Dhcp6c - unable to get IPv6-PD "Operation not permitted"

Hi there. I’ve got an issue that I haven’t been able to resolve, and I’m not sure if it’s a bug.

Context: I’m on AT&T Fiber and I recently migrated from 1.3-rolling to vyos-1.5-rolling-202406210019. My configuration was auto converted. On booting up, I noticed that I was not getting an IPv6 prefix delegation. I checked my system logs and I see the following:

Jun 23 15:51:15 gw01 dhcp6c[24710]: copy_option: set client ID (len 27)
Jun 23 15:51:15 gw01 dhcp6c[24710]: copyout_option: set identity association
Jun 23 15:51:15 gw01 dhcp6c[24710]: copy_option: set elapsed time (len 2)
Jun 23 15:51:15 gw01 dhcp6c[24710]: copy_option: set option request (len 4)
Jun 23 15:51:15 gw01 dhcp6c[24710]: client6_send: transmit failed: Operation not permitted
Jun 23 15:51:15 gw01 dhcp6c[24710]: dhcp6_reset_timer: reset a timer on eth0.0, state=SOLICIT, timeo=2, retrans=4283

I’ve simplified my configuration as much as possible to debug. I’ve narrowed it down to the presence/absence of a few firewall configuration commands. This is my simplified config:

set firewall global-options state-policy established action 'accept'
set firewall global-options state-policy invalid action 'drop'
set firewall global-options state-policy related action 'accept'
set interfaces ethernet eth0 eapol ca-certificate 'att-services'
set interfaces ethernet eth0 eapol certificate 'att-client'
set interfaces ethernet eth0 hw-id 'xx:xx:xx:xx:xx:ac'
set interfaces ethernet eth0 mac 'xx:xx:xx:xx:xx:71'
set interfaces ethernet eth0 offload gro
set interfaces ethernet eth0 offload gso
set interfaces ethernet eth0 offload sg
set interfaces ethernet eth0 offload tso
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth0 vif 0 address 'dhcp'
set interfaces ethernet eth0 vif 0 address 'dhcpv6'
set interfaces ethernet eth0 vif 0 description 'WAN'
set interfaces ethernet eth0 vif 0 dhcp-options default-route-distance '210'
set interfaces ethernet eth0 vif 0 dhcpv6-options duid 'xx:xx:xx:xx:xx:e9:xx:xx:xx:xx:xx:36:xx:xx:xx:xx:xx:48:xx:xx:xx:xx:xx:38:32:38:39'
set interfaces ethernet eth0 vif 0 ipv6 address autoconf
set interfaces ethernet eth1 hw-id 'xx:xx:xx:xx:xx:ad'
set interfaces ethernet eth1 offload gro
set interfaces ethernet eth1 offload gso
set interfaces ethernet eth1 offload sg
set interfaces ethernet eth1 offload tso
set interfaces ethernet eth2 hw-id 'xx:xx:xx:xx:xx:ae'
set interfaces ethernet eth2 offload gro
set interfaces ethernet eth2 offload gso
set interfaces ethernet eth2 offload sg
set interfaces ethernet eth2 offload tso
set interfaces ethernet eth3 address '192.168.100.1/24'
set interfaces ethernet eth3 description 'Local test network'
set interfaces ethernet eth3 hw-id 'xx:xx:xx:xx:xx:af'
set interfaces ethernet eth3 offload gro
set interfaces ethernet eth3 offload gso
set interfaces ethernet eth3 offload sg
set interfaces ethernet eth3 offload tso
set interfaces loopback lo
set nat source rule 10 description 'masquerade on WAN'
set nat source rule 10 outbound-interface name 'eth0.0'
set nat source rule 10 protocol 'all'
set nat source rule 10 translation address 'masquerade'
set pki ca server-ca-1 certificate ''
set pki ca server-ca-2 certificate ''
set pki ca att-services certificate ''
set pki certificate att-client certificate ''
set pki certificate att-client private key ''
set service dhcp-server shared-network-name local-testnet authoritative
set service dhcp-server shared-network-name local-testnet description 'Local test network'
set service dhcp-server shared-network-name local-testnet subnet 192.168.100.0/24 lease '3600'
set service dhcp-server shared-network-name local-testnet subnet 192.168.100.0/24 option default-router '192.168.100.1'
set service dhcp-server shared-network-name local-testnet subnet 192.168.100.0/24 option name-server '208.67.222.222'
set service dhcp-server shared-network-name local-testnet subnet 192.168.100.0/24 option name-server '208.67.220.220'
set service dhcp-server shared-network-name local-testnet subnet 192.168.100.0/24 range 0 start '192.168.100.10'
set service dhcp-server shared-network-name local-testnet subnet 192.168.100.0/24 range 0 stop '192.168.100.99'
set service dhcp-server shared-network-name local-testnet subnet 192.168.100.0/24 subnet-id '100'
set service ntp allow-client address '127.0.0.0/8'
set service ntp allow-client address '169.254.0.0/16'
set service ntp allow-client address '10.0.0.0/8'
set service ntp allow-client address '172.16.0.0/12'
set service ntp allow-client address '192.168.0.0/16'
set service ntp allow-client address '::1/128'
set service ntp allow-client address 'fe80::/10'
set service ntp allow-client address 'fc00::/7'
set service ntp server time1.vyos.net
set service ntp server time2.vyos.net
set service ntp server time3.vyos.net
set service ssh listen-address '192.168.100.1'
set system config-management commit-revisions '100'
set system console device ttyS0 speed '115200'
set system domain-name xxxxxx
set system host-name xxxxxx
set system login user vyos authentication plaintext-password ''
set system name-server '208.67.222.222'
set system name-server '208.67.220.220'
set system syslog global facility all level 'info'
set system syslog global facility local7 level 'debug'
set system time-zone 'America/Chicago'

If I remove the following three lines (or, effectively, run delete firewall in the configuration shell):

set firewall global-options state-policy established action 'accept'
set firewall global-options state-policy invalid action 'drop'
set firewall global-options state-policy related action 'accept'

I’m able to get an IPv6 PD.

What am I missing in the firewall’s default behavior that is preventing the firewall from getting a prefix delegation?

My bad. There was an error in the latest implementation of raw tables in the firewall; the original task is T3900 Add support for raw tables to firewall
A fix was introduced last week for IPv4, but the identical patch was not applied for IPv6: T3900: firewall: fix for initial implementation - remove jump to stat… · vyos/vyos-1x@7829229 · GitHub
I will submit one shortly.
Meanwhile, you can:

  • Delete invalid options for state policies. This rule is dropping what you need.
  • Edit file /usr/share/vyos/templates/firewall/nftables.j2 and replace line 242 with:
{%             if global_options.state_policy is vyos_defined and prior == 'filter' %}
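
The workaround above restricts the state-policy jump to the filter-priority chain; the problem it avoids is a jump emitted into the raw-priority chain, which runs before conntrack has seen the packet, so the state policy cannot classify the outgoing DHCPv6 Solicit and the invalid-drop rule discards it (a drop in the output path is what dhcp6c reports as "Operation not permitted"). The following Python script is an added diagnostic, not code from this thread or from VyOS: it parses the text output of nft list ruleset and reports any base chain hooked before conntrack (priority below -200) that jumps to a state-policy chain. The table and chain names in the embedded sample ruleset are constructed for illustration, and matching the substring STATE_POLICY is an assumption about how the template names that chain.

```python
"""Added diagnostic: find nftables base chains that evaluate a state policy
before conntrack has run.  Not VyOS code; sample ruleset below is constructed."""
import re
import sys
from typing import Dict, List, Optional

# Standard nftables priority names (see nft(8)).  Conntrack itself hooks at -200,
# so any base chain with a lower priority sees packets with no ct entry yet.
PRIORITY_NAMES = {
    "raw": -300, "mangle": -150, "dstnat": -100, "filter": 0,
    "security": 50, "srcnat": 100, "out": 0,
}
CONNTRACK_PRIORITY = -200

_CHAIN_RE = re.compile(r"^\s*chain\s+(\S+)\s*\{")
_HOOK_RE = re.compile(r"^\s*type\s+\w+\s+hook\s+\w+\s+priority\s+([^;]+);")
_JUMP_RE = re.compile(r"\b(?:jump|goto)\s+(\S+)")


def parse_priority(expr: str) -> int:
    """Resolve a priority expression such as '-300', 'raw' or 'filter + 10'."""
    expr = expr.strip()
    m = re.fullmatch(r"(-?\d+)", expr)
    if m:
        return int(m.group(1))
    m = re.fullmatch(r"([a-z]+)(?:\s*([+-])\s*(\d+))?", expr)
    if not m or m.group(1) not in PRIORITY_NAMES:
        raise ValueError(f"unknown priority expression: {expr!r}")
    value = PRIORITY_NAMES[m.group(1)]
    if m.group(2):
        offset = int(m.group(3))
        value += offset if m.group(2) == "+" else -offset
    return value


def parse_chains(ruleset: str) -> Dict[str, dict]:
    """Map chain name -> {'priority': int or None, 'jumps': [targets]}.

    Only base chains carry a 'type ... hook ... priority' line; regular chains
    keep priority None."""
    chains: Dict[str, dict] = {}
    current: Optional[str] = None
    for line in ruleset.splitlines():
        m = _CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"priority": None, "jumps": []}
            continue
        if current is None:
            continue                      # table-level line, not inside a chain
        if line.strip() == "}":
            current = None                # closing brace of the chain
            continue
        m = _HOOK_RE.match(line)
        if m:
            chains[current]["priority"] = parse_priority(m.group(1))
            continue
        m = _JUMP_RE.search(line)
        if m:
            chains[current]["jumps"].append(m.group(1))
    return chains


def state_policy_before_conntrack(ruleset: str, policy_marker: str = "STATE_POLICY") -> List[str]:
    """Return base chains hooked before conntrack that jump to a state-policy chain."""
    offenders = []
    for name, info in parse_chains(ruleset).items():
        prio = info["priority"]
        if prio is None or prio >= CONNTRACK_PRIORITY:
            continue
        if any(policy_marker in target for target in info["jumps"]):
            offenders.append(name)
    return offenders


# Constructed sample: a raw-priority output chain that (wrongly) jumps to the
# state policy, beside a filter-priority chain that (correctly) does.
SAMPLE_RULESET = """\
table ip6 vyos_filter {
    chain VYOS_STATE_POLICY6 {
        ct state established accept
        ct state invalid drop
        ct state related accept
    }
    chain VYOS_IPV6_OUTPUT_raw {
        type filter hook output priority raw; policy accept;
        jump VYOS_STATE_POLICY6
    }
    chain VYOS_IPV6_OUTPUT_filter {
        type filter hook output priority filter; policy accept;
        jump VYOS_STATE_POLICY6
    }
}
"""

if __name__ == "__main__":
    # Pipe a live dump in (`sudo nft list ruleset | python3 check.py`), else use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RULESET
    for chain in state_policy_before_conntrack(text):
        print(f"state policy evaluated before conntrack in chain {chain}")
```

On the sample it reports VYOS_IPV6_OUTPUT_raw and stays silent on the filter-priority chain; after applying the template fix, the raw chain should no longer appear.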

Hey! Thanks for the quick reply. That’s good to know. I’ll look at trying out these options later tonight when I get home from work.

As for this, do I need to file an issue in Phabricator? Double checking in case I should since I don’t want to create a duplicate bug.

Thank you!


Please test, and if it’s not fixed, it would be good to file an issue in Phabricator.
By the way, the fix was already merged, so the next nightly build shouldn’t have this issue: T3900: extend latest fix for firewall raw implementation to ipv6. by nicolas-fort · Pull Request #3722 · vyos/vyos-1x · GitHub


I’m on rolling and the patch worked for me.

I applied the patch to /usr/share/vyos/templates/firewall/nftables.j2 and rebooted. I can now get an IPv6 PD from my provider. I’m now looking forward to the next nightly build with this fix, which I can install onto the host.

@n.fort Thank you for your help! I appreciate it.
