Messages - lamaster

#1
Quote from: franco on March 06, 2024, 07:17:42 PM
What's our metric for detecting if IPv6 is compiled into libc? I don't even know to be honest.
Building with the "WITHOUT_INET6=yes" option doesn't remove IPv6 protocols.

# sysctl -n kern.features.inet6
1

I'm not sure about libc metrics. I'm not a coder.
What I see is that ifconfig returns an error for the inet6 family.

# ifconfig -l inet6
ifconfig: Address family 'inet6' unknown.

Attached screenshots show differences in files between builds with inet6 and without.

I've opened an issue on GitHub: https://github.com/opnsense/core/issues/7309

Hope it helps.

Thanks
#2
Quote from: Patrick M. Hausen on March 05, 2024, 10:13:49 PM
Fact.
Your usage of the word "Fact" confuses me. You are stating facts about your network, I guess.

I don't have issues with global IPv6 adoption or IPv4 deprecation.
All your points may be valid for your use case. Mine is different. I'm going to deploy a firewall in a very strict environment. There is nothing like you mentioned in your posts.
The issue I'm dealing with here is in my initial post.
Thanks
#3
Quote from: franco on March 05, 2024, 09:38:57 PM
... you'd still have runtime issues with all services attempting to use IPv6 for internal reasons like e.g. Squid or binding to IPv6 by default ("::") which is sometimes more hardcoded than one may think.

I have some experience with sloppy coding that had hardcoded "::". Recompiled and moved on.
I'll try to deal with issues when they arise.

At this point I'm trying to deal with the issue I described. I have nothing against auto-creation of rules and agree with your reasoning for them to exist (you expressed it in some other topic). But what I can't find myself understanding is why the function that auto-creates firewall rules is done in such a way that it creates rules that make the firewall fail.

Shouldn't there be some check for the existence of an IP before a rule for that IP is created?
#4
Quote from: Patrick M. Hausen on March 05, 2024, 09:03:14 PM
Sorry for being so blunt. But that's a fact.

Thank you for your opinion. Fact is something else.

#5
24.1, 24.4 Legacy Series / WITHOUT_INET6 yes, please
March 05, 2024, 08:57:29 PM
Hi All,

First of all, I want to say thank you, OPNsense crew, for doing a great job and keeping it open-sourced!

Now to the issue I'm having.
I'd like to make my installation of OPNsense IPv6 free. I've checked all configuration solutions mentioned on this forum and none of them gave me what I want. So, I'm trying to build a dvd.

After adding "WITHOUT_INET6=yes" to /usr/tools/config/24.1/src.conf I followed OPNsense tools' steps to build.

make clean-packages
make prefetch-packages dvd VERSION=24.1.2

After a successful build I booted the image and got "Configuring firewall.......failed."

Firewall log:
Error firewall There were error(s) loading the rules: no IP address found for fe80::/10
Error firewall /usr/local/etc/rc.reload_all: The command '/sbin/pfctl -f /tmp/rules.debug.old' returned exit code '1', the output was 'no IP address found for fe80::/10 /tmp/rules.debug.old:53: could not parse host specification no IP address found for fe80::/10 /tmp/rules.debug.old:54: could not parse host specification no IP address found for ff02::/16 /tmp/rules.debug.old:55: could not parse host specification no IP address found for :: /tmp/rules.debug.old:56: could not parse host specification no IP address found for ff02::12 /tmp/rules.debug.old:61: could not parse host specification no IP address found for fe80::/10 /tmp/rules.debug.old:82: could not parse host specification pfctl: Syntax error in config file: pf rules not loaded'


The errors are caused by auto-generated rules.
Some digging and hacking (/usr/local/etc/inc/filter.lib.inc, filter.inc) fixed errors and everything looks ok, I think.

For some reason, firewall rules are being auto-generated for IP addresses that do not exist in my system.

/tmp/ifconfig.debug
em0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,NOMAP>
        ether 3e:30:c3:6a:aa:aa
        inet 10.0.0.2 netmask 0xffffff00 broadcast 10.0.0.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
enc0: flags=0<> metric 0 mtu 1536
        groups: enc
pflog0: flags=20100<PROMISC,PPROMISC> metric 0 mtu 33160
        groups: pflog
pfsync0: flags=0<> metric 0 mtu 1500
        syncpeer: 0.0.0.0 maxupd: 128 defer: off
        syncok: 1
        groups: pfsync
Could you please let me know what I am missing?
And, is building base and kernel enough to get rid of IPv6, or do packages also have to be built?

I'm new to all of this. It would be great if somebody could help me out. Thanks in advance.
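The check asked for in post #3 (skip IPv6 rules when the kernel has no inet6) and the pfctl failure shown in post #5 can be illustrated with a small filter. This is an added example, not OPNsense's own filter.inc code: it reads the kern.features.inet6 sysctl the thread mentions and drops rule lines that carry the inet6 keyword or an IPv6 literal before they reach pfctl. The function names, the regex and the sample rules are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not part of OPNsense): keep IPv6-only pf rules out of a
# ruleset when the kernel was built WITHOUT_INET6, so pfctl does not abort
# with "no IP address found for fe80::/10" as in the firewall log above.

# Returns 0 when the running kernel advertises inet6, 1 otherwise.
# If sysctl is missing (non-FreeBSD host) we conservatively assume inet6
# is present, so nothing is stripped by accident.
have_inet6() {
    v=$(sysctl -n kern.features.inet6 2>/dev/null) || return 0
    [ "$v" = "1" ]
}

# Drop rule lines that use the "inet6" address family keyword or contain
# an IPv6 literal ("::" covers fe80::/10, ff02::16, ::, etc.). Hypothetical
# regex: pf grammar is richer, so always dry-run the result with pfctl -nf.
strip_inet6_rules() {
    grep -Ev '(^|[[:space:]])inet6([[:space:]]|$)|::' || true
}

# $1 = "1" if the kernel has inet6, "0" if not; rules come in on stdin.
# Passes the ruleset through unchanged when IPv6 is available.
filter_rules() {
    if [ "$1" = "1" ]; then cat; else strip_inet6_rules; fi
}

# Convenience wrapper using the live sysctl; writes the filtered set to $2.
prepare_ruleset() {
    if have_inet6; then flag=1; else flag=0; fi
    filter_rules "$flag" <"$1" >"$2"
}

# Constructed sample mimicking OPNsense auto-generated rules (not real output).
SAMPLE_RULES='pass in quick on em0 inet proto tcp from any to 10.0.0.2 port 443 keep state
pass in quick inet6 proto ipv6-icmp from {fe80::/10,::} to {fe80::/10,ff02::/16} keep state
block in quick inet6 from ff02::12 to any
pass out quick inet from 10.0.0.0/24 to any keep state'

# Stand-alone demonstration: show what survives on an IPv4-only kernel.
printf '%s\n' "$SAMPLE_RULES" | filter_rules 0
```

Run `pfctl -nf` on the filtered file before loading it; the filter only removes lines, so the remaining IPv4 rules are the original text.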