IPv6 Support

Printable View

Show 40 post(s) from this thread on one page

13-11-2009, 22:23
theMIROn

Quote:

Originally Posted by lly

May be kamil can consult us?

Hope so

Quote:

Originally Posted by lly

Moreover, I really aware moments below from Changelog:
Note: this could break deployments with some very old kernels, see more info at:
i.e. we should spend hours to find all such places due to our 2.4 kernel :(

Don't be afraid, we have the very fresh kernel. openwrt 2.4 uses it already, and there is notice about in changelog.
moreover i had to make same almost the changes for traceroute6 recently
13-11-2009, 23:21
wpte

I tried your file lly, but there isn't any sixtun coming up:(
maybe I should try make menuconf...
14-11-2009, 07:50
lly
Quote:

Originally Posted by wpte

I tried your file lly, but there isn't any sixtun coming up:(

Updated: seems to be my mistake - too hard week :( Right sequence for compile should be:
- cd src/gateway
- vi .config
- make oldconfig
- make
- make install
Updated2 13:26: More problems discovered:
1. ip6tables-save/ip6tables-restore missing - fixed in r802
2. "state" match missed in kernel for ipv6 - I need extra time to fix this
I'm going to hardcode following ipv6 firewall rules into rc:

Code:

# Disable processing of any RH0 packet ip6tables -A INPUT -m rt --rt-type 0 -j DROP ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP ip6tables -A FORWARD -m rt --rt-type 0 -j DROP ip6tables -A INPUT -t filter -i lo -j ACCEPT ip6tables -A OUTPUT -t filter -o lo -j ACCEPT ip6tables -A FORWARD -t filter -o lo -j ACCEPT ip6tables -A OUTPUT -o sixtun -j ACCEPT ip6tables -A OUTPUT -o br0 -j ACCEPT ip6tables -A INPUT -i br0 -j ACCEPT # Allow ICMP (conditional?) ip6tables -A INPUT -p icmpv6 -j ACCEPT ip6tables -A OUTPUT -p icmpv6 -j ACCEPT ip6tables -A FORWARD -p icmpv6 -j ACCEPT # Allow Link-Local addresses ip6tables -A INPUT -s fe80::/10 -j ACCEPT ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT # Allow multicast ip6tables -A INPUT -s ff00::/8 -j ACCEPT ip6tables -A OUTPUT -s ff00::/8 -j ACCEPT

kamil - is it OK for the first step?
14-11-2009, 12:32
kamil

Quote:

Originally Posted by lly

I'm going to hardcode following ipv6 firewall rules into rc:

Code:

# Disable processing of any RH0 packet ip6tables -A INPUT -m rt --rt-type 0 -j DROP ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP ip6tables -A FORWARD -m rt --rt-type 0 -j DROP ip6tables -A INPUT -t filter -i lo -j ACCEPT ip6tables -A OUTPUT -t filter -o lo -j ACCEPT ip6tables -A FORWARD -t filter -o lo -j ACCEPT ip6tables -A OUTPUT -o sixtun -j ACCEPT ip6tables -A OUTPUT -o br0 -j ACCEPT ip6tables -A INPUT -i br0 -j ACCEPT # Allow ICMP (conditional?) ip6tables -A INPUT -p icmpv6 -j ACCEPT ip6tables -A OUTPUT -p icmpv6 -j ACCEPT ip6tables -A FORWARD -p icmpv6 -j ACCEPT # Allow Link-Local addresses ip6tables -A INPUT -s fe80::/10 -j ACCEPT ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT # Allow multicast ip6tables -A INPUT -s ff00::/8 -j ACCEPT ip6tables -A OUTPUT -s ff00::/8 -j ACCEPT

kamil - is it OK for the first step?

yes, but i not see default policy:)

ps: scripts i'm tested in VirtualBox and iso rescuecd - http://rescuecd.pld-linux.org/downlo...RCDx86_297.iso :)
14-11-2009, 12:35
kamil

Quote:

Originally Posted by theMIROn

btw, shipped radvd is quite old - 0.7.3, here's the changelog up to the last 1.5
http://cvs.litech.org/viewcvs/radvd/CHANGES?view=markup
size comparsion:
radvd-0.7.3 58Kb, ~20Kb inside FW
radvd-1.5 91Kb, ~28Kb inside FW
Is it worth to?

radvd-0.7.x great works on my ASUS wl500g, but...
0.7.x - 2005
1.5.x - 2009
4 year:)
14-11-2009, 12:52
theMIROn

Quote:

Originally Posted by kamil

radvd-0.7.x great works on my ASUS wl500g, but...
0.7.x - 2005
1.5.x - 2009
4 year:)

I'm afraid that build date shouldn't be the main reason to update
14-11-2009, 13:11
lly

Quote:

Originally Posted by kamil

yes, but i not see default policy:)

default policy will be ACCEPT, for tests period at least. As I can understand - your sample firewall script not from Oleg's 1.9.2.7-10 (which based on 2.4 kernel too), isn't it?

