My provider gives me a full dual-stack IPv4/IPv6 connection and I prefer to use IPv6 whenever possible.
I use dhcpcd to manage network connections.
I've set up firewall rules based on nftables (simple stateful firewall, single machine).
# nft list ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        ct state invalid drop
        ip protocol icmp icmp type echo-request ct state new accept
        ip protocol udp ct state new jump UDP
        ip protocol tcp tcp flags & (fin | syn | rst | ack) == syn ct state new jump TCP
        ip protocol udp reject
        ip protocol tcp reject with tcp reset
        meta nfproto ipv4 counter packets 11 bytes 396 reject with icmp type prot-unreachable
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
    chain TCP {
        tcp dport 57152 accept
    }
    chain UDP {
        udp dport 57152 accept
    }
}
#
With those rules my network card does get IPv4 routes and an IPv4 address, but only an IPv6 address that starts with fe80:: (link-local address?).
When I disable nftables.service the card does get both IPv6 and IPv4 routes & addresses (log snippets at bottom).
It does look like my ruleset is blocking too much, but I have no clue what rules I should add to allow DHCPv6 traffic.
Please help.
---------------
With nftables.service enabled
$ journalctl -b -1 -t dhcpcd
-- Logs begin at Sun 2018-12-02 03:11:59 CET, end at Mon 2019-06-17 15:33:06 CEST. --
jun 17 11:51:20 silverbolt dhcpcd[798]: enp4s0: waiting for carrier
jun 17 11:51:23 silverbolt dhcpcd[798]: enp4s0: carrier acquired
jun 17 11:51:23 silverbolt dhcpcd[798]: DUID 00:04:ac:c2:85:70:83:86:00:00:00:00:00:00:00:00:00:00
jun 17 11:51:23 silverbolt dhcpcd[798]: enp4s0: IAID c2:ac:86:81
jun 17 11:51:23 silverbolt dhcpcd[798]: enp4s0: adding address fe80::34c2:e790:ed6:31ac
jun 17 11:51:23 silverbolt dhcpcd[798]: enp4s0: soliciting an IPv6 router
jun 17 11:51:23 silverbolt dhcpcd[798]: enp4s0: rebinding lease of 192.168.178.20
jun 17 11:51:27 silverbolt dhcpcd[798]: enp4s0: probing address 192.168.178.20/24
jun 17 11:51:32 silverbolt dhcpcd[798]: enp4s0: leased 192.168.178.20 for 864000 seconds
jun 17 11:51:32 silverbolt dhcpcd[798]: enp4s0: adding route to 192.168.178.0/24
jun 17 11:51:32 silverbolt dhcpcd[798]: enp4s0: adding default route via 192.168.178.1
jun 17 11:51:32 silverbolt dhcpcd[798]: forked to background, child pid 865
jun 17 11:51:37 silverbolt dhcpcd[865]: enp4s0: no IPv6 Routers available
jun 17 11:53:09 silverbolt dhcpcd[1081]: sending signal TERM to pid 865
jun 17 11:53:09 silverbolt dhcpcd[1081]: waiting for pid 865 to exit
jun 17 11:53:09 silverbolt dhcpcd[1081]: sending signal TERM to pid 865
jun 17 11:53:09 silverbolt dhcpcd[1081]: waiting for pid 865 to exit
jun 17 11:53:09 silverbolt dhcpcd[865]: received SIGTERM, stopping
jun 17 11:53:09 silverbolt dhcpcd[865]: enp4s0: removing interface
jun 17 11:53:09 silverbolt dhcpcd[865]: dhcpcd exited
$
Boot with nftables disabled
$ journalctl -b -t dhcpcd
-- Logs begin at Sun 2018-12-02 03:11:59 CET, end at Mon 2019-06-17 15:33:06 CEST. --
jun 17 11:53:45 silverbolt dhcpcd[792]: enp4s0: waiting for carrier
jun 17 11:53:48 silverbolt dhcpcd[792]: enp4s0: carrier acquired
jun 17 11:53:48 silverbolt dhcpcd[792]: DUID 00:04:ac:c2:85:70:83:86:00:00:00:00:00:00:00:00:00:00
jun 17 11:53:48 silverbolt dhcpcd[792]: enp4s0: IAID c2:ac:86:81
jun 17 11:53:48 silverbolt dhcpcd[792]: enp4s0: adding address fe80::34c2:e790:ed6:31ac
jun 17 11:53:48 silverbolt dhcpcd[792]: enp4s0: rebinding lease of 192.168.178.20
jun 17 11:53:49 silverbolt dhcpcd[792]: enp4s0: soliciting an IPv6 router
jun 17 11:53:49 silverbolt dhcpcd[792]: enp4s0: Router Advertisement from fe80::eadf:70ff:fea5:680e
jun 17 11:53:49 silverbolt dhcpcd[792]: enp4s0: adding address 2001:980:d230:1:6d4a:21f8:6a16:b621/64
jun 17 11:53:49 silverbolt dhcpcd[792]: enp4s0: adding route to 2001:980:d230:1::/64
jun 17 11:53:49 silverbolt dhcpcd[792]: enp4s0: adding default route via fe80::eadf:70ff:fea5:680e
jun 17 11:53:49 silverbolt dhcpcd[792]: enp4s0: soliciting a DHCPv6 lease
jun 17 11:53:50 silverbolt dhcpcd[792]: enp4s0: DHCPv6 REPLY: in stateless mode
jun 17 11:53:50 silverbolt dhcpcd[792]: enp4s0: DHCPv6 REPLY: in stateless mode
jun 17 11:53:51 silverbolt dhcpcd[792]: forked to background, child pid 850
jun 17 11:53:52 silverbolt dhcpcd[850]: enp4s0: probing address 192.168.178.20/24
jun 17 11:53:57 silverbolt dhcpcd[850]: enp4s0: leased 192.168.178.20 for 864000 seconds
jun 17 11:53:57 silverbolt dhcpcd[850]: enp4s0: adding route to 192.168.178.0/24
jun 17 11:53:57 silverbolt dhcpcd[850]: enp4s0: adding default route via 192.168.178.1
Last edited by Lone_Wolf (2019-06-24 11:09:05)
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
(A works at time B) && (time C > time B ) ≠ (A works at time C)
Try to allow 546/UDP.
macro_rules! yolo { { $($tokens:tt)* } => { unsafe { $($tokens)* } }; }
The "Simple stateful firewall" doesn't have rules that allow ICMPv6 traffic (and for ICMP it only allows the useless echo-request). Try adding the ICMPv6 rule from https://wiki.archlinux.org/index.php/Nf … 6_firewall .
No success with port 546, but the rule linked by nl6720 improves things.
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
The Ethernet network card now does get an IPv6 address.
The journal indicates IPv6 routes are added, but it seems they're deleted slightly later.
$ journalctl -b -t dhcpcd
-- Logs begin at Sun 2018-12-02 03:11:59 CET, end at Wed 2019-06-19 00:01:02 CEST. --
jun 18 23:41:44 silverbolt dhcpcd[782]: enp4s0: waiting for carrier
jun 18 23:41:47 silverbolt dhcpcd[782]: enp4s0: carrier acquired
jun 18 23:41:47 silverbolt dhcpcd[782]: DUID 00:04:ac:c2:85:70:83:86:00:00:00:00:00:00:00:00:00:00
jun 18 23:41:47 silverbolt dhcpcd[782]: enp4s0: IAID c2:ac:86:81
jun 18 23:41:47 silverbolt dhcpcd[782]: enp4s0: adding address fe80::34c2:e790:ed6:31ac
jun 18 23:41:47 silverbolt dhcpcd[782]: enp4s0: rebinding lease of 192.168.178.20
jun 18 23:41:47 silverbolt dhcpcd[782]: enp4s0: probing address 192.168.178.20/24
jun 18 23:41:48 silverbolt dhcpcd[782]: enp4s0: soliciting an IPv6 router
jun 18 23:41:49 silverbolt dhcpcd[782]: enp4s0: Router Advertisement from fe80::eadf:70ff:fea5:680e
jun 18 23:41:49 silverbolt dhcpcd[782]: enp4s0: adding address 2001:980:d230:1:6d4a:21f8:6a16:b621/64
jun 18 23:41:49 silverbolt dhcpcd[782]: enp4s0: adding route to 2001:980:d230:1::/64
jun 18 23:41:49 silverbolt dhcpcd[782]: enp4s0: adding default route via fe80::eadf:70ff:fea5:680e
jun 18 23:41:49 silverbolt dhcpcd[782]: enp4s0: soliciting a DHCPv6 lease
jun 18 23:41:50 silverbolt dhcpcd[782]: forked to background, child pid 844
jun 18 23:41:52 silverbolt dhcpcd[844]: enp4s0: leased 192.168.178.20 for 864000 seconds
jun 18 23:41:52 silverbolt dhcpcd[844]: enp4s0: adding route to 192.168.178.0/24
jun 18 23:41:52 silverbolt dhcpcd[844]: enp4s0: adding default route via 192.168.178.1
No idea why dhcpcd forks and overwrites already present routes.
Will try disabling dhcpcd services and see what happens when running dhcpcd manually.
Last edited by Lone_Wolf (2019-06-18 23:05:46)
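A revised version of the ruleset from the first post, added here as an example and not the thread's own configuration: it keeps the original rules and the port 57152 services, adds the ICMPv6 set nl6720 pointed to, accepts DHCPv6 replies on the client port 546 from the earlier suggestion, and switches the transport matches to `meta l4proto`, because `ip protocol` is an IPv4 header match, so every IPv6 TCP/UDP packet was falling through to the chain's drop policy. The link-local restriction on the DHCPv6 rule is an assumption based on servers answering from their link-local address on the same link.

```nft
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        ct state invalid drop
        # IPv4 ping, as in the original ruleset
        ip protocol icmp icmp type echo-request ct state new accept
        # ICMPv6 a host needs to stay reachable: NDP (router and neighbour
        # solicitation/advertisement), MLD and error messages such as
        # packet-too-big. Without nd-router-advert the interface never
        # gets past its fe80:: link-local address.
        ip6 nexthdr icmpv6 icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem, mld-listener-query, mld-listener-report,
            mld-listener-reduction, nd-router-solicit, nd-router-advert,
            nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit,
            ind-neighbor-advert, mld2-listener-report
        } accept
        # IPv6 ping on its own line so it can be dropped independently
        ip6 nexthdr icmpv6 icmpv6 type echo-request ct state new accept
        # DHCPv6 replies to the client port: the solicit goes to the
        # multicast group ff02::1:2 but the server answers from its own
        # link-local unicast address, so conntrack cannot pair the reply
        # with the outgoing packet; accept it only from link-local sources.
        ip6 saddr fe80::/10 udp dport 546 accept
        # meta l4proto matches the transport protocol for both IPv4 and
        # IPv6; the original "ip protocol" form matched IPv4 only.
        meta l4proto udp ct state new jump UDP
        meta l4proto tcp tcp flags & (fin | syn | rst | ack) == syn ct state new jump TCP
        meta l4proto udp reject
        meta l4proto tcp reject with tcp reset
        meta nfproto ipv4 reject with icmp type prot-unreachable
        # other IPv6 protocols fall through to the chain's drop policy
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
    chain TCP {
        tcp dport 57152 accept
    }
    chain UDP {
        udp dport 57152 accept
    }
}
```

Load it with `nft -f` on the file and confirm the result with `ip -6 addr` and `ip -6 route`, since plain `ip route` only lists the IPv4 table.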
I misinterpreted the output of dhcpcd and ip route.
I expected ip route to show all routes, but it only shows IPv4 routes.
To see IPv6 routes I need to explicitly ask for them: ip -6 route.
So dhcpcd didn't delete anything; there are 2 separate routing tables.
Thank you all for the help, marking as solved.
Last edited by Lone_Wolf (2019-06-24 11:09:49)