bugging you with firewall3 issues these few days.

comment:6 Changed 5 years ago by jow

  • Resolution set to fixed
  • Status changed from new to closed

Thank you for the hint, I was indeed able to reproduce it when building kmod-ip6tables and ip6tables as <M>. I backported the required change in r36853.

comment:7 Changed 5 years ago by anonymous

Thanks for responding quickly to this.
