Bug #14692

open

Mangled link-local addresses are being logged

Added by Daryl Morse almost 2 years ago. Updated 7 days ago.

Status: New
Priority: Normal
Assignee: -
Category: System Logs
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default
Affected Version: 2.7.0
Affected Architecture: amd64

Description

My system is logging discarded ping request messages from a link-local address, as is expected.

Here is an example of some of these messages:

Aug 17 13:23:56 kernel cannot forward src fe80:5::1cce:5fff:fe02:61b6, dst 2001:569:xxxx:b00:1:b3ff:fedd:9f24, nxt 58, rcvif hn0, outif hn1
Aug 17 13:23:52 kernel cannot forward src fe80:5::1cce:5fff:fe02:61b6, dst 2001:569:xxxx:b00:1:b3ff:fedd:9f24, nxt 58, rcvif hn0, outif hn1
Aug 17 13:23:48 kernel cannot forward src fe80:5::1cce:5fff:fe02:61b6, dst 2001:569:xxxx:b00:1:b3ff:fedd:9f24, nxt 58, rcvif hn0, outif hn1
Aug 17 13:09:03 kernel cannot forward src fe80:5::1cce:5fff:fe02:61b6, dst 2001:569:xxxx:b00:1:b3ff:fedd:9f24, nxt 58, rcvif hn0, outif hn1
Aug 17 13:08:59 kernel cannot forward src fe80:5::1cce:5fff:fe02:61b6, dst 2001:569:xxxx:b00:1:b3ff:fedd:9f24, nxt 58, rcvif hn0, outif hn1
Aug 17 13:08:55 kernel cannot forward src fe80:5::1cce:5fff:fe02:61b6, dst 2001:569:xxxx:b00:1:b3ff:fedd:9f24, nxt 58, rcvif hn0, outif hn1
Aug 17 12:17:16 kernel cannot forward src fe80:5::2a0:a50f:fc8a:6ea0, dst 2001:569:xxxxb00:1:b3ff:fedd:9f24, nxt 58, rcvif hn0, outif hn1
Aug 17 12:17:12 kernel cannot forward src fe80:5::2a0:a50f:fc8a:6ea0, dst 2001:569:xxxx:b00:1:b3ff:fedd:9f24, nxt 58, rcvif hn0, outif hn1
Aug 17 12:17:08 kernel cannot forward src fe80:5::2a0:a50f:fc8a:6ea0, dst 2001:569:xxxx:b00:1:b3ff:fedd:9f24, nxt 58, rcvif hn0, outif hn1

All of these messages begin with fe80:5, which is not a valid link-local address format. In order to see if these are the actual messages, I used Wireshark. I found that the addresses are being mangled. All of the actual addresses begin with fe80::, not fe80:5, so the addresses are being mangled.

ASIDE: I don't know what hosts or routers are the source of these messages. I will investigate that separately.

Actions #1

Updated by Daryl Morse over 1 year ago

I have no idea what host or router is responsible for the messages. Regardless of whether there is a reason for them to be sent, they are being mangled by FreeBSD or pfSense, which must be a bug.

Actions #2

Updated by Daryl Morse 7 days ago

Since the last update, the version of pfSense is now 2.7.2.

Previously, I had only seen the discarded messages being addressed to 2001:569:xxxx:b00:1:b3ff:fedd:9f24, which is a RIPE Atlas Probe that is connected to my LAN.

However, I have since noticed similar messages being addressed to other devices on my network. I don't have an example of such messages, but they are all similar, beginning with fe80:5, which is invalid.

I have also noticed outbound messages being discarded. Here are two examples:

cannot forward src fe80:6::e479:xxxx:xxxx:3a14, dst 2a03:2880:f201:c6:face:b00c:0:7260, nxt 58, rcvif hn1, outif hn0
cannot forward src fe80:6::e479:xxxx:xxxx:3a14, dst 2607:f8b0:400a:804::200a, nxt 58, rcvif hn1, outif hn0

Both of these messages are from a mobile phone. One appears to be related to WhatsApp and the other appears to be related to Google. (The phone is a Pixel.) Note that they both begin with fe80:6, which is invalid.

I don't have a Wireshark capture of any outgoing messages.

Normally, I would expect any message in the log to be there for a logical reason, but the reason for these messages is not obvious.

Is there anything else I could do to investigate?
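
Added example (not part of the original report, and not pfSense or FreeBSD code): a parser for the "cannot forward" lines quoted above that checks whether the non-zero second group of each logged fe80 source tracks the receiving interface. It assumes that group is an interface (zone) index held inside the address, the way KAME-derived IPv6 stacks store scoped addresses internally; the function names are hypothetical and the sample lines are constructed from the format on this page.

```python
import ipaddress
import re

# Field layout of the "cannot forward" kernel message quoted in the report.
LINE_RE = re.compile(
    r"cannot forward src (?P<src>[^,\s]+), dst (?P<dst>[^,\s]+), "
    r"nxt (?P<nxt>\d+), rcvif (?P<rcvif>\w+), outif (?P<outif>\w+)")
LINK_LOCAL = ipaddress.ip_network("fe80::/10")

def split_embedded_zone(text):
    """Return (address, zone); zone is None unless link-local with bytes 2-3 set."""
    # Assumption: a non-zero second 16-bit group is a zone index, not wire data.
    addr = ipaddress.IPv6Address(text)
    raw = bytearray(addr.packed)
    zone = int.from_bytes(raw[2:4], "big")
    if addr not in LINK_LOCAL or zone == 0:
        return str(addr), None
    raw[2:4] = b"\x00\x00"
    return str(ipaddress.IPv6Address(bytes(raw))), zone

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["nxt"] = int(rec["nxt"])
    for key in ("src", "dst"):
        try:
            rec[key], rec[key + "_zone"] = split_embedded_zone(rec[key])
        except ipaddress.AddressValueError:
            rec[key + "_zone"] = None  # redacted or malformed: keep raw text
    return rec

def zones_by_rcvif(text):
    """Map each receiving interface to the set of zone values seen on it."""
    seen = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["src_zone"] is not None:
            seen.setdefault(rec["rcvif"], set()).add(rec["src_zone"])
    return seen

# Constructed sample lines in the format shown on this page.
SAMPLE = """\
Aug 17 13:23:56 kernel cannot forward src fe80:5::1cce:5fff:fe02:61b6, dst 2001:db8:0:b00::24, nxt 58, rcvif hn0, outif hn1
Aug 17 13:24:01 kernel cannot forward src fe80:6::e479:0:0:3a14, dst 2001:db8:1::200a, nxt 58, rcvif hn1, outif hn0
Aug 17 13:24:05 kernel cannot forward src fe80::1, dst 2001:569:xxxx:b00::1, nxt 58, rcvif hn0, outif hn1
"""
```

If each receiving interface maps to exactly one zone value, as in the report (fe80:5 with rcvif hn0, fe80:6 with rcvif hn1), the number follows the interface rather than the sender.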
