Yes, I wouldn't expect it to be forwarded either.  I just mentioned that so no
one would ask.  I /would/ expect it to reach the mangle INPUT.  Notice that ICMP
traffic doesn't make it to INPUT either.

mangle:
?COMMENT crazy printer DEBUG
# dhcp6 loop
DROP:P                $NPIC770FE_mac            -         udp    dhcpv6-server
Fixed it.

ISC dhcpdv4 uses raw sockets, which means it sees packets before iptables.
dhcpdv6 doesn't; thus I'm able to DROP.

For those interested in debugging in the mangle table, put DEBUG on the comment
lines of what you need to see; then shorewall(6) restart; then run
watch "ip6tables -t mangle -nvL | grep -E -e DEBUG -e 'Chain tc(in|out|pre|post|for)'"

Every two seconds watch will run that command and you can watch the counters 
increment.

Bill

On 4/19/2018 10:11 AM, Lennart Sorensen wrote:
> On Wed, Apr 18, 2018 at 11:40:27AM -0400, Bill Shirley wrote:
>> The printer uses its fe80:: address to contact the DHCPv6 server which
>> is handing out 2001:470:?:?::/64 addresses.
>>
>> The DROP in the mangle table worked.
>>
>> I still would like to know why fe80:: traffic is neither forwarded nor sent
>> to the INPUT chain.
> It is link local.  It is not routable traffic.  I am a bit surprised if
> it doesn't reach the input chain.
>
> Of course be aware that dhcp server bypasses a lot of the network stack
> because it uses raw packets.
>
>> Firmware update: I don't want to go this route.  The printer is happy
>> with its IPv4 address.  It doesn't have to speak IPv6.
> Does it have a setting on the printer to turn off IPv6 maybe?
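The DEBUG-comment trick above relies on eyeballing the counters that `watch` refreshes. The script below is an added example, not part of Bill's post or of Shorewall: it parses `ip6tables -t mangle -nvxL` output (Shorewall's COMMENT directive shows up as a `/* ... */` comment match in that listing), keeps only rules whose comment carries a tag (DEBUG by default), and prints the packet/byte delta between two snapshots. The two snapshots embedded in the block are constructed in the -nvxL layout; the chain name `tcpre`, the MAC and the counter values are made up for the demonstration. Note the `-x`: without it ip6tables abbreviates large counters as 12K/3M, which breaks the arithmetic.

```shell
#!/bin/sh
# Added example (not from the thread): report counter deltas of rules whose
# Shorewall COMMENT contains a tag, from two ip6tables -t mangle -nvxL dumps.
# Real use:  ip6tables -t mangle -nvxL > s1; sleep 2; ip6tables -t mangle -nvxL > s2
#            debug_delta s1 s2

# Print "chain|pkts|bytes|comment" for every rule whose /* comment */ contains
# the tag.  $1 = file with ip6tables -nvxL output, $2 = tag (default DEBUG).
debug_rules() {
    awk -v tag="${2:-DEBUG}" '
        /^Chain /          { chain = $2; next }   # chain header: remember name
        /^ *pkts +bytes/   { next }               # column header line
        NF == 0            { next }
        {
            if (match($0, /\/\*.*\*\//) == 0) next  # no comment match, skip
            c = substr($0, RSTART + 2, RLENGTH - 4)
            gsub(/^ +| +$/, "", c)
            if (index(c, tag) == 0) next
            printf "%s|%s|%s|%s\n", chain, $1, $2, c
        }' "$1"
}

# Counter deltas between two snapshots, keyed on chain + comment.
# $1 = earlier snapshot file, $2 = later snapshot file, $3 = tag.
debug_delta() {
    {
        debug_rules "$1" "$3" | sed 's/^/A|/'
        debug_rules "$2" "$3" | sed 's/^/B|/'
    } | awk -F'|' '
        $1 == "A" { k = $2 "|" $5; p[k] = $3; b[k] = $4 }
        $1 == "B" { k = $2 "|" $5
                    printf "%s [%s] +%d pkts +%d bytes (now %s pkts)\n",
                           $2, $5, $3 - p[k], $4 - b[k], $3 }'
}

# Constructed sample snapshots (not real captures), taken "two seconds apart".
SNAP1='Chain PREROUTING (policy ACCEPT 120 packets, 9860 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     120       9860 tcpre      all      *      *       ::/0                 ::/0

Chain tcpre (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       3        312 DROP       udp      *      *       ::/0                 ::/0                 MAC 00:11:22:33:44:55 udp dpt:547 /* crazy printer DEBUG */
      40       3200 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:22 /* ssh */'
SNAP2='Chain PREROUTING (policy ACCEPT 124 packets, 10188 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     124      10188 tcpre      all      *      *       ::/0                 ::/0

Chain tcpre (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       5        520 DROP       udp      *      *       ::/0                 ::/0                 MAC 00:11:22:33:44:55 udp dpt:547 /* crazy printer DEBUG */
      41       3280 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:22 /* ssh */'

# Run the delta over the constructed snapshots; the report goes to stdout.
demo_delta() {
    d=$(mktemp -d) || return 1
    printf '%s\n' "$SNAP1" > "$d/snap1"
    printf '%s\n' "$SNAP2" > "$d/snap2"
    debug_delta "$d/snap1" "$d/snap2"
    rm -rf "$d"
}
```

Wrapped in `watch -n2 'debug_delta prev cur'` (after copying `cur` to `prev` each round) this shows only the tagged rules and whether they actually fired, which is the question the counters are meant to answer: a DROP whose counter never moves is a rule the traffic is not reaching.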