I have this strange problem where ICMP6 router advertisement responses
are not making out to their requester.
My OUTPUT chain looks like:
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
49623 4936K accounting
On 03/26/2018 04:18 PM, Brian J. Murrell wrote:
> I have this strange problem where ICMP6 router advertisement responses
> are not making out to their requester.
>
Which kernel version? A number of us have seen this problem (it
currently exists in RHEL 7) which is traceable to a kernel issue.
-T
On Tue, 2018-03-27 at 10:18 -0700, Tom Eastep wrote:
>
> Which kernel version?
4.4.92 on LEDE 17.01.4.
> A number of us have seen this problem (it
> currently exists in RHEL 7)
Who backport *tons* of stuff to their "3.10.0" kernel.
> which is traceable to a kernel issue.
Do you have a link to
On 03/27/2018 10:48 AM, Brian J. Murrell wrote:
> On Tue, 2018-03-27 at 10:18 -0700, Tom Eastep wrote:
>>
>> Which kernel version?
>
> 4.4.92 on LEDE 17.01.4.
>
>> A number of us have seen this problem (it
>> currently exists in RHEL 7)
>
> Who backport *tons* of stuff to their "3.10.0" kernel.
On Tue, 2018-03-27 at 12:44 -0700, Tom Eastep wrote:
>
> I've asked the maintainer of Foobar Linux, a RHEL-based distribution,
> for details. He found a neighbor discovery cleanup patch from way
> back
> in 2014 that solved the problem for him.
Do we have a copy of this patch or know where it is
Brian,
> How do you discover the link-local address for the upstream router?
You can try on your shorewall box
*ip -6 neigh show dev eth0 *
where eth0 is the interface to your upstream router
if it answers something like
*fe80::1abc:2def:fe65:fcf2* lladdr 18:e7:28:65:fc:f2 router STALE
this wou
On 03/28/2018 03:30 AM, Brian J. Murrell wrote:
> On Tue, 2018-03-27 at 12:44 -0700, Tom Eastep wrote:
>>
>> I've asked the maintainer of Foobar Linux, a RHEL-based distribution,
>> for details. He found a neighbor discovery cleanup patch from way
>> back
>> in 2014 that solved the problem for him.
On 03/28/2018 08:36 AM, Tom Eastep wrote:
> On 03/28/2018 03:30 AM, Brian J. Murrell wrote:
>> On Tue, 2018-03-27 at 12:44 -0700, Tom Eastep wrote:
>>>
>>> I've asked the maintainer of Foobar Linux, a RHEL-based distribution,
>>> for details. He found a neighbor discovery cleanup patch from way
>>>
On Tue, 2018-03-27 at 12:44 -0700, Tom Eastep wrote:
>
> I've asked the maintainer of Foobar Linux, a RHEL-based distribution,
> for details.
Did you get any response to this query?
> He found a neighbor discovery cleanup patch from way back
> in 2014 that solved the problem for him.
This would
On Mon, 04 Jun 2018 13:32:16 -0400
"Brian J. Murrell" wrote:
> On Tue, 2018-03-27 at 12:44 -0700, Tom Eastep wrote:
> >
> > I've asked the maintainer of Foobar Linux, a RHEL-based
> > distribution, for details.
Update to centos 7 latest kernels (3.10.0-862.*.el7) will fix the
issue. Big ipv6
On Mon, 2018-06-04 at 23:51 +0300, Tuomo Soini wrote:
>
> Update to centos 7 latest kernels (3.10.0-862.*.el7) will fix the
> issue.
My Shorewall gateway is OpenWRT, so identifying particular patches
would still be most useful, so that I get patch and build locally as
well as get them upstream.
On Mon, 04 Jun 2018 21:12:54 -0400
"Brian J. Murrell" wrote:
> On Mon, 2018-06-04 at 23:51 +0300, Tuomo Soini wrote:
> >
> > Update to centos 7 latest kernels (3.10.0-862.*.el7) will fix the
> > issue.
>
> My Shorewall gateway is OpenWRT, so identifying particular patches
> would still be mos
On Tue, 2018-06-05 at 10:00 +0300, Tuomo Soini wrote:
>
> That's huge patchset which is already in upstream. Upgrade to LEDE
> and
> you should be ok.
I'm already on the latest LEDE (it's actually called OpenWRT now/again)
stable (17.01.4) but 17.01.5 is in the pipeline and I'd like to make
sure
On Mon, 2018-03-26 at 19:18 -0400, Brian J. Murrell wrote:
> I have this strange problem where ICMP6 router advertisement
> responses
> are not making out to their requester.
I have narrowed this down to packet connmarking in the mangle table.
First, my mangle table:
Chain PREROUTING (policy ACC
On 06/05/2018 07:11 AM, Brian J. Murrell wrote:
> On Mon, 2018-03-26 at 19:18 -0400, Brian J. Murrell wrote:
>> I have this strange problem where ICMP6 router advertisement
>> responses
>> are not making out to their requester.
>
> I have narrowed this down to packet connmarking in the mangle tabl
On Thu, 2018-06-07 at 08:37 -0700, Tom Eastep wrote:
>
> In place of your ip6tables command, please try this one:
>
> ip6tables -t mangle -I OUTPUT -p icmpv6 --icmpv6-type 136 -j RETURN
>
> Does that also solve the issue?
No, it doesn't I'm afraid.
Cheers,
b.
signature.asc
Description: This
On 06/11/2018 04:12 AM, Brian J. Murrell wrote:
> On Thu, 2018-06-07 at 08:37 -0700, Tom Eastep wrote:
>>
>> In place of your ip6tables command, please try this one:
>>
>> ip6tables -t mangle -I OUTPUT -p icmpv6 --icmpv6-type 136 -j RETURN
>>
>> Does that also solve the issue?
>
> No, it doesn't I
On Mon, 2018-06-11 at 08:39 -0700, Tom Eastep wrote:
>
> Okay. Provided that your firewall is not an IPSEC endpoint, please
> try
> setting the ZERO_MARKS option in shorewall6.conf.
Assuming you mean setting the ZERO_MARKS option to Yes, that doesn't
resolve the issue either.
Cheers,
b.
signat
18 matches
Mail list logo
