My provider gives me a full dual-stack ipv4 / ipv6 connection and I prefer to use IPv6 whenever possible.
I use dhcpcd to manage network connections.
I've set up firewall rules based on nftables - simple stateful firewall - single machine.
# nft list ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        ct state invalid drop
        ip protocol icmp icmp type echo-request ct state new accept
        ip protocol udp ct state new jump UDP
        ip protocol tcp tcp flags & (fin | syn | rst | ack) == syn ct state new jump TCP
        ip protocol udp reject
        ip protocol tcp reject with tcp reset
        meta nfproto ipv4 counter packets 11 bytes 396 reject with icmp type prot-unreachable
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
    chain TCP {
        tcp dport 57152 accept
    }
    chain UDP {
        udp dport 57152 accept
    }
}
#
With those rules my network card does get IPv4 routes and an IPv4 address, but only an ipv6 address that starts with fe80:: (link local address?).
When I disable nftables.service the card does get both ipv6 and ipv4 routes & addresses (Log snippets at bottom).
It does look like my ruleset is blocking too much, but I have no clue what rules I should add to allow dhcpv6 traffic.
Please help.
---------------
with nftables.service enabled
$ journalctl -b -1 -t dhcpcd
-- Logs begin at Sun 2018-12-02 03:11:59 CET, end at Mon 2019-06-17 15:33:06 CEST. --
jun 17 11:51:20 silverbolt dhcpcd[798]: enp4s0: waiting for carrier
jun 17 11:51:23 silverbolt dhcpcd[798]: enp4s0: carrier acquired
jun 17 11:51:23 silverbolt dhcpcd[798]: DUID 00:04:ac:c2:85:70:83:86:00:00:00:00:00:00:00:00:00:00
jun 17 11:51:23 silverbolt dhcpcd[798]: enp4s0: IAID c2:ac:86:81
jun 17 11:51:23 silverbolt dhcpcd[798]: enp4s0: adding address fe80::34c2:e790:ed6:31ac
jun 17 11:51:23 silverbolt dhcpcd[798]: enp4s0: soliciting an IPv6 router
jun 17 11:51:23 silverbolt dhcpcd[798]: enp4s0: rebinding lease of 192.168.178.20
jun 17 11:51:27 silverbolt dhcpcd[798]: enp4s0: probing address 192.168.178.20/24
jun 17 11:51:32 silverbolt dhcpcd[798]: enp4s0: leased 192.168.178.20 for 864000 seconds
jun 17 11:51:32 silverbolt dhcpcd[798]: enp4s0: adding route to 192.168.178.0/24
jun 17 11:51:32 silverbolt dhcpcd[798]: enp4s0: adding default route via 192.168.178.1
jun 17 11:51:32 silverbolt dhcpcd[798]: forked to background, child pid 865
jun 17 11:51:37 silverbolt dhcpcd[865]: enp4s0: no IPv6 Routers available
jun 17 11:53:09 silverbolt dhcpcd[1081]: sending signal TERM to pid 865
jun 17 11:53:09 silverbolt dhcpcd[1081]: waiting for pid 865 to exit
jun 17 11:53:09 silverbolt dhcpcd[1081]: sending signal TERM to pid 865
jun 17 11:53:09 silverbolt dhcpcd[1081]: waiting for pid 865 to exit
jun 17 11:53:09 silverbolt dhcpcd[865]: received SIGTERM, stopping
jun 17 11:53:09 silverbolt dhcpcd[865]: enp4s0: removing interface
jun 17 11:53:09 silverbolt dhcpcd[865]: dhcpcd exited
$
boot with nftables disabled
$ journalctl -b -t dhcpcd
-- Logs begin at Sun 2018-12-02 03:11:59 CET, end at Mon 2019-06-17 15:33:06 CEST. --
jun 17 11:53:45 silverbolt dhcpcd[792]: enp4s0: waiting for carrier
jun 17 11:53:48 silverbolt dhcpcd[792]: enp4s0: carrier acquired
jun 17 11:53:48 silverbolt dhcpcd[792]: DUID 00:04:ac:c2:85:70:83:86:00:00:00:00:00:00:00:00:00:00
jun 17 11:53:48 silverbolt dhcpcd[792]: enp4s0: IAID c2:ac:86:81
jun 17 11:53:48 silverbolt dhcpcd[792]: enp4s0: adding address fe80::34c2:e790:ed6:31ac
jun 17 11:53:48 silverbolt dhcpcd[792]: enp4s0: rebinding lease of 192.168.178.20
jun 17 11:53:49 silverbolt dhcpcd[792]: enp4s0: soliciting an IPv6 router
jun 17 11:53:49 silverbolt dhcpcd[792]: enp4s0: Router Advertisement from fe80::eadf:70ff:fea5:680e
jun 17 11:53:49 silverbolt dhcpcd[792]: enp4s0: adding address 2001:980:d230:1:6d4a:21f8:6a16:b621/64
jun 17 11:53:49 silverbolt dhcpcd[792]: enp4s0: adding route to 2001:980:d230:1::/64
jun 17 11:53:49 silverbolt dhcpcd[792]: enp4s0: adding default route via fe80::eadf:70ff:fea5:680e
jun 17 11:53:49 silverbolt dhcpcd[792]: enp4s0: soliciting a DHCPv6 lease
jun 17 11:53:50 silverbolt dhcpcd[792]: enp4s0: DHCPv6 REPLY: in stateless mode
jun 17 11:53:50 silverbolt dhcpcd[792]: enp4s0: DHCPv6 REPLY: in stateless mode
jun 17 11:53:51 silverbolt dhcpcd[792]: forked to background, child pid 850
jun 17 11:53:52 silverbolt dhcpcd[850]: enp4s0: probing address 192.168.178.20/24
jun 17 11:53:57 silverbolt dhcpcd[850]: enp4s0: leased 192.168.178.20 for 864000 seconds
jun 17 11:53:57 silverbolt dhcpcd[850]: enp4s0: adding route to 192.168.178.0/24
jun 17 11:53:57 silverbolt dhcpcd[850]: enp4s0: adding default route via 192.168.178.1
Last edited by Lone_Wolf (2019-06-24 11:09:05)
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
clean chroot building not flexible enough ?
Try clean chroot manager by graysky
Offline
Try to allow 546/UDP.
Inofficial first vice president of the Rust Evangelism Strike Force
Offline
The "Simple stateful firewall" doesn't have rules that allow ICMPv6 traffic (and for ICMP it only allows the useless echo-request). Try adding the ICMPv6 rule from https://wiki.archlinux.org/index.php/Nf … 6_firewall .
Offline
No success with port 546, but the rule linked by nl6720 improves things.
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
The ethernet network card now does get an ipv6 address.
The journal indicates ipv6 routes are added, but it seems they're deleted slightly later.
$ journalctl -b -t dhcpcd
-- Logs begin at Sun 2018-12-02 03:11:59 CET, end at Wed 2019-06-19 00:01:02 CEST. --
jun 18 23:41:44 silverbolt dhcpcd[782]: enp4s0: waiting for carrier
jun 18 23:41:47 silverbolt dhcpcd[782]: enp4s0: carrier acquired
jun 18 23:41:47 silverbolt dhcpcd[782]: DUID 00:04:ac:c2:85:70:83:86:00:00:00:00:00:00:00:00:00:00
jun 18 23:41:47 silverbolt dhcpcd[782]: enp4s0: IAID c2:ac:86:81
jun 18 23:41:47 silverbolt dhcpcd[782]: enp4s0: adding address fe80::34c2:e790:ed6:31ac
jun 18 23:41:47 silverbolt dhcpcd[782]: enp4s0: rebinding lease of 192.168.178.20
jun 18 23:41:47 silverbolt dhcpcd[782]: enp4s0: probing address 192.168.178.20/24
jun 18 23:41:48 silverbolt dhcpcd[782]: enp4s0: soliciting an IPv6 router
jun 18 23:41:49 silverbolt dhcpcd[782]: enp4s0: Router Advertisement from fe80::eadf:70ff:fea5:680e
jun 18 23:41:49 silverbolt dhcpcd[782]: enp4s0: adding address 2001:980:d230:1:6d4a:21f8:6a16:b621/64
jun 18 23:41:49 silverbolt dhcpcd[782]: enp4s0: adding route to 2001:980:d230:1::/64
jun 18 23:41:49 silverbolt dhcpcd[782]: enp4s0: adding default route via fe80::eadf:70ff:fea5:680e
jun 18 23:41:49 silverbolt dhcpcd[782]: enp4s0: soliciting a DHCPv6 lease
jun 18 23:41:50 silverbolt dhcpcd[782]: forked to background, child pid 844
jun 18 23:41:52 silverbolt dhcpcd[844]: enp4s0: leased 192.168.178.20 for 864000 seconds
jun 18 23:41:52 silverbolt dhcpcd[844]: enp4s0: adding route to 192.168.178.0/24
jun 18 23:41:52 silverbolt dhcpcd[844]: enp4s0: adding default route via 192.168.178.1
No idea why dhcpcd forks and overwrites already present routes.
Will try disabling dhcpcd services and see what happens when running dhcpcd manually.
Last edited by Lone_Wolf (2019-06-18 23:05:46)
Offline
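The gap discussed in the posts above can be checked mechanically. This is an added example, not part of the original posts: it scans `nft list ruleset` text for the ICMPv6 neighbor discovery types a host needs to autoconfigure an address. The function names (`missing_nd_types`, `ruleset_before`, `ruleset_after`) are hypothetical, and the check is a plain text match that does not evaluate rule order.

```shell
#!/bin/sh
# Added example: check `nft list ruleset` text for the ICMPv6 types SLAAC needs.
# Text match only; it does not evaluate rule order or earlier drops.

# A host must receive these to learn a prefix and default route and to
# resolve or defend addresses (router advert, neighbor solicit/advert).
REQUIRED_ND="nd-router-advert nd-neighbor-solicit nd-neighbor-advert"

# Reads a ruleset on stdin, prints each required type no accept rule names.
missing_nd_types() {
    allowed=$(awk '
        # Blanket rule such as "ip6 nexthdr icmpv6 accept" allows every type.
        /(icmpv6|ipv6-icmp) +accept/ { print "ALL" }
        /icmpv6 type/ && /accept/ {
            gsub(/[{},]/, " ")          # strip set punctuation, re-split fields
            for (i = 1; i <= NF; i++) print $i
        }')
    if printf '%s\n' "$allowed" | grep -qx ALL; then return 0; fi
    for t in $REQUIRED_ND; do
        # -x: whole-token match, so ind-neighbor-solicit does not count
        printf '%s\n' "$allowed" | grep -qx -- "$t" || printf '%s\n' "$t"
    done
}

# Input chain rules from the first post (IPv4-only matches, policy drop).
ruleset_before() { cat <<'EOF'
type filter hook input priority 0; policy drop;
ct state established,related accept
iif "lo" accept
ct state invalid drop
ip protocol icmp icmp type echo-request ct state new accept
ip protocol udp ct state new jump UDP
ip protocol tcp tcp flags & (fin | syn | rst | ack) == syn ct state new jump TCP
EOF
}

# Same chain with the ICMPv6 rule quoted later in the thread appended.
ruleset_after() { ruleset_before; cat <<'EOF'
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
EOF
}

echo "missing before: $(ruleset_before | missing_nd_types | tr '\n' ' ')"
echo "missing after:  $(ruleset_after | missing_nd_types | tr '\n' ' ')"
```

On a live system the same function can read the loaded rules with `nft list ruleset | missing_nd_types`, run as root.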
I misinterpreted the output of dhcpcd and ip route.
I expected ip route to show all routes, but it only shows ipv4 routes.
To see ipv6 routes I need to explicitly ask for them: ip -6 route.
So dhcpcd didn't delete anything, there are 2 separate routing tables.
Thank you all for the help, marking as solved.
Last edited by Lone_Wolf (2019-06-24 11:09:49)
Offline