ip6tables in KONG 36070M doesn't support REJECT?

redson
DD-WRT Novice


Joined: 14 May 2018
Posts: 10

Posted: Thu Jul 26, 2018 17:37    Post subject: ip6tables in KONG 36070M doesn't support REJECT?
I'm using Yamaraj's adbhostgen and am running into an issue where DNS requests over https are causing websites to hang.

I'm able to use iptables to REJECT the https DNS requests on IPv4, but when I try to do the same for IPv6 it looks like dd-wrt doesn't support reject

Code:
root@router:~# ip6tables -A INPUT -p tcp --destination-port 443 -j REJECT --reject-with tcp-reset
ip6tables v1.3.7: Unknown arg `--reject-with'
Try `ip6tables -h' or 'ip6tables --help' for more information.
root@router:~# ip6tables -A INPUT -p tcp --destination-port 443 -j REJECT
ip6tables v1.3.7: Couldn't find target `REJECT'

Try `ip6tables -h' or 'ip6tables --help' for more information.


Is this intentional? Is there a workaround?
redson
DD-WRT Novice


Joined: 14 May 2018
Posts: 10

Posted: Thu Jul 26, 2018 21:40
found out ip6t_REJECT & nf_reject_ipv6 needed to be loaded, but still no glory

Code:
root@router:~# lsmod | grep ipv6
nf_reject_ipv6          2224  1 ip6t_REJECT
nf_conntrack_ipv6       5419  2
nf_log_ipv6             3660  0
nf_defrag_ipv6         13159  1 nf_conntrack_ipv6
ipv6                  291117  28 nf_reject_ipv6,nf_conntrack_ipv6,nf_defrag_ipv6,shortcut_fe,sit,[permanent]
root@router:~# ip6tables -A INPUT -p tcp --destination-port 443 -j REJECT --reject-with tcp-reset
ip6tables v1.3.7: Unknown arg `--reject-with'
Try `ip6tables -h' or 'ip6tables --help' for more information.
root@router:~#


If anyone else has any experience getting reject working w/IPv6 I'd appreciate it!
Acumen
DD-WRT User


Joined: 15 Nov 2014
Posts: 221

Posted: Sat Jul 28, 2018 12:08
redson wrote:
found out ip6t_REJECT & nf_reject_ipv6 needed to be loaded, but still no glory

Code:
root@router:~# lsmod | grep ipv6
nf_reject_ipv6          2224  1 ip6t_REJECT
nf_conntrack_ipv6       5419  2
nf_log_ipv6             3660  0
nf_defrag_ipv6         13159  1 nf_conntrack_ipv6
ipv6                  291117  28 nf_reject_ipv6,nf_conntrack_ipv6,nf_defrag_ipv6,shortcut_fe,sit,[permanent]
root@router:~# ip6tables -A INPUT -p tcp --destination-port 443 -j REJECT --reject-with tcp-reset
ip6tables v1.3.7: Unknown arg `--reject-with'
Try `ip6tables -h' or 'ip6tables --help' for more information.
root@router:~#


If anyone else has any experience getting reject working w/IPv6 I'd appreciate it!


I used DROP instead, but that's of course not the same as REJECT.

_________________
Netgear WNDR4300v1 DD-WRT v3.0 BS r29837 | Netgear R6400 DD-WRT v3.0 KB r33525M | Tickets: 5429
IPv4 & IPv6-PD | ProFTP & Samba to USB thumb | DNSMasq DHCPv6 | Pi-Hole on RasPi

Found a bug? Report it so it can be fixed: http://svn.dd-wrt.com/
redson
DD-WRT Novice


Joined: 14 May 2018
Posts: 10

Posted: Sat Jul 28, 2018 16:34
Acumen wrote:

I used DROP instead, but that's of course not the same as REJECT.


Thanks for the suggestion! Tried setting it up, got the relevant rules in the table:

Code:
root@router:~# ip6tables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     0        anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     ipv6-icmp    anywhere             anywhere           
ACCEPT     0        fe80::/64            anywhere           
ACCEPT     0        anywhere             anywhere           
DROP       0        anywhere             anywhere           
DROP       tcp      anywhere             anywhere           tcp dpt:https
DROP       udp      anywhere             anywhere           udp dpt:80
DROP       udp      anywhere             anywhere           udp dpt:443


Unfortunately the relevant connections still hang. I need to get REJECT going
redson
DD-WRT Novice


Joined: 14 May 2018
Posts: 10

Posted: Tue Jul 31, 2018 16:18
Still no luck on this, I'm surprised nobody is using ip6tables "REJECT" target.

