LinuxQuestions.org
Old 05-29-2017, 04:29 AM   #1
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Ubuntu, Devuan, OpenBSD
Posts: 2,372
Blog Entries: 3

Getting dynamic IPv6 addresses in OpenBSD-current?


What is the right way currently to dynamically get IPv6 addresses in OpenBSD-current?

It used to be that one added a "rtsol" line to hostname.if.
However, rtsol has been removed and has not been available for a long time:

https://cvsweb.openbsd.org/cgi-bin/c...r.sbin/rtsold/

There is currently no mention of inet6 or IPv6 in that context in the networking FAQ:

http://www.openbsd.org/faq/faq6.html

but it used to mention adding "inet6 autoconf" to hostname.if
 
Old 05-30-2017, 05:17 AM   #2
jggimi
Member
 
Registered: Jan 2016
Distribution: None. Just OpenBSD.
Posts: 96

The autoconf option enables SLAAC autoconfiguration. From ifconfig(8):
Code:
     autoconf
             Enable stateless autoconfiguration (SLAAC), automatically
             configuring IPv6 addresses.  In this mode, router advertisements
             are accepted and periodic router solicitations are sent.
The hostname.if(5) man page describes this usage:
Code:
     IPv6 stateless address autoconfiguration:

           inet6 autoconf options

     The above format has the following field values:

           inet6       The address family.

           autoconf    The literal string "autoconf", to configure the
                       interface using IPv6 stateless address
                       autoconfiguration (SLAAC).

           options     Miscellaneous options to set on the interface, e.g.,
                       "media 100baseTX mediaopt full-duplex".  Valid options
                       for a particular interface type can be found in
                       ifconfig(8).
 
Old 05-30-2017, 05:34 AM   #3
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Ubuntu, Devuan, OpenBSD
Posts: 2,372
Blog Entries: 3

Original Poster
Thanks. I should have mentioned that I've seen both of those. I'm at a loss as to what to do to restore IPv6 access. dhcp for IPv4 works fine.

On GNU/Linux machines on the same LAN I'm able to run ping6 to successfully contact external machines. So I know the network is set up correctly, or at least close to correctly.

On OpenBSD-current, I can ping the loopback address via ping6 as well as the IPv6 addresses shown for that interface:

Code:
ifconfig cpsw0                                                               
cpsw0: flags=208843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,AUTOCONF6> mtu 1500
        lladdr zz:zz:zz:zz:zz:zz
        index 1 priority 0 llprio 3
        groups: egress
        media: Ethernet 100baseTX full-duplex
        status: active
        inet6 yyyy::yyyy:yyyy:yyyy:yyyy%cpsw0 prefixlen 64 scopeid 0x1
        inet6 xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx prefixlen 64 autoconf
        inet6 xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx prefixlen 64 deprecated autoconf autoconfprivacy pltime 0 vltime 428721
        inet6 xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx prefixlen 64 deprecated autoconf autoconfprivacy pltime 0 vltime 514688
        inet xx.xx.xx.xx netmask 0xffffff00 broadcast xx.xx.xx.xx
Does the route have to be set up manually?
 
Old 05-30-2017, 05:56 AM   #4
jggimi
Member
 
Registered: Jan 2016
Distribution: None. Just OpenBSD.
Posts: 96

Quote:
Originally Posted by Turbocapitalist View Post
Code:
        inet6 yyyy::yyyy:yyyy:yyyy:yyyy%cpsw0 prefixlen 64 scopeid 0x1
That is your link-local address.
Code:
        inet6 xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx prefixlen 64 autoconf
This appears to be a public, autoconfigured address that does not expire. This doesn't seem quite right to me -- however the deprecation of information may have obfuscated this. It doesn't seem correct to me because you also have these:
Code:
        inet6 xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx prefixlen 64 deprecated autoconf autoconfprivacy pltime 0 vltime 428721
        inet6 xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx prefixlen 64 deprecated autoconf autoconfprivacy pltime 0 vltime 514688
These are expired, autoconfigured addresses that do have lifespans. The default for OpenBSD autoconfigured addresses is with privacy, deprecated after 24 hours, and with a lifespan of 7 days.
Quote:
Does the route have to be set up manually?
It shouldn't, if router solicitations are sent and advertisements are received. A misconfigured PF could inadvertently block this traffic. Lots of folks (me included) have done this without realizing it.

Last edited by jggimi; 05-30-2017 at 05:57 AM.
 
Old 05-30-2017, 06:14 AM   #5
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Ubuntu, Devuan, OpenBSD
Posts: 2,372
Blog Entries: 3

Original Poster
Quote:
Originally Posted by jggimi View Post
A misconfigured PF could inadvertently block this traffic. Lots of folks (me included) have done this without realizing it.
That might be it, though I have the bare minimum and it still blocks IPv6:

Code:
# pfctl -sr              
block return all
pass out all flags S/SA
block return in on ! lo0 proto tcp from any to any port 6000:6010

# ping6 -c 1 -w 1 www.google.com
PING www.google.com (2a00:1450:400f:803::2004): 56 data bytes

--- www.google.com ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss

# pfctl -d                                                                     
pf disabled

# ping6 -c 1 -w 1 www.google.com 
PING www.google.com (2a00:1450:400f:803::2004): 56 data bytes
64 bytes from 2a00:1450:400f:803::2004: icmp_seq=0 hlim=55 time=34.178 ms

--- www.google.com ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 34.178/34.178/34.178/0.000 ms
 
Old 05-30-2017, 06:37 AM   #6
jggimi
Member
 
Registered: Jan 2016
Distribution: None. Just OpenBSD.
Posts: 96

You are blocking all inbound traffic that does not already have an established state.

Try adding pass proto ipv6-icmp to your configuration.
 
1 members found this post helpful.
Old 05-30-2017, 07:15 AM   #7
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Ubuntu, Devuan, OpenBSD
Posts: 2,372
Blog Entries: 3

Original Poster
Quote:
Originally Posted by jggimi View Post
You are blocking all inbound traffic that does not already have an established state.
Yes, I've been using an expanded version of those filter rules since the reworking of PF many years ago. It is my understanding that the outgoing packet establishes the state and that the return packet will be ok.

The same rules work fine with IPv4 ping(8) and used to work with ping6(8).

Quote:
Originally Posted by jggimi View Post
Try adding pass proto ipv6-icmp to your configuration.
Yes, that seems to work most of the time. Sometimes it doesn't. Strangely, ping6(8) continues to work for a while even after I reset the rules and flush everything:

Code:
# pfctl -F all; pfctl -ef pf.test.conf;  
rules cleared
0 tables deleted.
5 states cleared
source tracking entries cleared
pf: statistics cleared
pf: interface flags reset
pfctl: pf already enabled

# pfctl -sr                                                                    
block return all
pass out inet all flags S/SA
pass out inet6 all flags S/SA
block return in on ! lo0 proto tcp from any to any port 6000:6010

# ping6 -w 1 www.google.com              
PING www.google.com (2a00:1450:4005:801::2004): 56 data bytes
64 bytes from 2a00:1450:4005:801::2004: icmp_seq=0 hlim=56 time=50.779 ms
64 bytes from 2a00:1450:4005:801::2004: icmp_seq=1 hlim=56 time=50.840 ms
64 bytes from 2a00:1450:4005:801::2004: icmp_seq=2 hlim=56 time=50.413 ms
64 bytes from 2a00:1450:4005:801::2004: icmp_seq=3 hlim=56 time=53.129 ms
64 bytes from 2a00:1450:4005:801::2004: icmp_seq=4 hlim=56 time=50.657 ms
64 bytes from 2a00:1450:4005:801::2004: icmp_seq=5 hlim=56 time=50.505 ms
64 bytes from 2a00:1450:4005:801::2004: icmp_seq=6 hlim=56 time=50.840 ms
64 bytes from 2a00:1450:4005:801::2004: icmp_seq=7 hlim=56 time=50.688 ms
64 bytes from 2a00:1450:4005:801::2004: icmp_seq=8 hlim=56 time=51.237 ms
64 bytes from 2a00:1450:4005:801::2004: icmp_seq=9 hlim=56 time=50.688 ms
64 bytes from 2a00:1450:4005:801::2004: icmp_seq=10 hlim=56 time=50.749 ms
64 bytes from 2a00:1450:4005:801::2004: icmp_seq=11 hlim=56 time=50.871 ms
64 bytes from 2a00:1450:4005:801::2004: icmp_seq=12 hlim=56 time=51.329 ms
64 bytes from 2a00:1450:4005:801::2004: icmp_seq=13 hlim=56 time=51.329 ms
64 bytes from 2a00:1450:4005:801::2004: icmp_seq=14 hlim=56 time=50.657 ms
64 bytes from 2a00:1450:4005:801::2004: icmp_seq=15 hlim=56 time=50.413 ms
64 bytes from 2a00:1450:4005:801::2004: icmp_seq=16 hlim=56 time=50.840 ms
64 bytes from 2a00:1450:4005:801::2004: icmp_seq=17 hlim=56 time=51.085 ms
64 bytes from 2a00:1450:4005:801::2004: icmp_seq=18 hlim=56 time=51.115 ms
64 bytes from 2a00:1450:4005:801::2004: icmp_seq=19 hlim=56 time=50.413 ms
^C
--- www.google.com ping statistics ---
20 packets transmitted, 20 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 50.413/50.929/53.129/0.576 ms

# ping6 -w 1 www.google.com 
PING www.google.com (2a00:1450:400f:807::2004): 56 data bytes
^C
--- www.google.com ping statistics ---
7 packets transmitted, 0 packets received, 100.0% packet loss
 
Old 05-30-2017, 07:42 AM   #8
jggimi
Member
 
Registered: Jan 2016
Distribution: None. Just OpenBSD.
Posts: 96

It is easy to track state for TCP, since it is a stateful protocol. But stateless protocols must use timers to track state. And anything that might appear outside of a timed state period (such as, perhaps, router advertisements) will be blocked.

If you add logging to your block rule, you could use tcpdump(8) with your pflog(4) device to see if any ICMPv6 or UDP packets are being blocked because they are considered outside of an established "state" period.

Last edited by jggimi; 05-30-2017 at 07:45 AM.
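
Added example, not part of any post in this thread: a small sh/awk filter for the pflog check suggested in post #8. It counts the inbound Neighbor Discovery messages PF blocked and prints a candidate rule narrower than a blanket `pass proto ipv6-icmp`. The log lines are constructed, tcpdump's exact wording is assumed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): summarise inbound ICMPv6 Neighbor
# Discovery packets that PF blocked, as read from text produced by
#   tcpdump -n -e -ttt -i pflog0 icmp6
# once the block rule carries "log". tcpdump's wording is an assumption.

# Constructed sample lines; addresses are documentation/link-local values.
sample_pflog() {
cat <<'EOF'
May 30 07:31:02.104512 rule 0/(match) block in on cpsw0: fe80::1 > ff02::1: icmp6: router advertisement
May 30 07:31:40.220871 rule 0/(match) block in on cpsw0: fe80::1 > ff02::1:ff00:2: icmp6: neighbor sol: who has 2001:db8::2
May 30 07:32:05.993120 rule 0/(match) block in on cpsw0: 2001:db8::9 > 2001:db8::2: icmp6: echo request
May 30 07:33:02.118304 rule 0/(match) block in on cpsw0: fe80::1 > ff02::1: icmp6: router advertisement
May 30 07:33:10.500112 rule 2/(match) block in on cpsw0: 2001:db8::9.51514 > 2001:db8::2.6000: S 1:1(0) win 16384
EOF
}

# Read pflog text on stdin; print "<count> <pf icmp6-type name>" per ND type.
blocked_nd_types() {
    awk '
    / block in on / && /icmp6: / {
        t = ""
        if ($0 ~ /icmp6: router advertisement/)     t = "routeradv"
        else if ($0 ~ /icmp6: router solicitation/) t = "routersol"
        else if ($0 ~ /icmp6: neighbor sol/)        t = "neighbrsol"
        else if ($0 ~ /icmp6: neighbor adv/)        t = "neighbradv"
        if (t != "") n[t]++          # echo requests, TCP etc. are ignored
    }
    END { for (t in n) print n[t], t }' | LC_ALL=C sort -k2
}

# Turn the types seen into a candidate pf.conf rule for review, not blind use.
suggest_rule() {
    types=$(blocked_nd_types | awk '{ printf "%s%s", sep, $2; sep = ", " }')
    [ -n "$types" ] || { echo "no blocked ND packets seen"; return 1; }
    echo "pass in on egress inet6 proto icmp6 icmp6-type { $types }"
}

sample_pflog | blocked_nd_types
sample_pflog | suggest_rule
```

On a live system the input would come from the pflog capture instead of `sample_pflog`; `egress` is the interface group shown in the ifconfig output in post #3.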
 
Old 05-31-2017, 02:20 AM   #9
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Ubuntu, Devuan, OpenBSD
Posts: 2,372
Blog Entries: 3

Original Poster
Ok. Thanks for walking me through this. I'll have to finish looking through the documentation and release notes to see what changed with PF. But the IPv6 part by itself works as it should:

Code:
$ cat /etc/hostname.cpsw0                                                      
dhcp
inet6 autoconf media 100baseTX mediaopt full-duplex
up

Last edited by Turbocapitalist; 05-31-2017 at 02:21 AM.
 
Old 05-31-2017, 05:20 AM   #10
jggimi
Member
 
Registered: Jan 2016
Distribution: None. Just OpenBSD.
Posts: 96

Glad things are now working. The up directive isn't needed, but won't hurt. It happens automatically when an interface is assigned an address. In this case, that will happen when netstart(8) calls dhclient(8) via your dhcp directive.
 
  

