Project

General

Profile

Actions

Bug #3395

closed

DHCPv6 client pass rules need to come before bogons

Added by Chris Buechler almost 11 years ago. Updated over 8 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
DHCP (IPv6)
Target version:
Start date:
01/14/2014
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.1-IPv6
Affected Architecture:

Description

8000::/1 is included in Cymru's v6 bogons list. That's sane, since it shouldn't be in the Internet routing table, but it breaks DHCPv6 clients as it blocks Advertise replies, which come from fe80 addresses. The best fix is probably moving the "allow dhcpv6 client" pass rules above the bogons block.

Actions #1

Updated by Renato Botelho almost 11 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions #3

Updated by Chris Buechler almost 11 years ago

  • Status changed from Feedback to Resolved

works

Actions #4

Updated by Paul K almost 10 years ago

I am experiencing this issue with v2.2. Rules look like this:

@51(1000001551) block drop in log quick on vmx0 from <bogons:3407> to any label "block bogon IPv4 networks from WAN" 
@52(1000001552) block drop in log quick on vmx0 from <bogonsv6:56131> to any label "block bogon IPv6 networks from WAN" 
@53(1000001561) pass in quick on vmx0 inet6 proto udp from fe80::/10 port = dhcpv6-client to fe80::/10 port = dhcpv6-client keep state label "allow dhcpv6 client in WAN" 
@54(1000001562) pass in quick on vmx0 proto udp from any port = dhcpv6-server to any port = dhcpv6-client keep state label "allow dhcpv6 client in WAN" 
@55(1000001563) pass out quick on vmx0 proto udp from any port = dhcpv6-client to any port = dhcpv6-server keep state label "allow dhcpv6 client out WAN" 

as you can see bogon rules are placed before dhcpv6 rules.

It seems like the fix for this bug was undone with commit 59c0272ec779cb917e5e1cabe779cc03bea7be47

Actions #5

Updated by Kill Bill almost 10 years ago

Yes, this yet again got broken.

Actions #6

Updated by Chris Buechler almost 10 years ago

  • Status changed from Resolved to Feedback
  • Target version changed from 2.1.1 to 2.2.1

Indeed. Fixed again, and added a comment that will hopefully prevent this from ever getting broken again.

Actions #7

Updated by Paul K almost 10 years ago

Tested the patch on v2.2. Rules are now appearing in the correct order and DHCPv6 messages are not getting blocked.

@51(1000000561) pass in quick on vmx0 inet6 proto udp from fe80::/10 port = dhcpv6-client to fe80::/10 port = dhcpv6-client keep state label "allow dhcpv6 client in WAN" 
@52(1000000562) pass in quick on vmx0 proto udp from any port = dhcpv6-server to any port = dhcpv6-client keep state label "allow dhcpv6 client in WAN" 
@53(1000000563) pass out quick on vmx0 proto udp from any port = dhcpv6-client to any port = dhcpv6-server keep state label "allow dhcpv6 client out WAN" 
@54(1000001561) block drop in log quick on vmx0 from <bogons:3407> to any label "block bogon IPv4 networks from WAN" 
@55(1000001562) block drop in log quick on vmx0 from <bogonsv6:56131> to any label "block bogon IPv6 networks from WAN

Thanks for fixing this again Chris.

Actions #8

Updated by Chris Buechler almost 10 years ago

  • Status changed from Feedback to Resolved

thanks for confirming.

Actions #9

Updated by John Hood over 8 years ago

This issue seems to have reappeared, though the separation of the rules involves suggests the exact cause might be different:

@62(11000) block drop in log quick on em1 from <bogonsv6:68342> to any label "block bogon IPv6 networks from LAN" 
  [ Skip steps: d=75 p=73 sp=73 da=73 dp=73 ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
@76(1000002651) pass quick on em1 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server" 
  [ Skip steps: i=82 d=80 f=82 p=82 sa=79 sp=81 dp=78 ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
@77(1000002652) pass quick on em1 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "allow access to DHCPv6 server" 
  [ Skip steps: i=82 d=80 f=82 p=82 sa=79 sp=81 da=79 ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
@78(1000002653) pass quick on em1 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "allow access to DHCPv6 server" 
  [ Skip steps: i=82 d=80 f=82 p=82 sp=81 dp=80 ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
@79(1000002654) pass quick on em1 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "allow access to DHCPv6 server" 
  [ Skip steps: i=82 f=82 p=82 sp=81 ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
@80(1000002655) pass in quick on em1 inet6 proto udp from fe80::/10 to 2001:470:8bf0:1::1 port = dhcpv6-client keep state label "allow access to DHCPv6 server" 
  [ Skip steps: i=82 f=82 p=82 ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
@81(1000002656) pass out quick on em1 inet6 proto udp from 2001:470:8bf0:1::1 port = dhcpv6-server to fe80::/10 keep state label "allow access to DHCPv6 server" 
  [ Skip steps: dp=90 ]
  [ queue: qname= qid=0 pqname= pqid=0 ]

This occurs on a system with DHCPv6 and "Block bogon networks" enabled on LAN0. Disabling bogons for the LAN interface causes DHCP6 to start working again.

I spent a while debugging this, at least I'm glad to know it's a well known problem :)

Actions #10

Updated by John Hood over 8 years ago

Oh, yes: 2.3-RELEASE amd64, originally installed with 2.2.1 or so and upgraded, and finally deployed after the upgrade.

Actions #11

Updated by Chris Buechler over 8 years ago

John Hood wrote:

This issue seems to have reappeared

No, this was DHCPv6 client, you're referring to server. Unrelated. There is a separate ticket for bogons and DHCPv4 which is the same as this effectively. There's no reason to block bogon sources on your LAN in most all cases, that's for Internet connections.

Actions

Also available in: Atom PDF