Opened 7 years ago

Closed 7 years ago

#9170 closed defect (fixed)

Luci or openwrt scripts must use icmpv6 for IPv6

Reported by: luizluca@…
Owned by: jow
Priority: response-needed
Milestone: Backfire 10.03.1
Component: luci
Version: Trunk
Keywords: firewall
Cc:

Description

Hello,

I created a simple rule to accept any icmp for IPv6

config 'rule'
        option 'target' 'ACCEPT'
        option '_name' 'ICMPv6'
        option 'src' 'wan'
        option 'dest' 'lan'
        option 'family' 'ipv6'
        option 'proto' 'icmp'

However, this creates no rule in ip6tables. If I force it to use proto icmpv6, it works.

We have some options here:

1) openwrt firewall must translate icmp rules to icmpv6 if ipv6 (may not work as icmp and icmpv6 are different)

2) luci must not allow icmp rules with ipv6 ("ipv6-only" or "ipv4 and ipv6"). The interface should force IPv4-only when ICMP is selected. An alternative ICMPv6 proto should be added to the combobox. Also, icmpv6 must have its own custom types.
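The translation the reporter describes in option 1, as an added example written for this page and not code from the ticket or from OpenWrt's firewall package: a POSIX sh function that reads a UCI 'rule' section like the one above and prints the iptables/ip6tables command it should produce, substituting icmpv6 for icmp on the IPv6 side (ICMP is IP protocol 1 and never appears inside an IPv6 packet; the IPv6 equivalent is ICMPv6, protocol 58). The chain names zone_<src>_forward and zone_<dest>_<target> are assumed here for illustration.

```sh
#!/bin/sh
# Added example; not OpenWrt's firewall script. Resolves a UCI rule's
# 'proto' per address family before emitting the command, so that
# family=ipv6 + proto=icmp becomes '-p icmpv6' instead of a rule that can
# never match. Chain names are an assumption made for illustration.

# Usage: render_rule <family> <proto> <src_zone> <dest_zone> <target>
# Prints one command per address family the rule applies to.
render_rule() {
    family=$1; proto=$2; src=$3; dest=$4; target=$5

    case "$family" in
        ipv4)   families="ipv4" ;;
        ipv6)   families="ipv6" ;;
        any|"") families="ipv4 ipv6" ;;
        *) echo "unknown family '$family'" >&2; return 1 ;;
    esac

    for fam in $families; do
        if [ "$fam" = ipv6 ]; then
            tool=ip6tables
            # ICMP (protocol 1) does not exist in IPv6; rewrite to ICMPv6.
            case "$proto" in
                icmp|icmpv6) p=icmpv6 ;;
                *)           p=$proto ;;
            esac
        else
            tool=iptables
            # An ICMPv6 rule has no IPv4 counterpart: emit nothing for it.
            case "$proto" in
                icmpv6) continue ;;
                *)      p=$proto ;;
            esac
        fi
        echo "$tool -A zone_${src}_forward -p $p -j zone_${dest}_${target}"
    done
}

# Usage: parse_rule < uci_section
# Reads "option 'key' 'value'" lines from stdin and hands them to render_rule.
parse_rule() {
    family=any; proto=all; src=; dest=; target=
    while read -r kw key val; do
        [ "$kw" = option ] || continue
        key=${key#\'}; key=${key%\'}
        val=${val#\'}; val=${val%\'}
        case "$key" in
            family) family=$val ;;
            proto)  proto=$val ;;
            src)    src=$val ;;
            dest)   dest=$val ;;
            target) target=$val ;;
        esac
    done
    render_rule "$family" "$proto" "$src" "$dest" "$target"
}

# Demo on the reporter's section (constructed input, copied from the ticket).
parse_rule <<'EOF'
config 'rule'
        option 'target' 'ACCEPT'
        option '_name' 'ICMPv6'
        option 'src' 'wan'
        option 'dest' 'lan'
        option 'family' 'ipv6'
        option 'proto' 'icmp'
EOF
```

With family left at its default ("any") the same section yields both an iptables line with -p icmp and an ip6tables line with -p icmpv6, which is the behaviour option 1 asks for; a rule that names icmpv6 explicitly produces only the ip6tables line.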

Attachments (0)

Change History (8)

comment:1 Changed 7 years ago by KillaB

Luci aside, your rule works for me (as is) on Backfire r25480 (firewall - 2-21)

comment:2 Changed 7 years ago by luizluca@…

Would you mind sharing the "ip6tables -L" result and the /etc/config/firewall file?

BTW, I'm using r26391

comment:3 Changed 7 years ago by jkt@…

This effectively means that the default firewall setup prevents any kind of IPv6 connectivity, because ICMPv6 handles IPv6-to-link-address translation.

Even RHEL6 now enables all ICMPv6 on all interfaces; maybe it might be a wise idea to actually not implement a selective whitelist, but to allow all packet types here.

comment:4 Changed 7 years ago by jow

  • Owner set to jow
  • Status changed from new to accepted

comment:5 Changed 7 years ago by jow

  • Priority changed from high to response-needed

Should be fixed with r27317 - please test. Note that LuCI is not synced yet; it will not support all additions yet.

comment:6 follow-up: Changed 7 years ago by anonymous

Hi jow, thanks for your changes. I'm not really familiar with the luci config scripts, so maybe I'm not reading them correctly, but I have a few suggestions for the setup nevertheless.

First of all, what is the reason behind providing a selective whitelist of the ICMPv6 packets types to allow over simply accepting all of them? Are there any specific security concerns? Why is there an arbitrary limit of 1000 packets per second?

Why is there a drop rule for leaking router advertisements on wan (i.e. is it dropping the outgoing advertisements, or incoming ones)?

In the meanwhile, I've already switched my setup to a custom ruleset (without the various chains from the luci-based setup), so I'm not likely to test the new image, sorry.

comment:7 in reply to: ↑ 6 Changed 7 years ago by jow

Replying to anonymous:

First of all, what is the reason behind providing a selective whitelist of the ICMPv6 packets types to allow over simply accepting all of them? Are there any specific security concerns? Why is there an arbitrary limit of 1000 packets per second?

This is discussed in RFC4890, subsection 3 and 4 - see http://tools.ietf.org/html/rfc4890#section-4 .

The 1000/sec limit is a first guess at rate limiting those messages, it will need to be refined over time.

Why is there a drop rule for leaking router advertisements on wan (i.e. is it dropping the outgoing advertisements, or incoming ones)?

It is dropping outgoing advertisements as it may lead to undesired effects in the ISP network (kind of like the known Windows problem where enabling ICS makes it act as IPv6 router).
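A selective ICMPv6 whitelist of the kind jow points to in RFC 4890 sections 4.3 and 4.4, with a per-type rate limit and the outbound Router Advertisement drop, as an added example written for this page; it is not the r27317 ruleset and does not claim to reproduce it. The ip6tables commands are printed rather than applied so the set can be reviewed offline. The chain names input_wan and output_wan, the interface eth1 and the 1000/second figure are assumptions for illustration; the type numbers are the ones listed in RFC 4890.

```sh
#!/bin/sh
# Added example, not OpenWrt's r27317 ruleset: emit an RFC 4890 style
# ICMPv6 whitelist for a router's WAN side. Chain names, the WAN interface
# and the rate are illustrative assumptions.

# RFC 4890 section 4.3.1: error and informational messages that must not be
# dropped (Destination Unreachable, Packet Too Big, Time Exceeded, Parameter
# Problem, Echo Request, Echo Reply).
ESSENTIAL_TYPES="1 2 3 4 128 129"

# RFC 4890 section 4.4.1: link-local messages the link cannot work without
# (Neighbor Discovery 133-136, inverse ND 141/142, MLD 130-132 and 143,
# SEND certificate path 148/149, multicast router discovery 151-153).
LINK_LOCAL_TYPES="133 134 135 136 141 142 130 131 132 143 148 149 151 152 153"

# Neighbor Discovery is sent with hop limit 255 and is never forwarded, so
# an ND message arriving with any other hop limit was not sent on-link.
ND_TYPES="133 134 135 136"

# Usage: icmpv6_input_rules <wan_ifname> <rate_per_second>
# Prints the accept rules for inbound ICMPv6 on the WAN, then a catch-all
# drop for every type not listed (node information queries, router
# renumbering, experimental and unassigned types).
icmpv6_input_rules() {
    wan=$1; rate=$2
    for t in $ESSENTIAL_TYPES; do
        # Each type gets its own limit bucket; the figure is a tunable,
        # not a measured value.
        echo "ip6tables -A input_wan -i $wan -p icmpv6 --icmpv6-type $t -m limit --limit ${rate}/second -j ACCEPT"
    done
    for t in $LINK_LOCAL_TYPES; do
        case " $ND_TYPES " in
            *" $t "*) hl="-m hl --hl-eq 255 " ;;
            *)        hl="" ;;
        esac
        # Link-local traffic is left unlimited: throttling NS/NA would
        # break neighbor resolution under a burst of legitimate traffic.
        echo "ip6tables -A input_wan -i $wan -p icmpv6 --icmpv6-type $t ${hl}-j ACCEPT"
    done
    echo "ip6tables -A input_wan -i $wan -p icmpv6 -j DROP"
}

# Usage: icmpv6_output_rules <wan_ifname>
# Drops Router Advertisements (type 134) leaving the WAN interface: a
# router advertising itself toward the ISP link would offer itself as a
# default router to every other host on that link.
icmpv6_output_rules() {
    wan=$1
    echo "ip6tables -A output_wan -o $wan -p icmpv6 --icmpv6-type 134 -j DROP"
}

# Usage: count_rules <wan_ifname> <rate>
# Returns the number of inbound rules generated (for checking the set).
count_rules() {
    icmpv6_input_rules "$1" "$2" | wc -l | tr -d ' '
}

icmpv6_input_rules eth1 1000
icmpv6_output_rules eth1
```

The hop-limit match on the four ND types is the check RFC 4890 recommends for traffic that must only ever come from the local link; it is not part of the question above but is the caveat most worth adding when a whitelist accepts 135/136 from the WAN.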

comment:8 Changed 7 years ago by jow

  • Resolution set to fixed
  • Status changed from accepted to closed

Should be fixed by now
