On Tue, 14 Feb 2012 at 23:02:26, Freek Dijkstra wrote:

> Hi,
>
> I added a few rules to my firewall to prevent spoofing source IP
> addresses. I encountered some (to me) unexpected behaviour where IPv6
> traffic originating at the host would match an ipfw rule with "in" and
> "recv <interface>" set.
>
> I would very much appreciate it if someone could replicate the following
> behaviour, and report the results.
>
> 1. Add a firewall rule:
>    "count log ipv6 from me to me not recv lo0"
> 2. On the host, ping6 to one of its IP addresses.
>
> Here is the result for me:
>
> 2001:610:767:4ec1::1 is an IPv6 address of my host. So I would expect
> that pinging the IP from host itself would use the loopback interface.
> route get confirms this:
>
> % route get -inet6 2001:610:767:4ec1::1
>    route to: 2001:610:767:4ec1::1
> destination: 2001:610:767:4ec1::1
>   interface: lo0
>       flags: <UP,HOST,DONE,STATIC>
>  recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
>        0         0         0         0     16384         1         0
> However, ipfw thinks the traffic is received through another interface:
>
> % ipfw add 1200 count log ipv6 from me to me     not recv lo0
> % ipfw add 1201 count log ipv6 from me to me out not recv lo0
> % ipfw add 1202 count log ipv6 from me to me in  not recv lo0
> % ping6 -c 1 2001:610:767:4ec1::1
>
>> ipfw: 1200 Count ICMPv6:128.0 [2001:610:767:4ec1::1] [2001:610:767:4ec1::1] in via em3
>> ipfw: 1202 Count ICMPv6:128.0 [2001:610:767:4ec1::1] [2001:610:767:4ec1::1] in via em3
>
[snip]

I have replicated what you're doing for ipv4 and ipv6, results are attached.

There is a difference: ping seems to use 127.0.0.1 to send the echo request,
and ping6 doesn't use ::1 to send it. Possibly this is by design.

-- 
Regards,
T. Koeman, MTh/BSc/BPsy; Technical Monk

MediaMonks B.V. (www.mediamonks.com)
Please quote relevant replies in correspondence.
# route get -inet 217.195.117.150
   route to: ns1.mediamonks.net
destination: ns1.mediamonks.net
  interface: lo0
      flags: <UP,HOST,DONE,STATIC>
 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0     16384         1         0 

------------

# ping -c 1 217.195.117.150
PING 217.195.117.150 (217.195.117.150): 56 data bytes
64 bytes from 217.195.117.150: icmp_seq=0 ttl=64 time=0.028 ms

--- 217.195.117.150 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.028/0.028/0.028/0.000 ms

------------

00011 count log logamount 200 ip from me to me not recv lo0
00012 count log logamount 200 ip from me to me out not recv lo0
00013 count log logamount 200 ip from me to me in not recv lo0

------------

Feb 15 00:17:52 obhasa kernel: ipfw: 11 Count ICMP:8.0 127.0.0.1 217.195.117.150 out via lo0
Feb 15 00:17:52 obhasa kernel: ipfw: 12 Count ICMP:8.0 127.0.0.1 217.195.117.150 out via lo0
Feb 15 00:17:52 obhasa kernel: ipfw: 11 Count ICMP:0.0 217.195.117.150 127.0.0.1 out via lo0
Feb 15 00:17:52 obhasa kernel: ipfw: 12 Count ICMP:0.0 217.195.117.150 127.0.0.1 out via lo0

------------
# route get -inet6 2a03:5500:236:0:217:195:117:150
   route to: ns1.mediamonks.net
destination: ns1.mediamonks.net
  interface: lo0
      flags: <UP,HOST,DONE,STATIC>
 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0     16384         1         0 

------------

# ping6 -c 1 2a03:5500:236:0:217:195:117:150
PING6(56=40+8+8 bytes) 2a03:5500:236:0:217:195:117:150 --> 2a03:5500:236:0:217:195:117:150
16 bytes from 2a03:5500:236:0:217:195:117:150, icmp_seq=0 hlim=64 time=0.274 ms

--- 2a03:5500:236:0:217:195:117:150 ping6 statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.274/0.274/0.274/0.000 ms

------------

00001 count log logamount 200 ip6 from me6 to me6 not recv lo0
00002 count log logamount 200 ip6 from me6 to me6 out not recv lo0
00003 count log logamount 200 ip6 from me6 to me6 in not recv lo0

------------

Feb 15 00:19:41 obhasa kernel: ipfw: 1 Count ICMPv6:128.0 [2a03:5500:236:0:217:195:117:150] [2a03:5500:236:0:217:195:117:150] out via lo0
Feb 15 00:19:41 obhasa kernel: ipfw: 2 Count ICMPv6:128.0 [2a03:5500:236:0:217:195:117:150] [2a03:5500:236:0:217:195:117:150] out via lo0
Feb 15 00:19:41 obhasa kernel: ipfw: 1 Count ICMPv6:128.0 [2a03:5500:236:0:217:195:117:150] [2a03:5500:236:0:217:195:117:150] in via em0
Feb 15 00:19:41 obhasa kernel: ipfw: 3 Count ICMPv6:128.0 [2a03:5500:236:0:217:195:117:150] [2a03:5500:236:0:217:195:117:150] in via em0
Feb 15 00:19:41 obhasa kernel: ipfw: 1 Count ICMPv6:129.0 [2a03:5500:236:0:217:195:117:150] [2a03:5500:236:0:217:195:117:150] out via lo0
Feb 15 00:19:41 obhasa kernel: ipfw: 2 Count ICMPv6:129.0 [2a03:5500:236:0:217:195:117:150] [2a03:5500:236:0:217:195:117:150] out via lo0
Feb 15 00:19:41 obhasa kernel: ipfw: 1 Count ICMPv6:129.0 [2a03:5500:236:0:217:195:117:150] [2a03:5500:236:0:217:195:117:150] in via em0
Feb 15 00:19:41 obhasa kernel: ipfw: 3 Count ICMPv6:129.0 [2a03:5500:236:0:217:195:117:150] [2a03:5500:236:0:217:195:117:150] in via em0

------------
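As an added example (not code from either poster), the following Python script parses ipfw log lines of the ICMP/ICMPv6 form shown in the attached output and reports which locally-sourced packets an anti-spoofing rule of the form "from me to me in not recv lo0" would match. The sample log lines are the ones attached above (unwrapped), the host's address list is taken from the thread, and the regular expression is written only for the log format visible on this page; names such as `classify` and `report` are the example's own.

```python
"""Parse ipfw(8) log lines and report which locally-sourced packets an
anti-spoofing rule such as "from me to me in not recv lo0" would match.

Added example, not from the thread. The regular expression covers only the
ICMP/ICMPv6 log format visible in this thread:
  ipfw: <rule> <action> <PROTO>:<type>.<code> <src> <dst> <in|out> via <iface>
with IPv6 addresses printed in square brackets.
"""
import ipaddress
import re
import sys
from collections import Counter

LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\S+) "
    r"(?P<proto>[A-Za-z0-9]+)(?::(?P<icmp>\d+\.\d+))? "
    r"\[?(?P<src>[^\s\]]+)\]? \[?(?P<dst>[^\s\]]+)\]? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

# Constructed sample input: the log lines from the attached output, unwrapped.
SAMPLE_LOG = [
    "Feb 15 00:17:52 obhasa kernel: ipfw: 11 Count ICMP:8.0 127.0.0.1 217.195.117.150 out via lo0",
    "Feb 15 00:17:52 obhasa kernel: ipfw: 12 Count ICMP:8.0 127.0.0.1 217.195.117.150 out via lo0",
    "Feb 15 00:17:52 obhasa kernel: ipfw: 11 Count ICMP:0.0 217.195.117.150 127.0.0.1 out via lo0",
    "Feb 15 00:17:52 obhasa kernel: ipfw: 12 Count ICMP:0.0 217.195.117.150 127.0.0.1 out via lo0",
    "Feb 15 00:19:41 obhasa kernel: ipfw: 1 Count ICMPv6:128.0 [2a03:5500:236:0:217:195:117:150] [2a03:5500:236:0:217:195:117:150] out via lo0",
    "Feb 15 00:19:41 obhasa kernel: ipfw: 2 Count ICMPv6:128.0 [2a03:5500:236:0:217:195:117:150] [2a03:5500:236:0:217:195:117:150] out via lo0",
    "Feb 15 00:19:41 obhasa kernel: ipfw: 1 Count ICMPv6:128.0 [2a03:5500:236:0:217:195:117:150] [2a03:5500:236:0:217:195:117:150] in via em0",
    "Feb 15 00:19:41 obhasa kernel: ipfw: 3 Count ICMPv6:128.0 [2a03:5500:236:0:217:195:117:150] [2a03:5500:236:0:217:195:117:150] in via em0",
    "Feb 15 00:19:41 obhasa kernel: ipfw: 1 Count ICMPv6:129.0 [2a03:5500:236:0:217:195:117:150] [2a03:5500:236:0:217:195:117:150] out via lo0",
    "Feb 15 00:19:41 obhasa kernel: ipfw: 2 Count ICMPv6:129.0 [2a03:5500:236:0:217:195:117:150] [2a03:5500:236:0:217:195:117:150] out via lo0",
    "Feb 15 00:19:41 obhasa kernel: ipfw: 1 Count ICMPv6:129.0 [2a03:5500:236:0:217:195:117:150] [2a03:5500:236:0:217:195:117:150] in via em0",
    "Feb 15 00:19:41 obhasa kernel: ipfw: 3 Count ICMPv6:129.0 [2a03:5500:236:0:217:195:117:150] [2a03:5500:236:0:217:195:117:150] in via em0",
]
# The host's own addresses ("me"), as given in the thread.
LOCAL_ADDRS = ["127.0.0.1", "217.195.117.150", "2a03:5500:236:0:217:195:117:150"]


def parse_line(line):
    """Return a dict for one ipfw log line, or None if the line does not match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    try:
        rec["src"] = ipaddress.ip_address(rec["src"])
        rec["dst"] = ipaddress.ip_address(rec["dst"])
    except ValueError:  # TCP/UDP lines carry ports; not handled by this example
        return None
    return rec


def classify(lines, local_addrs, loopback="lo0"):
    """Count records by (family, direction, interface) and return those that a
    'from me to me in not recv lo0' rule would treat as spoofed: traffic between
    the host's own addresses seen inbound on a non-loopback interface."""
    local = {ipaddress.ip_address(a) for a in local_addrs}
    counts = Counter()
    flagged = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        family = "IPv%d" % rec["src"].version
        counts[(family, rec["dir"], rec["iface"])] += 1
        if (rec["src"] in local and rec["dst"] in local
                and rec["dir"] == "in" and rec["iface"] != loopback):
            flagged.append(rec)
    return counts, flagged


def report(lines=SAMPLE_LOG, local_addrs=LOCAL_ADDRS):
    """Print a per-family/direction/interface summary and the flagged records."""
    counts, flagged = classify(lines, local_addrs)
    for (family, direction, iface), n in sorted(counts.items()):
        print("%s %-3s via %-4s %d" % (family, direction, iface, n))
    for rec in flagged:
        print("rule %d: %s -> %s seen %s via %s (would match 'in not recv lo0')"
              % (rec["rule"], rec["src"], rec["dst"], rec["dir"], rec["iface"]))
    return flagged


if __name__ == "__main__":
    # Pipe real syslog output on stdin, or run with no input to use the sample.
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else []
    report(lines or SAMPLE_LOG)
```

Run against the attached output, the IPv4 echo request and reply are both attributed to lo0 outbound, while the IPv6 packets appear a second time as "in via em0", so only the IPv6 records are flagged; the same script can be pointed at a live syslog to confirm whether a proposed anti-spoof rule would hit the host's own traffic before it is changed from `count` to `deny`.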
