Opened 4 years ago

Closed 4 years ago

#14405 closed defect (fixed)

firewall reloading spam

Reported by: daniel.petre
Owned by: developers
Priority: normal
Milestone: Chaos Calmer 15.05
Component: packages
Version: Trunk
Keywords: firewall, wan6
Cc:

Description

Hello,
I am using r38633 on a TP-Link WDR3600 and seeing firewall "spam" in the log:

root@wdr:~# logread -f
Fri Nov 1 12:04:07 2013 user.notice firewall: Reloading firewall due to ifup of wan6 ()
Fri Nov 1 12:05:07 2013 user.notice firewall: Reloading firewall due to ifup of wan6 ()
Fri Nov 1 12:06:07 2013 user.notice firewall: Reloading firewall due to ifup of wan6 ()
Fri Nov 1 12:07:07 2013 user.notice firewall: Reloading firewall due to ifup of wan6 ()
Fri Nov 1 12:08:07 2013 user.notice firewall: Reloading firewall due to ifup of wan6 ()
Fri Nov 1 12:09:07 2013 user.notice firewall: Reloading firewall due to ifup of wan6 ()

the only modified config is /etc/config/network:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd5f:9d59:d6cb::/48'

config interface 'lan'
	option ifname 'eth0.1'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth0.2'
	option _orig_ifname 'eth0.2'
	option _orig_bridge 'false'
	option proto 'pppoe'
	option ipv6 '1'
	option username 'USERNAME'
	option password 'PASSWORD'

config interface 'wan6'
	option ifname '@wan'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 2 3 4 5'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 1'

Change History (13)

comment:1 Changed 4 years ago by daniel.petre

root@wdr:~# ip a l dev pppoe-wan
15: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN group default qlen 3
    link/ppp
    inet 79.118.227.124 peer 10.0.0.1/32 scope global pppoe-wan
       valid_lft forever preferred_lft forever
    inet6 2a02:2f0d:b08f:ffff::4f76:e37c/128 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::4f76:e37c/10 scope link
       valid_lft forever preferred_lft forever

root@wdr:~# ip -6 r
2a02:2f0d:b083:8600::/64 dev br-lan proto kernel metric 256
unreachable 2a02:2f0d:b083:8600::/64 dev lo proto static metric 2147483647 error -128
fd5f:9d59:d6cb::/60 dev br-lan proto kernel metric 256
unreachable fd5f:9d59:d6cb::/48 dev lo proto static metric 2147483647 error -128
fe80::/64 dev eth0 proto kernel metric 256
fe80::/64 dev eth0.2 proto kernel metric 256
fe80::/64 dev br-lan proto kernel metric 256
fe80::/10 dev pppoe-wan metric 1
fe80::/10 dev pppoe-wan proto kernel metric 256

comment:2 Changed 4 years ago by Viper <viper0508@…>

Same here, it started at r38504. I reverted the change to firewall.hotplug as a temporary fix, and all seems OK (the firewall reloads under normal conditions).

Fri Nov  1 23:25:12 2013 daemon.notice netifd: Interface 'wan6' is now up
Fri Nov  1 23:25:12 2013 user.notice firewall: Reloading firewall due to ifup of wan6 (pppoe-wan)

comment:3 Changed 4 years ago by aditza

I think I tracked down a partial solution for this, in forum thread https://forum.openwrt.org/viewtopic.php?id=46872

quote:
a temporary hack to block the restart is to add the following just prior to the 'restart_affected "$INTERFACE"' call in /etc/hotplug.d/iface/30-6relay:

[ "$ACTION" != "ifupdate" ] || exit 0

the reason is that up until recently, the hotplug code only ran for ifup/ifdown events and it didn't matter if fw was reset.

the ifupdate event is new and now it matters.

/endquote

This will also partially fix the IPv6 connectivity loss that I've been experiencing with Daniel's trunk builds (wr1043nd user here, using the latest trunk build that he has available on ip6.ro: r38486). Now, instead of permanently losing connectivity and requiring an interface up/down state reset, the connectivity loss is only temporary and happens only every hour, but the connection comes back up.
I still don't know what causes the hourly reset yet, but it's better than having the firewall reset every minute and having the IPv6 connection die after only a few minutes.

EDIT:
I think I tracked down why the hourly IPv6 connection reset happens even if the IPv4 connection remains unaffected: the reason seems to be that my ISP (RCS-RDS) has set the lease time for DHCPv6 address allocations to 60 minutes.
When the lease time is up, ALL the IPv6 connections are reset by the router because, instead of simply renewing the lease, it's bringing the IPv6 connection down and back up immediately. The router gets assigned the same IPv6 address by the ISP's DHCPv6 server, but the IPv6 clients behind the DHCPv6 relay will get a different IPv6 address allocated.

This will break HARD any IPv6 connection that was active on the client computer, and it's impossible to keep long-duration IPv6 connections active. E.g. playing World of Warcraft on an IPv6 connection = I get disconnected every hour; falling back to IPv4 connections is the only solution for me to avoid disconnects at this time.

comment:4 Changed 4 years ago by risa2000

Running r38820 on TL-WR1043ND, I am seeing the same "spam" in logread:

Wed Nov 20 19:28:17 2013 user.notice firewall: Reloading firewall due to ifup of wan6 ()
Wed Nov 20 19:34:14 2013 user.notice firewall: Reloading firewall due to ifup of wan6 ()
Wed Nov 20 19:43:06 2013 user.notice firewall: Reloading firewall due to ifup of wan6 ()
Wed Nov 20 19:47:05 2013 user.notice firewall: Reloading firewall due to ifup of wan6 ()
Wed Nov 20 19:55:45 2013 user.notice firewall: Reloading firewall due to ifup of wan6 ()
Wed Nov 20 20:04:47 2013 user.notice firewall: Reloading firewall due to ifup of wan6 ()
Wed Nov 20 20:11:58 2013 user.notice firewall: Reloading firewall due to ifup of wan6 ()
Wed Nov 20 20:21:42 2013 user.notice firewall: Reloading firewall due to ifup of wan6 ()

It looks like ifup happens when my ISP router sends a router advertisement:

20:21:41.229093 IP6 fe80::207:cbff:aaaa:bbbb > ff02::1: ICMP6, router advertisement, length 104
20:21:41.247263 IP6 fe80::207:cbff:aaaa:bbbb > ff02::1:ff60:4ea5: ICMP6, neighbor solicitation, who has 2a01:e35:xxxx:yyyy:zzzz:4eff:fe60:4ea5, length 32

I suspect it is odhcp6c which registers this advertisement and updates the default gateway for IPv6. But I do not understand (and that might be the problem here) why it triggers an ifup event if the advertised route is always the same?

Having the firewall reloading itself every 7 minutes is not very healthy.

[Note: I receive router advertisements because my ISP (Free in France) provides only a ::/64 subnet to the home network. This means the IPv6 connection is not routed but simply "broadcasted" to the connected nodes (OpenWrt is the one and only node connected to the ISP router). IPv6 connectivity is then "propagated" through OpenWrt to the lan interface by 6relayd.]

comment:5 Changed 4 years ago by anonymous

Same issue with IPv6 (over PPPoE) with OTE, Greece. Firewall reloads every 2 minutes here.

comment:6 Changed 4 years ago by anonymous

Same here on r38896; WAN provider is PPPoE with prefix delegation.

The WAN ISP side has this configured on the virtual-template:

!

ipv6 nd ra interval 900

!

and wan6 on OpenWrt does a quick down/up on every RA:

Mon Nov 25 16:05:49 2013 user.notice firewall: Reloading firewall due to ifup of wan6 ()
Mon Nov 25 16:18:37 2013 user.notice firewall: Reloading firewall due to ifup of wan6 ()
Mon Nov 25 16:33:34 2013 user.notice firewall: Reloading firewall due to ifup of wan6 ()
Mon Nov 25 16:45:58 2013 user.notice firewall: Reloading firewall due to ifup of wan6 ()
Mon Nov 25 16:57:47 2013 user.notice firewall: Reloading firewall due to ifup of wan6 ()
Mon Nov 25 17:09:22 2013 user.notice firewall: Reloading firewall due to ifup of wan6 ()
Mon Nov 25 17:22:40 2013 user.notice firewall: Reloading firewall due to ifup of wan6 ()
Mon Nov 25 17:35:33 2013 user.notice firewall: Reloading firewall due to ifup of wan6 ()
Mon Nov 25 17:49:47 2013 user.notice firewall: Reloading firewall due to ifup of wan6 ()
Mon Nov 25 18:02:27 2013 user.notice firewall: Reloading firewall due to ifup of wan6 ()
Mon Nov 25 18:15:52 2013 user.notice firewall: Reloading firewall due to ifup of wan6 ()
Mon Nov 25 18:27:14 2013 user.notice firewall: Reloading firewall due to ifup of wan6 ()
Mon Nov 25 18:41:46 2013 user.notice firewall: Reloading firewall due to ifup of wan6 ()
Mon Nov 25 18:55:36 2013 user.notice firewall: Reloading firewall due to ifup of wan6 ()
Mon Nov 25 19:10:07 2013 user.notice firewall: Reloading firewall due to ifup of wan6 ()
Mon Nov 25 19:24:53 2013 user.notice firewall: Reloading firewall due to ifup of wan6 ()

comment:7 Changed 4 years ago by anonymous

I have the same issue running r38990:

Wed Dec 4 21:47:33 2013 user.notice firewall: Reloading firewall due to ifup of wan6 ()
Wed Dec 4 21:49:05 2013 user.notice firewall: Reloading firewall due to ifup of wan6 ()
Wed Dec 4 21:50:30 2013 user.notice firewall: Reloading firewall due to ifup of wan6 ()
Wed Dec 4 21:52:19 2013 user.notice firewall: Reloading firewall due to ifup of wan6 ()

comment:8 Changed 4 years ago by anonymous

Same here (OpenWrt Barrier Breaker r38999):

Sat Dec 14 21:57:54 2013 user.notice firewall: Reloading firewall due to ifup of wan6 ()
Sat Dec 14 21:58:54 2013 user.notice firewall: Reloading firewall due to ifup of wan6 ()
Sat Dec 14 21:59:54 2013 user.notice firewall: Reloading firewall due to ifup of wan6 ()
Sat Dec 14 22:00:54 2013 user.notice firewall: Reloading firewall due to ifup of wan6 ()
Sat Dec 14 22:01:54 2013 user.notice firewall: Reloading firewall due to ifup of wan6 ()

comment:9 follow-up: Changed 4 years ago by anonymous

maybe you could NOT reload the firewall if the IP does not change

also when the firewall reloads it will ignore /etc/firewall.user

comment:10 in reply to: ↑ 9 Changed 4 years ago by risa2000

Replying to anonymous:

maybe you could NOT reload the firewall if the IP does not change

also when the firewall reloads it will ignore /etc/firewall.user

The firewall reloads on an ifup event. This is technically correct behavior. The problem is that this event should not be generated for regular router advertisements when the routing does not change.
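
To quantify the reload frequency the comments above describe, here is an added example (not part of the ticket or of OpenWrt's own code) that summarises reload events per interface from logread output. The function names and thresholds are hypothetical, and it assumes all input lines fall within one calendar month.

```shell
#!/bin/sh
# Added example (not from the ticket): per-interface firewall reload statistics
# from logread output in the line format quoted in this ticket.

# The six firewall lines are copied from the ticket description; the netifd
# line is constructed to show that unrelated messages are ignored.
sample_log() {
    cat <<'EOF'
Fri Nov 1 12:04:07 2013 daemon.notice netifd: Interface 'wan6' is now up
Fri Nov 1 12:04:07 2013 user.notice firewall: Reloading firewall due to ifup of wan6 ()
Fri Nov 1 12:05:07 2013 user.notice firewall: Reloading firewall due to ifup of wan6 ()
Fri Nov 1 12:06:07 2013 user.notice firewall: Reloading firewall due to ifup of wan6 ()
Fri Nov 1 12:07:07 2013 user.notice firewall: Reloading firewall due to ifup of wan6 ()
Fri Nov 1 12:08:07 2013 user.notice firewall: Reloading firewall due to ifup of wan6 ()
Fri Nov 1 12:09:07 2013 user.notice firewall: Reloading firewall due to ifup of wan6 ()
EOF
}

# stdin: log lines. stdout: "<iface> <reloads> <min_gap_s> <max_gap_s>".
# Assumption: all lines fall within one calendar month, so each timestamp is
# reduced to seconds since the start of that month.
reload_stats() {
    awk '
    /firewall: Reloading firewall due to ifup of / {
        split($4, t, ":")
        now = $3 * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
        iface = ""
        for (i = 1; i < NF; i++) if ($i == "of") iface = $(i + 1)
        if (iface == "") next
        if (iface in last) {
            gap = now - last[iface]
            if (!(iface in min) || gap < min[iface]) min[iface] = gap
            if (!(iface in max) || gap > max[iface]) max[iface] = gap
        }
        last[iface] = now
        count[iface]++
    }
    END {
        for (k in count)
            print k, count[k], (k in min ? min[k] : "-"), (k in max ? max[k] : "-")
    }'
}

# Print interfaces with at least $1 reloads and no gap longer than $2 seconds.
reload_storms() {
    reload_stats | awk -v n="$1" -v g="$2" \
        '$2 + 0 >= n + 0 && $4 != "-" && $4 + 0 <= g + 0 { print $1 }'
}

sample_log | reload_stats    # prints: wan6 6 60 60
```

On a router, `logread | reload_storms 5 120` would list interfaces whose hotplug events reloaded the firewall at least five times with no more than two minutes between reloads.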

comment:12 Changed 4 years ago by anonymous

This ticket should be closed as fixed thanks to r39332

comment:13 Changed 4 years ago by nbd

  • Resolution set to fixed
  • Status changed from new to closed
