Discussion:
[Shorewall-users] shorewall6 ipv6 does not support BROADCAST matching
Bruce S. Skinner
2013-11-11 02:00:06 UTC
Gentlepeople,

Shorewall6 starts successfully, but during:
Compiling /usr/share/shorewall6/action.Broadcast for chain Broadcast...

the kernel issues the message:
xt_addrtype: ipv6 does not support BROADCAST matching

Distribution: Debian 7
kernel: 3.2.0
shorewall6 version: 4.5.5.3
shorewall config: /usr/share/doc/shorewall6/examples/two-interfaces

I didn't think there was any such thing as a broadcast address in ipv6,
just multicast and anycast addresses. Can someone shed some light on
what this all means?

The Broadcast chain looks like this.

Chain Broadcast (2 references)
 pkts bytes target  prot opt in   out  source    destination
    0     0 DROP    all      any  any  anywhere  2001:5c0:1505:f900::/128
    0     0 DROP    all      any  any  anywhere  2001:5c0:1505:f900:ffff:ffff:ffff:ff80/121
    0     0 DROP    all      any  any  anywhere  ff00::/8

Does this mean that datagrams addressed to:
the subnet router anycast address (2001:5c0:1505:f900::/128),
all other anycast addresses (2001:5c0:1505:f900:ffff:ffff:ffff:ff80/121),
all multicast addresses (ff00::/8)
will be dropped? or not?

I'm not a Perl programmer, so be gentle with me, but
/usr/share/shorewall6/action.Broadcast references 3 destination types
BROADCAST, MULTICAST & ANYCAST. Am I correct in assuming that the 3
rules in the above broadcast chain apply to just 2 of the destination
types i.e. MULTICAST & ANYCAST?
Tom Eastep
2013-11-11 15:55:03 UTC
Post by Bruce S. Skinner
Gentlepeople,
Compiling /usr/share/shorewall6/action.Broadcast for chain Broadcast...
xt_addrtype: ipv6 does not support BROADCAST matching
That message is the result of the Shorewall compiler probing your
ip6tables and kernel to determine what capabilities they support. As
indicated in the message, the 'addrtype match' capability is not available.
Post by Bruce S. Skinner
Distribution: Debian 7
kernel: 3.2.0
shorewall6 version: 4.5.5.3
shorewall config: /usr/share/doc/shorewall6/examples/two-interfaces
I didn't think there was any such thing as a broadcast address in ipv6,
just multicast and anycast addresses. Can someone shed some light on
what this all means?
The Shorewall6 action.Broadcast file is a near clone of the one for ipv4
and therefore references broadcast.
Post by Bruce S. Skinner
The Broadcast chain looks like this.
Chain Broadcast (2 references)
 pkts bytes target  prot opt in   out  source    destination
    0     0 DROP    all      any  any  anywhere  2001:5c0:1505:f900::/128
    0     0 DROP    all      any  any  anywhere  2001:5c0:1505:f900:ffff:ffff:ffff:ff80/121
    0     0 DROP    all      any  any  anywhere  ff00::/8
Please never use the ip[6]tables command without the -n and the -V
options. Otherwise, the output is misleading and quite useless.
Post by Bruce S. Skinner
the subnet router anycast address (2001:5c0:1505:f900::/128),
all other anycast addresses (2001:5c0:1505:f900:ffff:ffff:ffff:ff80/121),
all multicast addresses (ff00::/8)
will be dropped? or not?
It does if they are sent through the Broadcast chain. That chain is
jumped to from the Drop and Reject default actions. It prevents:

a) Multicast/anycast packets will not be logged.
b) Multicast/anycast packets will not be handled using the REJECT target.

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
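
The three DROP destinations in the Broadcast chain listing above follow from the interface's /64 prefix. The sketch below is an added illustration, not Shorewall's own code (which is Perl): it derives the three networks for a subnet and reports which rule, if any, a destination address would hit. The function names and the sample addresses are constructed for this example.

```python
import ipaddress

# All IPv6 multicast addresses (the ff00::/8 rule in the listing).
MULTICAST = ipaddress.ip_network("ff00::/8")

def broadcast_chain_nets(subnet):
    """Return the three destination networks for one on-link /64 subnet."""
    net = ipaddress.ip_network(subnet)
    if net.version != 6 or net.prefixlen != 64:
        raise ValueError("expected an IPv6 /64 subnet")
    base = int(net.network_address)
    # Subnet-router anycast: the prefix with an all-zero interface ID.
    router_anycast = ipaddress.ip_network((base, 128))
    # Highest 128 interface IDs of the subnet (the .../ff80/121 rule).
    reserved_anycast = ipaddress.ip_network((base | 0xFFFFFFFFFFFFFF80, 121))
    return [router_anycast, reserved_anycast, MULTICAST]

def matched_rule(dst, subnet):
    """Return the first network that matches dst, or None if it falls through."""
    addr = ipaddress.ip_address(dst)
    for net in broadcast_chain_nets(subnet):
        if addr in net:
            return str(net)
    return None

if __name__ == "__main__":
    subnet = "2001:5c0:1505:f900::/64"  # prefix taken from the listing
    samples = [  # constructed destination addresses
        "2001:5c0:1505:f900::",                     # subnet-router anycast
        "2001:5c0:1505:f900:ffff:ffff:ffff:fffe",   # inside the /121 range
        "2001:5c0:1505:f900:ffff:ffff:ffff:ff7f",   # just below the /121 range
        "ff02::1",                                  # all-nodes multicast
        "2001:5c0:1505:f900::1",                    # ordinary unicast host
    ]
    for dst in samples:
        hit = matched_rule(dst, subnet)
        print(f"{dst:42} -> {'DROP via ' + hit if hit else 'not matched'}")
```
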
Bruce S. Skinner
2013-11-11 17:29:59 UTC
Thanks Tom, that clears up all the questions I had.

regards :-)
BruceS
--
“Sixty years ago I knew everything; now I know nothing; education is a
progressive discovery of our own ignorance.” -- Will Durant

Bruce Skinner
Norstead Farm
1427 Prospect Rd.
Rockland NS
B0P 1V0
CANADA

Tel: + 1 902 538 1765
Mobile: + 1 902 670 6456
<mailto:***@norsteadfarm.ca>
<xmpp:***@jabber.org>

-- For "Big Brother" like (i.e. NSA, CSE, GCHQ) automata:
Rubin John Kerry kilo class Aldergrove World Trade Center Kennedy wire
transfer SAPO Ruby Ridge Cohiba Commecen EuroFed spies Merlin GCHQ