OpenWrt/LEDE Project

  • Status Waiting on reporter
  • Percent Complete 0%
  • Task Type Bug Report
  • Category Base system
  • Assigned To No-one
  • Operating System All
  • Severity High
  • Priority Very Low
  • Reported Version lede-17.01
  • Due in Version Undecided
  • Due Date Undecided
Attached to Project: OpenWrt/LEDE Project
Opened by cypa - 24.10.2017

FS#1111 - I have fresh install on WR740N and I discovered ip6tables setup is empty

Supply the following if possible:
- Device problem occurs on — is TP-link WR740N
- Software versions of LEDE release, packages, etc. — base image no additional packages
- Steps to reproduce:

I have a fresh install on WR740N and I discovered the ip6tables setup is empty ("ip6tables --list -nv" shows everything is ACCEPTed), while the link-local fe80::... address is active on the wan interface and the web interface listens on it since

$ netstat -apn
...
tcp 0 0 :::80 :::* LISTEN 754/uhttpd
...

cypa commented on 24.10.2017 16:02
root@lede:~# fw3 restart
Warning: Unable to locate ipset utility, disabling ipset support
Warning: Section @zone[1] (wan) cannot resolve device of network 'wan6'
Warning: Section @redirect[0] has no target specified, defaulting to DNAT
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv6 filter table
 * Flushing IPv6 mangle table
 * Flushing conntrack table ...
 * Populating IPv4 filter table
   * Zone 'lan'
   * Zone 'wan'
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule #6
   * Rule #7
   * Redirect #0
   * Forward 'lan' -> 'wan'
 * Populating IPv4 nat table
   * Zone 'lan'
   * Zone 'wan'
   * Redirect #0
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'
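
In the fw3 restart output above, the IPv6 filter and mangle tables are flushed but no "Populating IPv6 ..." line follows. The shell function below is an added example (not code from the ticket or from fw3) that flags that condition in any fw3 log; the function names are made up here, and the sample input is abridged from the output above.

```shell
#!/bin/sh
# Added example: list tables that "fw3 restart" flushed but never populated.
# fw3_unpopulated and sample_fw3_log are hypothetical names, not part of fw3.

# Reads fw3 output on stdin and prints one "<family> <table>" line for every
# table that has a "Flushing" line but no matching "Populating" line.
fw3_unpopulated() {
    awk '
        # Progress lines look like " * Flushing IPv6 filter table".
        # "Flushing conntrack table ..." has no family field and is skipped.
        $1 == "*" && $2 == "Flushing" && $5 == "table" {
            key = $3 " " $4
            if (!(key in flushed)) order[++n] = key
            flushed[key] = 1
        }
        $1 == "*" && $2 == "Populating" && $5 == "table" {
            populated[$3 " " $4] = 1
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(order[i] in populated)) print order[i]
        }
    '
}

# Sample input, abridged from the fw3 restart output quoted in the ticket.
sample_fw3_log() {
    cat <<'EOF'
Warning: Section @zone[1] (wan) cannot resolve device of network 'wan6'
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv6 filter table
 * Flushing IPv6 mangle table
 * Flushing conntrack table ...
 * Populating IPv4 filter table
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 nat table
 * Populating IPv4 mangle table
 * Running script '/etc/firewall.user'
EOF
}

# Stand-alone run: report the tables left empty in the sample log.
sample_fw3_log | fw3_unpopulated
```

On a router the same function can read live output with `fw3 restart 2>&1 | fw3_unpopulated`; an empty result means every flushed table was populated again.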
Project Manager
Mathias Kresin commented on 25.10.2017 10:40

Please provide the information you were already told to provide on IRC:

13:51:33 < jow> please pastebin /etc/config/firewall and the output of
                "ip6tables-save" too, while you're at it
14:03:02 < jow> you could open a bug report, but that would need the output of
                "ip6tables-save" and /etc/config/firewall too

For reference, the relevant "ip6tables --list -nv" output of a freshly booted LEDE Reboot SNAPSHOT r5122-f7a6fd3153:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      lo     *       ::/0                 ::/0                 /* !fw3 */
    0     0 input_rule  all      *      *       ::/0                 ::/0                 /* !fw3: user chain for input */
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                 ctstate RELATED,ESTABLISHED /* !fw3 */
    0     0 syn_flood  tcp      *      *       ::/0                 ::/0                 tcp flags:0x17/0x02 /* !fw3 */
    0     0 zone_lan_input  all      br-lan *       ::/0                 ::/0                 /* !fw3 */
    0     0 zone_wan_input  all      dsl0.7 *       ::/0                 ::/0                 /* !fw3 */

Chain reject (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp      *      *       ::/0                 ::/0                 /* !fw3 */ reject-with tcp-reset
    0     0 REJECT     all      *      *       ::/0                 ::/0                 /* !fw3 */ reject-with icmp6-port-unreachable

Chain input_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_wan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 input_wan_rule  all      *      *       ::/0                 ::/0                 /* !fw3: user chain for input */
    0     0 ACCEPT     udp      *      *       fc00::/6             fc00::/6             udp dpt:546 /* !fw3: Allow-DHCPv6 */
    0     0 ACCEPT     icmpv6    *      *       fe80::/10            ::/0                 ipv6-icmptype 130 code 0 /* !fw3: Allow-MLD */
    0     0 ACCEPT     icmpv6    *      *       fe80::/10            ::/0                 ipv6-icmptype 131 code 0 /* !fw3: Allow-MLD */
    0     0 ACCEPT     icmpv6    *      *       fe80::/10            ::/0                 ipv6-icmptype 132 code 0 /* !fw3: Allow-MLD */
    0     0 ACCEPT     icmpv6    *      *       fe80::/10            ::/0                 ipv6-icmptype 143 code 0 /* !fw3: Allow-MLD */
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 128 limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 129 limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 1 limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 2 limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 3 limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 4 code 0 limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 4 code 1 limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 133 limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 135 limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 134 limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 136 limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
    0     0 zone_wan_src_REJECT  all      *      *       ::/0                 ::/0                 /* !fw3 */

Chain zone_wan_src_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 reject     all      dsl0.7 *       ::/0                 ::/0                 /* !fw3 */

Looks pretty much as expected. Only IPv6 ICMP packets are accepted via wan.
