Hello,
I came across a problem using shorewall6 version 4.5.21.6. I think it
all boils down to "there are no broadcast addresses in IPv6".
For demonstration purpose, network interface (dummy device, just for
describing the problem) is configured like:
eth1: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state
UNKNOWN group default
link/ether 16:ac:09:2b:bc:42 brd ff:ff:ff:ff:ff:ff
inet6 2001:db8::/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::14ac:9ff:fe2b:bc42/64 scope link
valid_lft forever preferred_lft forever
The assigned address is 2001:db8::/64 which is a perfectly legal IPv6
address for an link. It is nothing special compared to 2001:db8::1/64.
Trivial shorewall6 configuration:
zones:
###############################################################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv6
interfaces:
###############################################################################
#ZONE INTERFACE OPTIONS
net eth1
policy:
###############################################################################
#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
# LEVEL BURST MASK
fw net ACCEPT
net fw REJECT info
all all REJECT info
Excerpt of created ip6tables rules:
Chain Broadcast (1 references)
pkts bytes target prot opt in out source
destination
0 0 DROP all * * ::/0 2001:db8::
0 0 DROP all * * ::/0
2001:db8::ffff:ffff:ff80/121
0 0 DROP all * * ::/0 ff00::/8
First rule is wrong because 2001:db8:: is our address on the link which
is not a broadcast address nor is in any case special. Second rule looks
totally crude to me and I don't understand the purpose. Third rule is
multicast. Don't know how shorewall6 is designed to handle this because
it includes anycast addresses too. (These rules are repeated in the
"reject" chain.)
This issue results in the error that packets which should be rejected
and logged as stated in the policy file gets simply dropped without logging.
Of course, if you change the address of the interface to 2001:db8::1/64
all seems to work ok, but the wrong rules are still present. Maybe the
whole idea of broadcasts should be dropped in shorewall6?
Michael Roth
------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck
Code Sight - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
