Thanks for jumping in to help!

I have gone through and removed all IPv6 references in /boot/loader.conf
/etc/sysctl.conf and /etc/rc.conf as well as the /etc/ipf.rules and even
checked the /etc/ipnat.rules -- I only found one reference to ipv6 routing
(turning it off).  I removed that and found no difference.

I found this though - tell me what you think:  When I use my own reload
command I do NOT get the SIOCIPFL6 error, but I DO get it when I use the
"/etc/rc.d/ipfilter restart" command.  So I looked into that script and I see
these bits of code:

stop_precmd="test -f ${ipfilter_rules} -o -f ${ipv6_ipfilter_rules}"
start_precmd="$stop_precmd"
restart_precmd="$stop_precmd"

Since ipfilter seems to be running OK when I run my own command to start it
and I get this error when the system starts it during boot or with a
start/restart I was thinking that it might be this bit that is causing the
grief.

I changed the script for the system startup to remove the if/fi groups that
reference IPv6 and I changed the stop_precmd above and removed IPv6 from the
test.  I have tested the script and it works like a charm!

Since this box has the FreeBSD kernel build set for IPv4 only and all
references to IPv6 are removed and ipfilter does not attempt to load IPv6
anymore, I think I am safe from having to deal with IPv6 -- right?

Anyway, thank you for sending me down the right track.  I hope that this
proves to help someone with the same problem and perhaps will lead the
FreeBSD folks to update their ipfilter start up script to avoid the issues.

Thanks again!

--  Jeff


-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Ashwani Wason
Sent: Thursday, May 07, 2009 1:34 PM
To: [email protected]
Cc: [email protected]
Subject: Re: ioctl(SIOCIPFL6): Invalid argument

Jeff,

I am not familiar with IP filter operation on FreeBSD. But here's my input
FWIW after a quick code inspection...

1. EINVAL is expected from the kernel if you disabled support for IPv6. It
basically means that the ioctl is not supported.
2. If that is the case then the user space should not give any option to any
IP filter tool that could exercise IPv6.
3. In your case it looks like the tool 'ipf' is doing so.
4. Check your ipf.conf (firewall rules file; location not known to me on
FreeBSD) and make sure that there are no IPv6 rules.
5. Check your init script (or whatever starts IP filter on FreeBSD) and make
sure that the option -6 is not being given to it.

It looks to me that during startup the ipf tool is trying to flush all
v6 rules and hence this error. I also think that you should be concerned
with this because I looked at the source code of the tool and it exits once
it hits this error. So it will not do any other actions that you meant for
it.

- Ashwani
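
Step 5 of the checklist above, as an added example that is not part of the original thread: a POSIX shell function that lists the lines of a startup script where `ipf` is invoked with `-6`, joining backslash-continued lines first. The function names and the sample script are constructed for illustration; the sample is not the FreeBSD /etc/rc.d/ipfilter script.

```shell
#!/bin/sh
# Added example (not from the thread): report the line numbers in a startup
# script where ipf is run with the -6 option.

find_ipf_v6_calls() {
    awk '
        # A trailing backslash continues the command: accumulate it and
        # remember the line on which the command started.
        /\\$/ {
            sub(/\\$/, "")
            if (buf == "") start = NR
            buf = buf $0 " "
            next
        }
        {
            line  = buf $0
            first = (buf == "") ? NR : start
            buf   = ""
            sub(/#.*/, "", line)   # simplification: treat every # as a comment
            # ipf as a command word (also ".../ipf}" from a ${var:-path} default)
            # carrying -6 as a separate option.
            if (line ~ /(^|[^A-Za-z0-9_])ipf[ \t}]/ && line ~ /(^|[ \t])-6([ \t]|$)/)
                print first
        }
    ' "$1"
}

demo_ipf_v6_audit() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
# constructed sample, not the FreeBSD rc.d/ipfilter script
ipf -E
ipf -Fa
ipf -f "${ipfilter_rules}"
# ipf -6 -Fa
ipf -6 -Fa
if [ -r "${ipv6_ipfilter_rules}" ]; then
    ipf -6 \
        -f "${ipv6_ipfilter_rules}"
fi
ipf \
    -6 -Fa
EOF
    find_ipf_v6_calls "$tmp"
    rm -f "$tmp"
}

demo_ipf_v6_audit    # prints 6, 8 and 11, one per line
```

Any line it reports that sits outside a conditional is a call that runs on every start, whether or not an IPv6 rules file exists.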



On Thu, May 7, 2009 at 9:33 AM, Jeffrey D. Brower <[email protected]>
wrote:
> I found the (add/insert rule):File exists problem.  I had duplicate 
> rules in the ruleset!
>
> I still get the SIOCIPFL6 problem.  I suspect it is a problem with IPv6.
> When I did the build world on this box I disabled IPv6 and I suspect 
> that something in IPFilter is trying to use it - but darned if I can 
> figure out where.  Any thoughts?  What can I supply to you guys that 
> might help you help me?
>
> --  Jeff
>
>
> -----Original Message-----
> From: [email protected] 
> [mailto:[email protected]] On Behalf Of Jeffrey D. 
> Brower
> Sent: Wednesday, May 06, 2009 9:46 PM
> To: [email protected]
> Subject: ioctl(SIOCIPFL6): Invalid argument
>
> Greetings all!
>
> I am building a new FreeBSD box for a firewall.  The last one was 
> running
> 3.4.31 so I guess it was time.  <grin>
>
> I get this set of messages (new to me) when I am booting:
>
>        Enabling ipfilter
>        361:ioctl(add/insert rule):File exists
>        423:ioctl(add/insert rule):File exists
>        703:ioctl(add/insert rule):File exists
>        1:ioctl(add/insert rule):File exists
>        ioctl(SIOCIPFL6): Invalid argument
>        Installing NAT rules.
>        0 entries flushed from NAT table
>        0 entries flushed from NAT list
>
> I am concerned that lines 2 through 6 are errors, but my attention is 
> obviously drawn to the last one of the set of errors since it says 
> "Invalid argument".  I can't find this on the list and Google was not 
> my friend, so I thought I would ask you fine folks if my ship was sinking.
>
> What exactly is ipfilter telling me, do I need to be worried and what 
> can I do to get a clean boot?
>
> Thanks for your help!
>
> --  Jeff
>
>

