* IPv6 nft vs ip6tables - Local incompatibility ?
@ 2019-10-30 17:04 Daniel Huhardeaux
2019-10-30 17:18 ` Florian Westphal
0 siblings, 1 reply; 3+ messages in thread
From: Daniel Huhardeaux @ 2019-10-30 17:04 UTC (permalink / raw)
To: netfilter
Hello,
I use nftables in a network where stations are under Ubuntu 18 or Debian
9/10.
IPv6 networks are:
2a01:YYY:ZZZ:10::9000/128
2a01:YYY:ZZZ:10::/64
ICMP rules on 2a01:YYY:ZZZ:10::4
chain output {
type filter hook output priority 0; policy drop;
oif "lo" accept
oif "lan" meta l4proto ipv6-icmp counter packets 0 bytes 0 accept
oif "lan" ct state established,related,new counter packets 0 bytes 0
accept
}
Pinging ipv6 addresses external to the network is working fine.
Pinging a local machine, doesn't matter in which lan, I get "ping
sendmsg: operation not permitted".
If I change policy to accept, I get
From 2a01:YYY:ZZZ:10::4 icmp_seq=1 Destination unreachable: Address
unreachable
If I switch to ip6tables
96 10892 ACCEPT icmpv6 lan * ::/0
2a01:729:16e:10::4
6 1008 ACCEPT icmpv6 lan * ::/0
::/0 ipv6-icmptype 134 HL match HL == 255
31 2232 ACCEPT icmpv6 lan * ::/0
::/0 ipv6-icmptype 135 HL match HL == 255
39 2496 ACCEPT icmpv6 lan * ::/0
::/0 ipv6-icmptype 136 HL match HL == 255
0 0 ACCEPT icmpv6 lan * ::/0
::/0 ipv6-icmptype 137 HL match HL == 255
I can ping machines from both lan.
Any clue ?
--
Daniel
TOOTAi Networks
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: IPv6 nft vs ip6tables - Local incompatibility ?
2019-10-30 17:04 IPv6 nft vs ip6tables - Local incompatibility ? Daniel Huhardeaux
@ 2019-10-30 17:18 ` Florian Westphal
2019-10-30 18:04 ` Daniel Huhardeaux
0 siblings, 1 reply; 3+ messages in thread
From: Florian Westphal @ 2019-10-30 17:18 UTC (permalink / raw)
To: Daniel Huhardeaux; +Cc: netfilter
Daniel Huhardeaux <tech@tootai.net> wrote:
> Hello,
>
> I use nftables in a network where stations are under Ubuntu 18 or Debian
> 9/10.
>
> IPv6 networks are:
> 2a01:YYY:ZZZ:10::9000/128
> 2a01:YYY:ZZZ:10::/64
>
> ICMP rules on 2a01:YYY:ZZZ:10::4
>
> chain output {
> type filter hook output priority 0; policy drop;
> oif "lo" accept
> oif "lan" meta l4proto ipv6-icmp counter packets 0 bytes 0 accept
> oif "lan" ct state established,related,new counter packets 0 bytes 0
> accept
> }
>
> Pinging ipv6 addresses external to the network is working fine.
>
> Pinging a local machine, doesn't matter in which lan, I get "ping sendmsg:
> operation not permitted".
>
> If I change policy to accept, I get
> From 2a01:YYY:ZZZ:10::4 icmp_seq=1 Destination unreachable: Address
> unreachable
>
> If I switch to ip6tables
>
> 96 10892 ACCEPT icmpv6 lan * ::/0 2a01:729:16e:10::4
> 6 1008 ACCEPT icmpv6 lan * ::/0 ::/0
> ipv6-icmptype 134 HL match HL == 255
> 31 2232 ACCEPT icmpv6 lan * ::/0 ::/0
> ipv6-icmptype 135 HL match HL == 255
> 39 2496 ACCEPT icmpv6 lan * ::/0 ::/0
> ipv6-icmptype 136 HL match HL == 255
> 0 0 ACCEPT icmpv6 lan * ::/0 ::/0
> ipv6-icmptype 137 HL match HL == 255
>
> I can ping machines from both lan.
>
> Any clue ?
It looks like nft ruleset tests output, whereas ip6tables checks
input...
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: IPv6 nft vs ip6tables - Local incompatibility ?
2019-10-30 17:18 ` Florian Westphal
@ 2019-10-30 18:04 ` Daniel Huhardeaux
0 siblings, 0 replies; 3+ messages in thread
From: Daniel Huhardeaux @ 2019-10-30 18:04 UTC (permalink / raw)
To: netfilter
Le 30/10/2019 à 18:18, Florian Westphal a écrit :
> Daniel Huhardeaux <tech@tootai.net> wrote:
>> Hello,
>>
>> I use nftables in a network where stations are under Ubuntu 18 or Debian
>> 9/10.
>>
>> IPv6 networks are:
>> 2a01:YYY:ZZZ:10::9000/128
>> 2a01:YYY:ZZZ:10::/64
>>
>> ICMP rules on 2a01:YYY:ZZZ:10::4
>>
>> chain output {
>> type filter hook output priority 0; policy drop;
>> oif "lo" accept
>> oif "lan" meta l4proto ipv6-icmp counter packets 0 bytes 0 accept
>> oif "lan" ct state established,related,new counter packets 0 bytes 0
>> accept
>> }
>>
>> Pinging ipv6 addresses external to the network is working fine.
>>
>> Pinging a local machine, doesn't matter in which lan, I get "ping sendmsg:
>> operation not permitted".
>>
>> If I change policy to accept, I get
>> From 2a01:YYY:ZZZ:10::4 icmp_seq=1 Destination unreachable: Address
>> unreachable
>>
>> If I switch to ip6tables
>>
>> 96 10892 ACCEPT icmpv6 lan * ::/0 2a01:729:16e:10::4
>> 6 1008 ACCEPT icmpv6 lan * ::/0 ::/0
>> ipv6-icmptype 134 HL match HL == 255
>> 31 2232 ACCEPT icmpv6 lan * ::/0 ::/0
>> ipv6-icmptype 135 HL match HL == 255
>> 39 2496 ACCEPT icmpv6 lan * ::/0 ::/0
>> ipv6-icmptype 136 HL match HL == 255
>> 0 0 ACCEPT icmpv6 lan * ::/0 ::/0
>> ipv6-icmptype 137 HL match HL == 255
>>
>> I can ping machines from both lan.
>>
>> Any clue ?
>
> It looks like nft ruleset tests output, whereas ip6tables checks
> input...
>
My bad, I paste the wrong output :(
Anyway, I found the problem: flushing ip6tables rules is not enough to
disable ip6tables, you have to unload modules too. All nftables machines
where rebooted and now all is good.
Thanks for your help
--
TOOTAi Networks
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2019-10-30 18:04 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-10-30 17:04 IPv6 nft vs ip6tables - Local incompatibility ? Daniel Huhardeaux
2019-10-30 17:18 ` Florian Westphal
2019-10-30 18:04 ` Daniel Huhardeaux
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.