Hello,
I came across a problem using shorewall6 version 4.5.21.6. I think it
all boils down to "there are no broadcast addresses in IPv6".
For demonstration purposes, the network interface (a dummy device, just for
describing the problem) is configured like:
eth1: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state
UNKNOWN group default
link/ether 16:ac:09:2b:bc:42 brd ff:ff:ff:ff:ff:ff
inet6 2001:db8::/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::14ac:9ff:fe2b:bc42/64 scope link
valid_lft forever preferred_lft forever
The assigned address is 2001:db8::/64 which is a perfectly legal IPv6
address for a link. It is nothing special compared to 2001:db8::1/64.
Trivial shorewall6 configuration:
zones:
###############################################################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv6
interfaces:
###############################################################################
#ZONE INTERFACE OPTIONS
net eth1
policy:
###############################################################################
#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
# LEVEL BURST MASK
fw net ACCEPT
net fw REJECT info
all all REJECT info
Excerpt of created ip6tables rules:
Chain Broadcast (1 references)
 pkts bytes target prot opt in  out source  destination
    0     0 DROP   all  *   *   ::/0    2001:db8::
    0     0 DROP   all  *   *   ::/0    2001:db8::ffff:ffff:ff80/121
    0     0 DROP   all  *   *   ::/0    ff00::/8
First rule is wrong because 2001:db8:: is our address on the link which
is not a broadcast address nor is in any case special. Second rule looks
totally crude to me and I don't understand the purpose. Third rule is
multicast. Don't know how shorewall6 is designed to handle this because
it includes anycast addresses too. (These rules are repeated in the
"reject" chain.)
This issue results in the error that packets which should be rejected
and logged as stated in the policy file get simply dropped without logging.
Of course, if you change the address of the interface to 2001:db8::1/64
all seems to work ok, but the wrong rules are still present. Maybe the
whole idea of broadcasts should be dropped in shorewall6?
Michael Roth
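The following is an added example, not shorewall6 code and not part of the post above. It models the three destination matches of the quoted Broadcast chain for a given interface address and reports whether a packet from the net zone is silently dropped by that chain or reaches the logged REJECT of the net->fw policy, which is the logging gap the post describes. The names broadcast_chain, verdict and classify are my own. classify() reports what the IPv6 addressing rules themselves say about a destination within the subnet (multicast per RFC 4291, subnet-router anycast per RFC 4291 section 2.6.1, the reserved subnet anycast range per RFC 2526), assuming 64-bit interface identifiers, so each rule's target can be compared with those definitions.

```python
"""Model the ip6tables 'Broadcast' chain quoted in the post and show which
destinations it drops before the policy's logged REJECT can fire.
Added example, not shorewall6 code; uses the post's prefix 2001:db8::/64."""
import ipaddress

IID_BITS = 64  # assumption: 64-bit interface identifiers (RFC 4291)


def broadcast_chain(interface):
    """Reconstruct the three destination matches of the quoted Broadcast
    chain for an interface address such as '2001:db8::/64'."""
    net = ipaddress.IPv6Interface(interface).network
    prefix = int(net.network_address)
    return [
        # rule 1: the prefix with an all-zero interface ID, as a /128
        ipaddress.IPv6Network((prefix, 128)),
        # rule 2: prefix::ffff:ffff:ff80/121, exactly as printed in the post
        ipaddress.IPv6Network((prefix | 0xFFFF_FFFF_FF80, 121)),
        # rule 3: all multicast
        ipaddress.IPv6Network("ff00::/8"),
    ]


def verdict(dst, interface):
    """Fate of a packet to dst arriving from the net zone: a silent DROP in
    the Broadcast chain, or the policy's logged REJECT."""
    addr = ipaddress.IPv6Address(dst)
    for n, rule in enumerate(broadcast_chain(interface), 1):
        if addr in rule:
            return f"DROP (Broadcast chain rule {n}, not logged)"
    return "REJECT info (net->fw policy, logged)"


def classify(dst, interface):
    """What IPv6 itself says about dst relative to the interface's subnet:
    multicast (ff00::/8), subnet-router anycast (zero interface ID,
    RFC 4291 2.6.1), reserved subnet anycast (highest 128 interface IDs,
    RFC 2526, both the EUI-64 and non-EUI-64 forms), or plain unicast."""
    addr = ipaddress.IPv6Address(dst)
    net = ipaddress.IPv6Interface(interface).network
    if addr.is_multicast:
        return "multicast"
    if addr not in net:
        return "off-link unicast"
    iid = int(addr) & ((1 << IID_BITS) - 1)
    if iid == 0:
        return "subnet-router anycast"
    top57 = iid >> 7                      # all but the 7-bit anycast ID
    all_ones = (1 << 57) - 1
    # non-EUI-64 form: 57 ones; EUI-64 form: the same with the u/l bit
    # (bit 6 of the interface ID, bit 50 after the shift) cleared
    if top57 in (all_ones, all_ones ^ (1 << 50)):
        return "reserved subnet anycast"
    return "unicast"


if __name__ == "__main__":
    for iface in ("2001:db8::/64", "2001:db8::1/64"):
        host = str(ipaddress.IPv6Interface(iface).ip)
        print(iface, "->", verdict(host, iface), "|", classify(host, iface))
```

Run as a script, it prints the fate of traffic to the interface's own address for both the post's configuration and the 2001:db8::1/64 variant; the first is dropped by rule 1 without a log entry, the second falls through to the logged REJECT.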