I am trying to configure an Alpine host to use DHCPv6 to obtain an IPv6
address. I have performed this task before using OpenWrt and Fedora.
On Alpine, it appears that the IPv6 firewall (ip6tables) prevents router
advertisements from working. I use "dhclient -6 ..."
Although the host receives the correct IPv6 address, the host does not
update its routing table if the IPv6 firewall is active. There are two
strange clues related to this:
(1) The router advertisements do not work even with a permissive IPv6
firewall configuration (allow everything).
(2) The kernel does not seem to log any firewall rejections, i.e., the
"pkts" fields in the output from "ip6tables -v -L" contain all zeros.
Likewise, I do not see any IPv6 rejections in /var/log/...
Yet things work when I deactivate the firewall (/etc/init.d/ip6tables
stop) and restart networking. In this case, my host updates its routing
table.
I see ICMPv6 "router solicitation" messages in Wireshark when the IPv6
firewall is off, but they do not appear when it is on.
I have been troubleshooting this for a while. Does anyone have any ideas
about what might be causing this or what else I ought to look at?
--
Mike
:wq
Hi Mike,
do you have IPFORWARD disabled ("no") in /etc/conf.d/ip6tables? See
https://strugglers.net/~andy/blog/2011/09/04/linux-ipv6-router-advertisements-and-forwarding/.
BTW, I highly recommend replacing legacy ip(6)tables with its
successor, nftables. It has a much more expressive, structured
configuration format that supports e.g. variables and includes.
Moreover, the nftables package comes with a reasonable default set of
rules [1] and it’s prepared for modular configuration (i.e. you just
drop your rules into /etc/nftables.d/).
Jakub J.
[1]:
https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/nftables/nftables.nft
On 10/07/22 23:55, W. Michael Petullo wrote:
> I am trying to configure an Alpine host to use DHCPv6 to obtain an IPv6
> address. I have performed this task before using OpenWrt and Fedora.
>
> On Alpine, it appears that the IPv6 firewall (ip6tables) prevents router
> advertisements from working. I use "dhclient -6 ..."
>
> Although the host receives the correct IPv6 address, the host does not
> update its routing table if the IPv6 firewall is active. There are two
> strange clues related to this:
>
> (1) The router advertisements do not work even with a permissive IPv6
> firewall configuration (allow everything).
>
> (2) The kernel does not seem to log any firewall rejections, i.e., the
> "pkts" fields in the output from "ip6tables -v -L" contain all zeros.
> Likewise, I do not see any IPv6 rejections in /var/log/...
>
> Yet things work when I deactivate the firewall (/etc/init.d/ip6tables
> stop) and restart networking. In this case, my host updates its routing
> table.
>
> I see ICMPv6 "router solicitation" messages in Wireshark when the IPv6
> firewall is off, but they do not appear when it is on.
>
> I have been troubleshooting this for a while. Does anyone have any ideas
> about what might be causing this or what else I ought to look at?
>
>> I am trying to configure an Alpine host to use DHCPv6 to obtain an IPv6
>> address. I have performed this task before using OpenWrt and Fedora.
>>
>> On Alpine, it appears that the IPv6 firewall (ip6tables) prevents router
>> advertisements from working. I use "dhclient -6 ..."
[...]
> do you have IPFORWARD disabled ("no") in /etc/conf.d/ip6tables? See https://strugglers.net/~andy/blog/2011/09/04/linux-ipv6-router-advertisements-and-forwarding/.
Very interesting!
After some time spent reading the source code for ifupdown-ng, I elected
to remove dhclient and install dhcpcd. The latter can interact with DHCP
and DHCPv6 in the same process, and thus ifupdown-ng suddenly does the
right thing for IPv6. Using dhclient had required a "post-up" kludge in
/etc/network/interfaces. Using dhcpcd seems to simplify things.
Back to Jakub's suggestion: I am still investigating, but the router
advertisements now work even though the host has forwarding on. I am
not sure why this is the case, but I suspect the dhcpcd arrangement is
better at getting things set up before the firewall activates.
I hope to experiment tomorrow to reach a stronger conclusion. Until then,
I would appreciate any input as to why dhcpcd seems to have fixed things
without turning off forwarding.
--
Mike
:wq
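
Added example, not part of any message in this thread: a small shell check for the forwarding question raised above. It applies the rule from the kernel's ip-sysctl documentation (accept_ra=1 accepts router advertisements only while forwarding is off, accept_ra=2 accepts them regardless); the names ra_verdict and check_iface and the optional sysctl-root argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: report whether the kernel will process router
# advertisements (RAs) on an interface, based on its IPv6 sysctls.

# ra_verdict FORWARDING ACCEPT_RA [DISABLE_IPV6]
# Rule from the kernel's ip-sysctl documentation:
#   accept_ra=0  never accept RAs
#   accept_ra=1  accept RAs only while forwarding is disabled
#   accept_ra=2  accept RAs even with forwarding enabled
ra_verdict() {
    fwd=$1
    ra=$2
    off=${3:-0}
    if [ "$off" != 0 ]; then
        echo "ignored: IPv6 disabled"
        return 0
    fi
    case "$ra" in
        0) echo "ignored: accept_ra=0" ;;
        2) echo "accepted: accept_ra=2 overrides forwarding" ;;
        *) if [ "$fwd" = 0 ]; then
               echo "accepted: forwarding off"
           else
               echo "ignored: forwarding on and accept_ra=$ra"
           fi ;;
    esac
}

# check_iface IFACE [SYSCTL_ROOT]
# SYSCTL_ROOT defaults to /proc/sys; the parameter (hypothetical, for this
# example) lets the check run against a saved copy of the sysctl tree.
check_iface() {
    dir=${2:-/proc/sys}/net/ipv6/conf/$1
    [ -r "$dir/accept_ra" ] || { echo "$1: no IPv6 sysctls"; return 1; }
    printf '%s: ' "$1"
    ra_verdict "$(cat "$dir/forwarding")" "$(cat "$dir/accept_ra")" \
               "$(cat "$dir/disable_ipv6")"
}

# Usage: ./ra-check.sh eth0
if [ $# -gt 0 ]; then
    check_iface "$@"
fi
```

Running it once with the ip6tables service started and once with it stopped shows whether starting the firewall changes the forwarding value on the interface. If the verdict is "ignored: forwarding on and accept_ra=1", setting net.ipv6.conf.<interface>.accept_ra to 2 keeps forwarding enabled while still accepting router advertisements.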
> I hope to experiment tomorrow to reach a stronger conclusion. Until then,
> I would appreciate any input as to why dhcpcd seems to have fixed things
> without turning off forwarding.
Actually, there seem to be some issues with dhcpcd and IPv6.
In default situations where only IPv4 interfaces are declared in
/etc/network/interfaces, with no IPv6 stanzas:
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
auto wlan0
iface wlan0 inet dhcp
One can note IPv6 addresses are still being acquired, as "ip a" shows, and
IPv4 networking gets into trouble (lots of erratic interruptions,
particularly noticeable in streaming applications on wifi). It seems
like IPv6 (probably failing if not supported by router or something) takes
some precedence and keeps altering IPv4 networking.
Disabling IPv6:
sysctl -w net.ipv6.conf.eth0.disable_ipv6=1
sysctl -w net.ipv6.conf.wlan0.disable_ipv6=1
fixes the problem.
This might probably plead for some issues in default IPv6 routing
priorities & fallback.
One could also argue IPv6 addressing should not be started altogether
unless explicitly specified in /etc/network/interfaces stanzas [1].
Last, setup-interfaces could ask if IPv6 shall be enabled and set
relevant stanzas in /etc/network/interfaces accordingly.
Thoughts?
[1]
https://wiki.alpinelinux.org/wiki/Configure_Networking#IPv6_Stateless_Autoconfiguration