Bad news - kernel 2.4.X don't support ipv6 connection tracking(ip6_conntrack) at all. And nobody done backport from 2.6 line :(

Also, I can't find ipv6 TCPMSS module for 2.4 ...

About radvd - many software developers increase versions too rapid, without real core functionality change, especially commercial software. So, I don't want to repair new bugs in new version due to incompatibility with our obsolete 2.4 kernel.
14-11-2009, 13:12
wpte

Quote:

Originally Posted by kamil

yes, but i not see default policy:)

default policy is always accept

or lly can add something like this into the beginning:

Quote:

POLICY="DROP"
ip6tables -P OUTPUT $POLICY
ip6tables -P INPUT $POLICY
ip6tables -P FORWARD $POLICY

I'm not sure how drop will work out, I always had bad luck with it, meaning that the tunnel was blocked:p
14-11-2009, 13:17
wpte

Quote:

Originally Posted by lly

Bad news - kernel 2.4.X don't support ipv6 connection tracking(ip6_conntrack) at all. And nobody done backport from 2.6 line :(

http://www.linux-ipv6.org/ml/usagi-users/msg02587.html

Quote:

But ip6_conntrack is highly independent, so I think it isn't difficult
to port it to Linux 2.4. Please try below.

maybe when there is more time we can give it a shot?:p
14-11-2009, 13:32
theMIROn

Quote:

Originally Posted by lly

"state" match missed in kernel for ipv6 - I need extra time to fix this

the onlly way is to backport it from 2.6. btw, we could even merge ipv4 and ipv6 modules/extensions to save space, like it was done in mainstream
14-11-2009, 13:36
lly

Quote:

Originally Posted by wpte

http://www.linux-ipv6.org/ml/usagi-users/msg02587.html
maybe when there is more time we can give it a shot?:p

I found this link. It is real task, but since nobody done it, seems to be it is not so easy.
Unfortunately, I haven't enough time to do this backport. We will be happy if someone send us patches against 2.4.3x.

What your opinion about significance of TCPMSS for ipv6?
14-11-2009, 16:36
theMIROn

Just set up ipv6 tunnel via http://tunnelbroker.net, works fine
http://ipv6.he.net/certification/cre...eMIROn&badge=3

btw, do we need following (for the first approach without detailed ifs names)?

iptables -I FORWARD -p ipv6 (-i/o sixtun/br0) - j ACCEPT
iptables -t nat -I POSTROUTING -p ! ipv6 ... -j MASQUERADE
14-11-2009, 16:41
kamil

Quote:

Originally Posted by lly

default policy will be ACCEPT, for tests period at least. As I can understand - your sample firewall script not from Oleg's 1.9.2.7-10 (which based on 2.4 kernel too), isn't it?
...

Oleg's 1.9.2.7-10 don't have ip6tables :)

My scripts write in other routers where base system is linux with kernel 2.6.x :)

Oleg's soft is poor support ipv6 (no mtr6, traceroute6, ip6tables)... but basic support have (ping6, firmaware 1.9.2.7-10 compiled with ipv6)... - i can't create scripts where base system not full support ipv6 (Oleg's firmware) :)
14-11-2009, 18:45
lly

Quote:

Originally Posted by theMIROn

btw, do we need following (for the first approach without detailed ifs names)?

iptables -t nat -I POSTROUTING -p ! ipv6 ... -j MASQUERADE

nat is absent for IPv6 :)

Quote:

Originally Posted by kamil

My scripts write in other routers where base system is linux with kernel 2.6.x :)

You are happy man :)
One more question - have you ever use TCPMSS for IPv6?
14-11-2009, 18:50
theMIROn

Quote:

Originally Posted by lly

nat is absent for IPv6 :)

yep, it's abs useless for that, in case or routed ipv6 range

Show 40 post(s) from this thread on one page