Bug #14692
Mangled link-local addresses are being logged
Status: open
Description
My system is logging discarded ping request messages from a link-local address, as is expected.
Here is an example of some of these messages:
Aug 17 13:23:56 kernel cannot forward src fe80:5::1cce:5fff:fe02:61b6, dst 2001:569:xxxx:b00:1:b3ff:fedd:9f24, nxt 58, rcvif hn0, outif hn1
Aug 17 13:23:52 kernel cannot forward src fe80:5::1cce:5fff:fe02:61b6, dst 2001:569:xxxx:b00:1:b3ff:fedd:9f24, nxt 58, rcvif hn0, outif hn1
Aug 17 13:23:48 kernel cannot forward src fe80:5::1cce:5fff:fe02:61b6, dst 2001:569:xxxx:b00:1:b3ff:fedd:9f24, nxt 58, rcvif hn0, outif hn1
Aug 17 13:09:03 kernel cannot forward src fe80:5::1cce:5fff:fe02:61b6, dst 2001:569:xxxx:b00:1:b3ff:fedd:9f24, nxt 58, rcvif hn0, outif hn1
Aug 17 13:08:59 kernel cannot forward src fe80:5::1cce:5fff:fe02:61b6, dst 2001:569:xxxx:b00:1:b3ff:fedd:9f24, nxt 58, rcvif hn0, outif hn1
Aug 17 13:08:55 kernel cannot forward src fe80:5::1cce:5fff:fe02:61b6, dst 2001:569:xxxx:b00:1:b3ff:fedd:9f24, nxt 58, rcvif hn0, outif hn1
Aug 17 12:17:16 kernel cannot forward src fe80:5::2a0:a50f:fc8a:6ea0, dst 2001:569:xxxxb00:1:b3ff:fedd:9f24, nxt 58, rcvif hn0, outif hn1
Aug 17 12:17:12 kernel cannot forward src fe80:5::2a0:a50f:fc8a:6ea0, dst 2001:569:xxxx:b00:1:b3ff:fedd:9f24, nxt 58, rcvif hn0, outif hn1
Aug 17 12:17:08 kernel cannot forward src fe80:5::2a0:a50f:fc8a:6ea0, dst 2001:569:xxxx:b00:1:b3ff:fedd:9f24, nxt 58, rcvif hn0, outif hn1
All of these messages begin with fe80:5, which is not a valid link-local address format. In order to see if these are the actual messages, I used Wireshark. I found that the addresses are being mangled. All of the actual addresses begin with fe80::, not fe80:5, so the addresses are being mangled.
ASIDE: I don't know what hosts or routers are the source of these messages. I will investigate that separately.
Updated by Daryl Morse over 1 year ago
I have no idea what host or router is responsible for the messages. Regardless of whether there is a reason for them to be sent, they are being mangled by FreeBSD or pfSense, which must be a bug.
Updated by Daryl Morse 7 days ago
Since the last update, the version of pfSense is now 2.7.2.
Previously, I had only seen the discarded messages being addressed to 2001:569:xxxx:b00:1:b3ff:fedd:9f24, which is a RIPE Atlas Probe that is connected to my LAN.
However, I have since noticed similar messages being addressed to other devices on my network. I don't have an example of such messages, but they are all similar, beginning with fe80:5, which is invalid.
I have also noticed outbound messages being discarded. Here are two examples:
cannot forward src fe80:6::e479:xxxx:xxxx:3a14, dst 2a03:2880:f201:c6:face:b00c:0:7260, nxt 58, rcvif hn1, outif hn0
cannot forward src fe80:6::e479:xxxx:xxxx:3a14, dst 2607:f8b0:400a:804::200a, nxt 58, rcvif hn1, outif hn0
Both of these messages are from a mobile phone. One appears to be related to WhatsApp and the other appears to be related to Google. (The phone is a Pixel.) Note that they both begin with fe80:6, which is invalid.
I don't have a Wireshark capture of any outgoing messages.
Normally, I would expect any message in the log to be there for a logical reason, but the reason for these messages is not obvious.
Is there anything else I could do to investigate?
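
An added example, not part of the original report and not pfSense or FreeBSD code: a normalizer for the "cannot forward" log lines above, so that logged source addresses can be matched against the addresses seen in a Wireshark capture. It assumes that a non-zero second group in a logged link-local address is a KAME-style embedded zone (interface) index, which is how FreeBSD's IPv6 stack stores link-local addresses internally; the function names and the 2001:db8:: addresses are constructed for illustration.

```python
import ipaddress
import re

# Matches the "cannot forward" kernel message format shown in the report.
LINE_RE = re.compile(
    r"cannot forward src (?P<src>\S+), dst (?P<dst>\S+), "
    r"nxt (?P<nxt>\d+), rcvif (?P<rcvif>\S+), outif (?P<outif>\S+)"
)
LINK_LOCAL = ipaddress.ip_network("fe80::/10")


def split_embedded_scope(text):
    """Return (on-wire address, zone index or None).

    Assumption: in a link-local address, a non-zero second 16-bit group is
    a KAME-style embedded zone index, not part of the address on the wire.
    """
    addr = ipaddress.IPv6Address(text)
    raw = bytearray(addr.packed)
    zone = int.from_bytes(raw[2:4], "big")
    if addr not in LINK_LOCAL or zone == 0:
        return str(addr), None
    raw[2:4] = b"\x00\x00"  # clear the embedded index to get the wire form
    return str(ipaddress.IPv6Address(bytes(raw))), zone


def normalize(line):
    """Parse one log line; return a dict, or None if it cannot be parsed."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    try:
        src, zone = split_embedded_scope(m["src"])
        dst, _ = split_embedded_scope(m["dst"])
    except ipaddress.AddressValueError:
        return None  # redacted or malformed address, e.g. "xxxx" groups
    return {"src": src, "zone": zone, "dst": dst, "nxt": int(m["nxt"]),
            "rcvif": m["rcvif"], "outif": m["outif"]}


# Constructed sample lines: the first source address is as logged in the
# report; all other addresses use the documentation prefix 2001:db8::/32.
SAMPLE = [
    "Aug 17 13:23:56 kernel cannot forward src fe80:5::1cce:5fff:fe02:61b6, dst 2001:db8::9f24, nxt 58, rcvif hn0, outif hn1",
    "Aug 17 13:24:01 kernel cannot forward src 2001:db8:1::10, dst 2001:db8:2::20, nxt 58, rcvif hn0, outif hn1",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(normalize(entry))
```

The recovered zone index can be compared with the index of the interface named in rcvif to check the assumption on a given system.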