[SOLVED] Strange behavior of firewall with IPv6

Oliver Treck
Jan 7, 2016
Hello.

I have a Proxmox 4 cluster with 3 nodes connected with an Open vSwitch bridge.
An IPv4 failover subnet and several IPv6 subnets get routed to the VMs connected via the OVS bridge.

The firewall is activated and I would like to change the default input policy to "DROP", but if I do so I can't ping the IPv6 addresses of my VMs anymore.
Even if I define the whole IPv6 subnet (dst and src) as "ACCEPT" on datacenter or host level.

I can see that rules get defined in ip6tables and PVEFW-HOST-IN looks like:
Chain PVEFW-HOST-IN (1 references)
target prot opt source destination
ACCEPT all ::/0 ::/0
DROP all ::/0 ::/0 ctstate INVALID
ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED
RETURN 2 ::/0 ::/0
RETURN all 2a01:4f8:xxx:xxx::/64 ::/0
RETURN all ::/0 2a01:4f8:xxx:xxx::/64
RETURN all ::/0 ::/0 match-set PVEFW-0-guest-nets-v6-v6 dst
RETURN icmpv6 ::/0 ::/0 match-set PVEFW-0-nodes-v6 dst ipv6-icmptype 128
RETURN tcp ::/0 ::/0 match-set PVEFW-0-nodes-v6 dst tcp dpt:22
RETURN tcp ::/0 ::/0 match-set PVEFW-0-nodes-v6 dst tcp dpt:8006
RETURN all ::/0 ::/0 match-set PVEFW-0-guest-nets-v6-v6 src
RETURN all ::/0 ::/0 match-set PVEFW-0-guest-nets-v6 src
RETURN all ::/0 ::/0 match-set PVEFW-0-nodes-v6 src
RETURN all ::/0 ::/0
RETURN tcp ::/0 ::/0 match-set PVEFW-0-management-v6 src tcp dpt:8006
RETURN tcp ::/0 ::/0 match-set PVEFW-0-management-v6 src tcp dpts:5900:5999
RETURN tcp ::/0 ::/0 match-set PVEFW-0-management-v6 src tcp dpt:3128
RETURN tcp ::/0 ::/0 match-set PVEFW-0-management-v6 src tcp dpt:22
PVEFW-Drop all ::/0 ::/0
NFLOG all ::/0 ::/0 nflog-prefix ":0:7:pVEFW-HOST-IN: policy DROP: "
DROP all ::/0 ::/0
all ::/0 ::/0 /* PVESIG:GLBLMHPfqV6d+AobtrfGMUmDfRA */

In the pve-firewall log I see lots of lines like:
0 7 PVEFW-HOST-IN 15/Feb/2016:18:48:02 +0100 policy DROP: IN=eth0 MAC=50:46:5d:4d:1f:b8:00:26:88:75:c8:24:86:dd IPV6 logging not implemented

I tried several things, but nothing worked.

Does anyone have an idea what to do?

Kind regards,
Oliver
Because you're dropping NDP packets. Add the NeighborDiscovery macro to the allowed rules.
IPv6 uses NDP instead of ARP which works via IPv6 packets sent to link-local addresses, so even if you allow your entire subnet, it will not match link local addresses. You can either allow link-local traffic in general (fe80::/10) or just NDP.
(I'd go with NDP if your intention was not to allow the entire subnet because link-local addresses can be used for every other kind of communication as well.)

EDIT:
Ah, I didn't see that at first - how exactly did you change the input policy? Apparently not via the GUI? Because the GUI would end the firewall rules with a drop rule as opposed to a drop policy.
Our accept-policy-rule is 'return' (iow let whatever other firewall chains you may have configured manually do their job), so basically if you use `iptables -P DROP` you overrule all firewall rules we previously defined.
Thanks Wolfgang. That was the solution.
Didn't know that I have to allow NDP manually.

EDIT:
I used the GUI to change default input policy.
Ah okay. For the record, it's easier for us to see these things with the /etc/pve/firewall/* files or the whole output of ip6tables-save
Anyway, good to know it works now.