[Firehol-devs] IPv6 neighbor discovery not working with an allow-everything interface
Andreas Unterkircher
unki at netshadow.at
Mon Jan 13 07:53:21 GMT 2014
Hi,
I guess we should note somewhere that even an interface that accepts
everything in & out will not permit IPv6 neighbor and
router discovery on that interface. "all" only permits stateful packet
behavior, while ND and RD work "stateless" (or at least
conntrack cannot track them) and will get filtered.
interface eth0 TRANSIT
client all accept
server all accept
leads to kernel messages showing ICMPv6 being filtered:
Jan 13 07:36:07 rtr-dmzhl kernel: [1814123.724008] IN-transit:IN=eth0
OUT= MAC=33:33:ff:00:00:7b:00:14:38:ff:ff:06:86:dd
SRC=2a04:ffff:f000:0003:0000:0000:0000:007a
DST=ff02:0000:0000:0000:0000:0001:ff00:007b LEN=72 TC=0 HOPLIMIT=255
FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0
Jan 13 07:36:08 rtr-dmzhl kernel: [1814124.723835] IN-transit:IN=eth0
OUT= MAC=33:33:ff:00:00:7b:00:14:38:ff:ff:06:86:dd
SRC=2a04:ffff:f000:0003:0000:0000:0000:007a
DST=ff02:0000:0000:0000:0000:0001:ff00:007b LEN=72 TC=0 HOPLIMIT=255
FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0
Jan 13 07:36:10 rtr-dmzhl kernel: [1814126.726273] IN-transit:IN=eth0
OUT= MAC=33:33:ff:00:00:7b:00:14:38:ff:ff:06:86:dd
SRC=2a04:ffff:f000:0003:0000:0000:0000:007a
DST=ff02:0000:0000:0000:0000:0001:ff00:007b LEN=72 TC=0 HOPLIMIT=255
FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0
Jan 13 07:36:11 rtr-dmzhl kernel: [1814127.732068] IN-transit:IN=eth0
OUT= MAC=33:33:ff:00:00:7b:00:14:38:ff:ff:06:86:dd
SRC=2a04:ffff:f000:0003:0000:0000:0000:007a
DST=ff02:0000:0000:0000:0000:0001:ff00:007b LEN=72 TC=0 HOPLIMIT=255
FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0
Only explicitly adding ipv6neigh and ipv6router (later if required)
will make this setup work.
# Internal Transit interface
interface eth0 TRANSIT
client all accept
server all accept
server "ipv6neigh ipv6router" accept
client "ipv6neigh ipv6router" accept
Cheers,
Andreas