Bruce S. Skinner
2013-Nov-11 02:00 UTC
shorewall6 ipv6 does not support BROADCAST matching
Gentlepeople,

Shorewall6 starts successfully, but during:

Compiling /usr/share/shorewall6/action.Broadcast for chain Broadcast...

the kernel issues the message:

xt_addrtype: ipv6 does not support BROADCAST matching

Distribution: Debian 7
kernel: 3.2.0
shorewall6 version: 4.5.5.3
shorewall config: /usr/share/doc/shorewall6/examples/two-interfaces

I didn't think there was any such thing as a broadcast address in ipv6,
just multicast and anycast addresses. Can someone shed some light on
what this all means?

The Broadcast chain looks like this.

Chain Broadcast (2 references)
 pkts bytes target  prot opt in   out  source    destination
    0     0 DROP    all      any  any  anywhere  2001:5c0:1505:f900::/128
    0     0 DROP    all      any  any  anywhere  2001:5c0:1505:f900:ffff:ffff:ffff:ff80/121
    0     0 DROP    all      any  any  anywhere  ff00::/8

Does this mean that datagrams addressed to:

  the subnet router anycast address (2001:5c0:1505:f900::/128),
  all other anycast addresses (2001:5c0:1505:f900:ffff:ffff:ffff:ff80/121),
  all multicast addresses (ff00::/8)

will be dropped? or not?

I'm not a Perl programmer, so be gentle with me, but
/usr/share/shorewall6/action.Broadcast references 3 destination types
BROADCAST, MULTICAST & ANYCAST. Am I correct in assuming that the 3 rules
in the above broadcast chain apply to just 2 of the destination types,
i.e. MULTICAST & ANYCAST?

regards :-)
BruceS

-- 
“Sixty years ago I knew everything; now I know nothing; education is a
progressive discovery of our own ignorance.” -- Will Durant

Bruce Skinner
Norstead Farm
1427 Prospect Rd.
Rockland NS B0P 1V0
CANADA
Tel: + 1 902 538 1765
Mobile: + 1 902 670 6456
<mailto:Bruce.Skinner@norsteadfarm.ca>
<xmpp:norsteadfarmer@jabber.org>
On 11/10/2013 6:00 PM, Bruce S. Skinner wrote:
> Gentlepeople,
>
> Shorewall6 starts successfully, but during:
> Compiling /usr/share/shorewall6/action.Broadcast for chain Broadcast...
>
> the kernel issues the message:
> xt_addrtype: ipv6 does not support BROADCAST matching

That message is the result of the Shorewall compiler probing your
ip6tables and kernel to determine what capabilities they support. As
indicated in the message, the 'addrtype match' capability is not available.

> Distribution: Debian 7
> kernel: 3.2.0
> shorewall6 version: 4.5.5.3
> shorewall config: /usr/share/doc/shorewall6/examples/two-interfaces
>
> I didn't think there was any such thing as a broadcast address in ipv6,
> just multicast and anycast addresses. Can someone shed some light on
> what this all means?

The Shorewall6 action.Broadcast file is a near clone of the one for ipv4
and therefore references broadcast.

> The Broadcast chain looks like this.
>
> Chain Broadcast (2 references)
>  pkts bytes target  prot opt in   out  source    destination
>     0     0 DROP    all      any  any  anywhere  2001:5c0:1505:f900::/128
>     0     0 DROP    all      any  any  anywhere  2001:5c0:1505:f900:ffff:ffff:ffff:ff80/121
>     0     0 DROP    all      any  any  anywhere  ff00::/8

Please never use the ip[6]tables command without the -n and the -V
options. Otherwise, the output is misleading and quite useless.

> Does this mean that datagrams addressed to:
>   the subnet router anycast address (2001:5c0:1505:f900::/128),
>   all other anycast addresses (2001:5c0:1505:f900:ffff:ffff:ffff:ff80/121),
>   all multicast addresses (ff00::/8)
> will be dropped? or not?

It does if they are sent through the Broadcast chain. That chain is
jumped to from the Drop and Reject default actions. It prevents:

a) Multicast/anycast packets will not be logged.
b) Multicast/anycast packets will not be handled using the REJECT target.

-Tom

-- 
Tom Eastep         \ When I die, I want to go like my Grandfather who
Shoreline,          \ died peacefully in his sleep. Not screaming like
Washington, USA      \ all of the passengers in his car
http://shorewall.net  \________________________________________________
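To make Tom's answer concrete, here is an added example (not Shorewall's code) that rebuilds the three destination matches of the quoted Broadcast chain for a given /64 and reports which DROP rule, if any, a destination would hit before the Drop/Reject default action gets a chance to log or REJECT it. It assumes the chain was generated for the prefix 2001:5c0:1505:f900::/64, inferred from the addresses in the chain; the sample destinations are constructed.

```python
import ipaddress

# Third rule of the chain: every IPv6 multicast address (RFC 4291).
MULTICAST = ipaddress.IPv6Network("ff00::/8")


def broadcast_chain_rules(prefix):
    """Return (name, network) pairs in the order the chain evaluates them."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("the chain shown in the thread is built for a /64")
    base = int(net.network_address)
    # Subnet-router anycast: the prefix with an all-zero interface ID
    # (RFC 4291 section 2.6.1).
    router_anycast = ipaddress.IPv6Network((base, 128))
    # Reserved subnet anycast block: the 128 highest interface IDs
    # (RFC 2526), i.e. <prefix>:ffff:ffff:ffff:ff80/121.
    reserved_anycast = ipaddress.IPv6Network((base | 0xFFFFFFFFFFFFFF80, 121))
    return [
        ("subnet-router anycast", router_anycast),
        ("reserved anycast", reserved_anycast),
        ("multicast", MULTICAST),
    ]


def matching_rule(dst, rules):
    """Name of the first DROP rule matching dst, or None when the packet
    falls through the chain and is handled by the calling default action."""
    addr = ipaddress.IPv6Address(dst)
    for name, network in rules:
        if addr in network:
            return name
    return None


def rule_strings(rules):
    """The destinations as ip6tables -n -v would print them."""
    return [str(network) for _, network in rules]


if __name__ == "__main__":
    rules = broadcast_chain_rules("2001:5c0:1505:f900::/64")
    print("\n".join(rule_strings(rules)))
    # Constructed sample destinations: router anycast, RFC 2526 home-agents
    # anycast, all-nodes multicast, and an ordinary unicast host.
    for dst in ("2001:5c0:1505:f900::", "2001:5c0:1505:f900:ffff:ffff:ffff:fffe",
                "ff02::1", "2001:5c0:1505:f900::1"):
        print(f"{dst:42} -> {matching_rule(dst, rules) or 'falls through'}")
```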
Bruce S. Skinner
2013-Nov-11 17:29 UTC
Re: shorewall6 ipv6 does not support BROADCAST matching
Thanks Tom, that clears up all the questions I had.

regards :-)
BruceS

Tom Eastep <teastep@shorewall.net> writes:
> On 11/10/2013 6:00 PM, Bruce S. Skinner wrote:
>> Gentlepeople,
>>
>> Shorewall6 starts successfully, but during:
>> Compiling /usr/share/shorewall6/action.Broadcast for chain Broadcast...
>>
>> the kernel issues the message:
>> xt_addrtype: ipv6 does not support BROADCAST matching
>
> That message is the result of the Shorewall compiler probing your
> ip6tables and kernel to determine what capabilities they support. As
> indicated in the message, the 'addrtype match' capability is not available.
>
>> Distribution: Debian 7
>> kernel: 3.2.0
>> shorewall6 version: 4.5.5.3
>> shorewall config: /usr/share/doc/shorewall6/examples/two-interfaces
>>
>> I didn't think there was any such thing as a broadcast address in ipv6,
>> just multicast and anycast addresses. Can someone shed some light on
>> what this all means?
>
> The Shorewall6 action.Broadcast file is a near clone of the one for ipv4
> and therefore references broadcast.
>
>> The Broadcast chain looks like this.
>>
>> Chain Broadcast (2 references)
>>  pkts bytes target  prot opt in   out  source    destination
>>     0     0 DROP    all      any  any  anywhere  2001:5c0:1505:f900::/128
>>     0     0 DROP    all      any  any  anywhere  2001:5c0:1505:f900:ffff:ffff:ffff:ff80/121
>>     0     0 DROP    all      any  any  anywhere  ff00::/8
>
> Please never use the ip[6]tables command without the -n and the -V
> options. Otherwise, the output is misleading and quite useless.
>
>> Does this mean that datagrams addressed to:
>>   the subnet router anycast address (2001:5c0:1505:f900::/128),
>>   all other anycast addresses (2001:5c0:1505:f900:ffff:ffff:ffff:ff80/121),
>>   all multicast addresses (ff00::/8)
>> will be dropped? or not?
>
> It does if they are sent through the Broadcast chain. That chain is
> jumped to from the Drop and Reject default actions. It prevents:
>
> a) Multicast/anycast packets will not be logged.
> b) Multicast/anycast packets will not be handled using the REJECT target.
>
> -Tom

-- 
“Sixty years ago I knew everything; now I know nothing; education is a
progressive discovery of our own ignorance.” -- Will Durant

Bruce Skinner
Norstead Farm
1427 Prospect Rd.
Rockland NS B0P 1V0
CANADA
Tel: + 1 902 538 1765
Mobile: + 1 902 670 6456
<mailto:Bruce.Skinner@norsteadfarm.ca>
<xmpp:norsteadfarmer@jabber.org>

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users