On 7/18/2014 4:10 PM, Michael Roth wrote:
> Hello,
> 
> I came across a problem using shorewall6 version 4.5.21.6.  I think it 
> all boils down to "there are no broadcast addresses in IPv6".
> 
> For demonstration purpose, network interface (dummy device, just for 
> describing the problem) is configured like:
> 
>     eth1: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
>      link/ether 16:ac:09:2b:bc:42 brd ff:ff:ff:ff:ff:ff
>      inet6 2001:db8::/64 scope global
>         valid_lft forever preferred_lft forever
>      inet6 fe80::14ac:9ff:fe2b:bc42/64 scope link
>         valid_lft forever preferred_lft forever
> 
> The assigned address is 2001:db8::/64, which is a perfectly legal IPv6 
> address for a link.  It is nothing special compared to 2001:db8::1/64.
> 
> Trivial shorewall6 configuration:
> 
> zones:
> ###############################################################################
>    #ZONE   TYPE            OPTIONS         IN OUT
>    #                                       OPTIONS OPTIONS
>    fw      firewall
>    net     ipv6
> 
> interfaces:
> ###############################################################################
>    #ZONE           INTERFACE               OPTIONS
>    net             eth1
> 
> policy:
> ###############################################################################
>    #SOURCE DEST    POLICY          LOG     LIMIT: CONNLIMIT:
>    #                               LEVEL   BURST           MASK
>    fw      net     ACCEPT
>    net     fw      REJECT          info
>    all     all     REJECT          info
> 
> 
> Excerpt of created ip6tables rules:
> 
>    Chain Broadcast (1 references)
>     pkts bytes target     prot opt in     out source               destination
>        0     0 DROP       all      *      * ::/0                 2001:db8::
>        0     0 DROP       all      *      * ::/0                 2001:db8::ffff:ffff:ff80/121
>        0     0 DROP       all      *      * ::/0                 ff00::/8
> 
> First rule is wrong because 2001:db8:: is our address on the link, which 
> is not a broadcast address, nor is it in any way special.  Second rule looks 
> totally crude to me and I don't understand its purpose.  Third rule is 
> multicast.  Don't know how shorewall6 is designed to handle this because 
> it includes anycast addresses too.  (These rules are repeated in the 
> "reject" chain.)
> 
> This issue results in the error that packets which should be rejected 
> and logged as stated in the policy file get simply dropped without logging.
> 
> Of course, if you change the address of the interface to 2001:db8::1/64 
> all seems to work ok, but the wrong rules are still present. Maybe the 
> whole idea of broadcasts should be dropped in shorewall6?

Has RFC 2526 been rescinded?

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
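Added example, not part of the thread and not shorewall6 code: the destinations in the Broadcast chain above can be derived from the interface prefix. RFC 4291 section 2.6.1 defines the subnet-router anycast address as the subnet prefix with an all-zero interface identifier, which for 2001:db8::/64 is exactly 2001:db8::, the address Michael configured on eth1. RFC 2526, which Tom refers to, reserves the 128 highest interface identifiers of every subnet as anycast addresses: ffff:ffff:ffff:ff80/121 for non-EUI-64 identifiers and fdff:ffff:ffff:ff80/121 for EUI-64 ones. The script below computes both for a prefix, classifies a configured address, and emits DROP rules in the shape of the chain excerpt. The chain name and rule format are modelled on the excerpt rather than taken from shorewall6's generator, and the sample addresses are constructed from the documentation prefix. Note that the /121 block the script derives has one more ffff group than the rule quoted in the thread; the thread does not say whether that is a transcription artefact.

```python
"""Derive the IPv6 anycast addresses that a /64 prefix implies.

Added example for the shorewall6 thread above; not shorewall6 code.
"""
import ipaddress

# RFC 2526 section 2: the reserved subnet anycast interface identifiers are
# the 128 highest IIDs (all ones except a 7-bit anycast ID in the low bits);
# the EUI-64 form additionally has the universal/local bit cleared.
RFC2526_IID_NON_EUI64 = 0xFFFFFFFFFFFFFF80
RFC2526_IID_EUI64 = 0xFDFFFFFFFFFFFF80
ANYCAST_ID_BITS = 7


def subnet_router_anycast(network):
    """RFC 4291 section 2.6.1: the prefix with an all-zero interface ID."""
    net = ipaddress.IPv6Network(str(network), strict=False)
    return net.network_address


def reserved_subnet_anycast(network, eui64=False):
    """RFC 2526 reserved subnet anycast block for a /64 prefix (a /121)."""
    net = ipaddress.IPv6Network(str(network), strict=False)
    if net.prefixlen != 64:
        raise ValueError("RFC 2526 defines the reserved IIDs for 64-bit "
                         "interface identifiers only")
    iid = RFC2526_IID_EUI64 if eui64 else RFC2526_IID_NON_EUI64
    return ipaddress.IPv6Network((int(net.network_address) | iid,
                                  128 - ANYCAST_ID_BITS))


def classify(addr_with_prefix, eui64=False):
    """Say whether a configured address collides with an anycast address.

    This is the check behind the observation in the thread: 2001:db8::/64
    configured on an interface is the subnet-router anycast address of that
    subnet, while 2001:db8::1/64 is an ordinary unicast address.
    """
    iface = ipaddress.IPv6Interface(addr_with_prefix)
    addr, net = iface.ip, iface.network
    if addr.is_multicast:
        return "multicast"
    if addr == subnet_router_anycast(net):
        return "subnet-router anycast (RFC 4291 2.6.1)"
    if net.prefixlen == 64 and addr in reserved_subnet_anycast(net, eui64):
        return "reserved subnet anycast (RFC 2526)"
    return "unicast"


def anycast_drop_rules(network, chain="Broadcast"):
    """ip6tables rules in the shape of the chain excerpt (illustrative; the
    chain name and layout are assumptions, not shorewall6's generator):
    subnet-router anycast, the RFC 2526 block, and all of multicast."""
    net = ipaddress.IPv6Network(str(network), strict=False)
    dests = [str(subnet_router_anycast(net))]
    if net.prefixlen == 64:
        dests.append(str(reserved_subnet_anycast(net)))
    dests.append("ff00::/8")
    return [f"-A {chain} -d {d} -j DROP" for d in dests]


if __name__ == "__main__":
    # Constructed sample addresses using the thread's documentation prefix.
    for a in ("2001:db8::/64", "2001:db8::1/64",
              "2001:db8::ffff:ffff:ffff:ffff/64", "ff02::1/64"):
        print(f"{a:36} {classify(a)}")
    print()
    print("\n".join(anycast_drop_rules("2001:db8::/64")))
```

Running it shows 2001:db8::/64 classified as subnet-router anycast and 2001:db8::1/64 as unicast, which is the difference between the failing and the working configuration in the original report; the generated DROP rules cover the same three destination classes as the Broadcast chain excerpt.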


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users