WITHOUT_INET6 yes, please

Started by lamaster, March 05, 2024, 08:57:29 PM

March 05, 2024, 08:57:29 PM Last Edit: March 05, 2024, 09:03:13 PM by lamaster
Hi All,

First of all, I want to say thank you, OPNsense crew, for doing a great job and keeping it open-sourced!

Now to the issue I'm having.
I'd like to make my installation of OPNsense IPv6 free. I've checked all configuration solutions mentioned on this forum and none of them gave me what I want. So, I'm trying to build the dvd.

After adding "WITHOUT_INET6=yes" to /usr/tools/config/24.1/src.conf I followed OPNsense tools' steps to build.

make clean-packages
make prefetch-packages dvd VERSION=24.1.2

After a successful build I booted the image and got "Configuring firewall.......failed."

Firewall log:
Error firewall There were error(s) loading the rules: no IP address found for fe80::/10
Error firewall /usr/local/etc/rc.reload_all: The command '/sbin/pfctl -f /tmp/rules.debug.old' returned exit code '1', the output was 'no IP address found for fe80::/10 /tmp/rules.debug.old:53: could not parse host specification no IP address found for fe80::/10 /tmp/rules.debug.old:54: could not parse host specification no IP address found for ff02::/16 /tmp/rules.debug.old:55: could not parse host specification no IP address found for :: /tmp/rules.debug.old:56: could not parse host specification no IP address found for ff02::12 /tmp/rules.debug.old:61: could not parse host specification no IP address found for fe80::/10 /tmp/rules.debug.old:82: could not parse host specification pfctl: Syntax error in config file: pf rules not loaded'


The errors are caused by auto-generated rules.
Some digging and hacking (/usr/local/etc/inc/filter.lib.inc, filter.inc) fixed the errors and everything looks ok, I think.

For some reason, firewall rules are auto-generated for IP addresses that do not exist in my system.

/tmp/ifconfig.debug
em0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,NOMAP>
        ether 3e:30:c3:6a:aa:aa
        inet 10.0.0.2 netmask 0xffffff00 broadcast 10.0.0.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
enc0: flags=0<> metric 0 mtu 1536
        groups: enc
pflog0: flags=20100<PROMISC,PPROMISC> metric 0 mtu 33160
        groups: pflog
pfsync0: flags=0<> metric 0 mtu 1500
        syncpeer: 0.0.0.0 maxupd: 128 defer: off
        syncok: 1
        groups: pfsync


Could you please let me know what I am missing?
And, is building base and kernel enough to get rid of IPv6, or do packages also have to be built?

I'm new to all of this. It would be great if somebody could help me out. Thanks in advance.

Quote from: lamaster on March 05, 2024, 08:57:29 PM
Could you please let me know what am I missing?
It's 2024. There is no Internet and no isolated network without IPv6. All devices you bring into your network will run IPv6 - Windows, Mac OS, iOS, Android, ... IPv4 is legacy. Deal with it.

Sorry for being so blunt. But that's a fact.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on March 05, 2024, 09:03:14 PM
Sorry for being so blunt. But that's a fact.

Thank you for your opinion. Fact is something else.


Turning off IPv6 support in the FreeBSD sources has detrimental effects on the ports build and user facing configuration.

Even if you can get the core to stop all processing of IPv6 and get all of the ports to compile with it you'd still have runtime issues with all services attempting to use IPv6 for internal reasons like e.g. Squid or binding to IPv6 by default ("::") which is sometimes more hardcoded than one may think.

I think if you turn off IPv6 in the FreeBSD source you shouldn't use anything else but the FreeBSD source tree and base system, which OPNsense is not because its scope is also the ports tree and elaborate configuration management.


Cheers,
Franco

Quote from: lamaster on March 05, 2024, 09:11:39 PM
Thank you for your opinion. Fact is something else.
Even without any firewall or router in place as soon as you connect a Windows 10 system or a Mac to some switch, they will have an IPv6 link-local address. If you use mDNS or similar for service discovery, all current systems will communicate via IPv6 instead of IPv4. Use "Network Neighbourhood" to discover your printer and print to it? IPv6 unless your printer is 20 years old. Fact.

Kind regards,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: franco on March 05, 2024, 09:38:57 PM
... you'd still have runtime issues with all services attempting to use IPv6 for internal reasons like e.g. Squid or binding to IPv6 by default ("::") which is sometimes more hardcoded than one may think.

I have some experience with sloppy coding that had hardcoded "::". Recompiled and moved on.
I'll try to deal with issues when they arise.

At this point I'm trying to deal with the issue I described. I have nothing against auto-creation of rules and agree with your reasoning for them to exist (you expressed it in some other topic). But what I can't understand is why the function that auto-creates firewall rules is done in such a way that it creates rules that make the firewall fail.

Shouldn't there be some check for the existence of an IP before a rule with that IP is created?

Quote from: Patrick M. Hausen on March 05, 2024, 10:13:49 PM
Fact.
Your usage of the word "Fact" confuses me. You are stating facts about your network, I guess.

I don't have issues with global IPv6 adoption or IPv4 deprecation.
All your points may be valid for your use case. Mine is different. I'm going to deploy a firewall in a very strict environment. There is nothing like what you mentioned in your posts.
The issue I'm dealing with here is in my initial post.
Thanks

And, is building base and kernel enough to get rid of IPv6 or packages also have to be built?

Just my 0,50 €:
You obviously found a bug. Nowadays software implicates so much about IPv6 that the mentioned building flag breaks the build and should either be fixed or removed. I'd go with removed. Trying to build a non-IPv6 aware software in this decade is a waste of time. But feel free to run your own.

Yes, opinion.

What's our metric for detecting if IPv6 is compiled into libc? I don't even know to be honest.


Cheers,
Franco

Quote from: franco on March 06, 2024, 07:17:42 PM
What's our metric for detecting if IPv6 is compiled into libc? I don't even know to be honest.
Building with "WITHOUT_INET6=yes" option doesn't remove IPv6 protocols.

# sysctl -n kern.features.inet6
1

I'm not sure about libc metrics. I'm not a coder.
What I see is that ifconfig returns an error for the inet6 family.

# ifconfig -l inet6
ifconfig: Address family 'inet6' unknown.

Attached screenshots show differences in files between builds with inet6 and without.

I've opened an issue on GitHub: https://github.com/opnsense/core/issues/7309

Hope it helps.

Thanks
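The two points raised in the thread, a missing "does inet6 exist here?" check before IPv6 rules are emitted, and the observation that after a WITHOUT_INET6 build the kernel still reports kern.features.inet6=1 while ifconfig no longer knows the family, can be tied together in a small pre-load filter. The script below is an added example written for this thread; it is not OPNsense code and does not touch filter.lib.inc or filter.inc. It probes inet6 support with exactly the two commands quoted in the thread, drops IPv6 rule lines from a ruleset when the family is absent, and then dry-runs the result through pfctl (the pfctl step only runs where pfctl exists). The rule set is constructed for the example; the function names are the example's own.

```sh
#!/bin/sh
# Added example for the thread (not OPNsense code): probe inet6 support the
# way the thread does, then drop IPv6 rule lines before pfctl parses them.

# Return 0 only when both the kernel feature flag and the ifconfig address
# family are present. After a WITHOUT_INET6 build the thread shows the
# first probe still succeeding (1) while the second fails, so both are needed.
has_inet6() {
    [ "$(sysctl -n kern.features.inet6 2>/dev/null)" = "1" ] || return 1
    ifconfig -l inet6 >/dev/null 2>&1 || return 1
    return 0
}

# Read pf rules on stdin and write them on stdout.
# $1 = "1": inet6 is available, pass every line through unchanged.
# $1 = "0": inet6 is absent, drop any line that carries the "inet6" keyword
#           or an IPv6 literal ("::" shorthand, or two hex groups joined by
#           colons). These are exactly the forms pfctl rejected in the thread
#           with "no IP address found for fe80::/10".
strip_inet6_rules() {
    if [ "$1" = "1" ]; then
        cat
        return 0
    fi
    grep -v -E '(^|[[:space:]])inet6([[:space:]]|$)|[0-9a-fA-F]*::|[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:' || :
}

# Count surviving lines of a filtered ruleset (helper for checks below).
count_rules() {
    printf '%s\n' "$1" | strip_inet6_rules "$2" | wc -l | tr -d ' '
}

# Constructed ruleset: the IPv4 lines mirror the em0/10.0.0.0/24 setup in the
# thread; the IPv6 lines use the same literals pfctl choked on.
SAMPLE_RULES='pass in quick on em0 inet from 10.0.0.0/24 to any
pass in quick inet6 from fe80::/10 to any
block in inet6 from ff02::/16 to any
pass in from :: to any
pass out on em0 proto tcp from any to any port 443'

# Stand-alone run: pick the flag from the live system, filter, and if pfctl
# is present parse the result without loading it (-n), which is the check
# the thread asks for before a rule ever reaches the firewall.
demo() {
    if has_inet6; then flag=1; else flag=0; fi
    echo "inet6 available: $flag"
    filtered=$(printf '%s\n' "$SAMPLE_RULES" | strip_inet6_rules "$flag")
    printf '%s\n' "$filtered"
    if command -v pfctl >/dev/null 2>&1; then
        tmp=$(mktemp) || return 1
        printf '%s\n' "$filtered" > "$tmp"
        pfctl -n -f "$tmp"
        rm -f "$tmp"
    fi
}
demo
```

With inet6 absent the three IPv6 lines are removed and pfctl's dry run succeeds on the remaining two; with inet6 present the ruleset is untouched. The filter is a pre-load guard only: the real fix would be for the rule generator to consult the same probe before emitting the link-local and multicast rules in the first place.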