ip6tables limit+hf kernel extensions missing #2874

jens-maus · 2024-10-08T20:06:21Z

Vielen Dank für die prompte Rückmeldung. Ich bin der Ursache näher gekommen. Es werden nicht alle ip6tables Rules geladen, da das "limit" Modul nicht zur Verfügung steht.

ubuntu:~/Desktop$ diff -u homematic.txt homematic-raspi.txt 
--- homematic.txt	2024-10-08 16:37:43.786809889 +0200
+++ homematic-raspi.txt	2024-10-08 16:37:28.114841911 +0200
@@ -24,5 +24,11 @@
 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m state --state NEW -m limit --limit 15/sec -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m state --state NEW -m limit --limit 15/sec -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 137 -m hl --hl-eq 255 -j ACCEPT
 -A INPUT -j REJECT --reject-with icmp6-port-unreachable
 COMMIT

Wenn ich ip6tables deaktiviere und noch mal versuche eine Adresse abzurufen funktioniert es:

root@homematic:~# ip6tables -P INPUT ACCEPT
root@homematic:~# ip6tables -F INPUT 
root@homematic:~# killall -q udhcpc
root@homematic:~# . /etc/config/netconfig
root@homematic:~# /sbin/udhcpc -b -t 20 -T 3 -S -x "hostname:${HOSTNAME}" -i eth0
udhcpc: started, v1.36.1
udhcpc: broadcasting discover
udhcpc: broadcasting select for 192.168.178.231, server 192.168.178.1
udhcpc: lease of 192.168.178.231 obtained from 192.168.178.1, lease time 864000
deleting routers
adding dns 192.168.178.1
root@homematic:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel qlen 1000
    link/ether xxxxxxxxxxxx brd ff:ff:ff:ff:ff:ff
    inet 192.168.178.231/24 brd 192.168.178.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 xxxxxxxxxxxx/64 scope global dynamic flags 100 
       valid_lft 7098sec preferred_lft 1697sec
    inet6 fe80::xxxxxxxxxxxx/64 scope link 
       valid_lft forever preferred_lft forever

Alternativ kann man im GUI die Firewall-Policy auf "Ports offen" stellen.
Beim Versuch die fehlenden Zeilen im Regelwerk nachzuziehen kommt dieser Fehler:

root@homematic:~# ip6tables -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m state --state NEW -m limit --limit 15/sec -j ACCEPT
Warning: Extension limit revision 0 not supported, missing kernel module?
ip6tables: No chain/target/match by that name.

Installiert ist die Version: 3.77.7.20240826

Eine Debian VM die an der selben Bridge hängt bekommt per "inet6 auto" eine IPv6 Adresse.

Originally posted by @mb-1408-de in #2871 (comment)

The text was updated successfully, but these errors were encountered:

jens-maus added the 🐛 bug-report Something isn't working label Oct 8, 2024

jens-maus added this to the next release milestone Oct 8, 2024

jens-maus closed this as completed in 1a6b257 Oct 8, 2024

jens-maus modified the milestones: next release, 3.79.6.20241031 Nov 1, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ip6tables limit+hf kernel extensions missing #2874

ip6tables limit+hf kernel extensions missing #2874

jens-maus commented Oct 8, 2024

ip6tables limit+hf kernel extensions missing #2874

ip6tables limit+hf kernel extensions missing #2874

Comments

jens-maus commented Oct 8, 2024