Out of ideas, as a shotgun effort, I loaded every module with '6' in its name.

Code:
# lsmod | grep 6
raid6_pq               86764  0
nls_cp936             120778  0
nf_nat_ipv6             3901  0
nf_dup_ipv6              996  0
l2tp_ip6                6084  0
l2tp_ip                 5145  1 l2tp_ip6
l2tp_core              12544  2 l2tp_ip6,l2tp_ip
ip6table_mangle         1034  0
ip6_udp_tunnel          1399  1 l2tp_core
ebt_ip6                 1674  0
ipcomp6                 1629  0
xfrm6_tunnel            2223  1 ipcomp6
xfrm6_mode_tunnel       1290  0
xfrm6_mode_transport      842  0
xfrm6_mode_beet         1290  0
ip6_tunnel             14136  0
tunnel6                 1691  2 xfrm6_tunnel,ip6_tunnel
mip6                    4044  0
ah6                     4732  0
esp6                    4855  0
ip6t_frag                970  0
ip6t_ipv6header         1162  0
ip6t_rpfilter           1226  0
ip6t_rt                 1610  0
ip6t_ah                  906  0
ip6t_REJECT             1098  0
nf_reject_ipv6          2224  1 ip6t_REJECT
nf_conntrack_ipv6       5419  3
nf_log_ipv6             3660  0
nf_defrag_ipv6         13159  1 nf_conntrack_ipv6
ip6table_filter          714  1
xfrm_ipcomp             2917  1 ipcomp6
xfrm6_mode_ro            695  0
xfrm_algo               3645  3 ah6,esp6,xfrm_ipcomp
ip_tunnel              10496  1 sit
tunnel4                 1628  1 sit
ipv6                  291117  46  nf_nat_ipv6,nf_dup_ipv6,l2tp_ip6,l2tp_core,ip6table_mangle,ipcomp6,
xfrm6_tunnel,xfrm6_mode_tunnel,xfrm6_mode_beet,ip6_tunnel,mip6,ah6,esp6,ip6t_rpfilter,
nf_reject_ipv6,nf_conntrack_ipv6,nf_defrag_ipv6,sit,[permanent]
ip6_tables              9405  2 ip6table_mangle,ip6table_filter
ext4                  308160  3
jbd2                   47256  1 ext4
mbcache                 6816  1 ext4
crc16                   1060  1 ext4
usb_storage            36813  4
scsi_mod               83369  3 usb_storage,sr_mod,sd_mod
xhci_plat_hcd           2116  0
xhci_pci                2568  0
ehci_pci                2826  0
switch_core             4866  1 switch_robo
#


Still doesn't know anything about the reject target:

Code:
# ip6tables -A INPUT -p tcp --destination-port 443 -j REJECT
ip6tables v1.3.7: Couldn't find target `REJECT'

Try `ip6tables -h' or 'ip6tables --help' for more information.
root@router:~#


Any suggestions or speculation welcome
Steffen M.
DD-WRT User


Joined: 23 Jan 2008
Posts: 50
Location: Ulm, Germany

Posted: Sun Jul 05, 2020 19:55    Post subject: Re: ip6tables in KONG 36070M doesn't support REJECT?
Hi redson,
redson wrote:
I'm able to use iptables to REJECT the https DNS requests on IPv4, but when I try to do the same for IPv6 it looks like dd-wrt doesn't support reject

Code:
root@router:~# ip6tables -A INPUT -p tcp --destination-port 443 -j REJECT --reject-with tcp-reset
ip6tables v1.3.7: Unknown arg `--reject-with'
Try `ip6tables -h' or 'ip6tables --help' for more information.
root@router:~# ip6tables -A INPUT -p tcp --destination-port 443 -j REJECT
ip6tables v1.3.7: Couldn't find target `REJECT'


This problem is still persistent in the most recent version of DD-WRT (v3.0-r43652 std (07/03/20)), at least in the branch for Broadcom devices (in my case: Netgear R7000P).

Therefore my question: Did you find any solution or any workaround if someone wants to actively reject IPv6 packets?

In my case, loading the kernel modules does not help, either. When using "strings" to search through the binary "/usr/sbin/ip6tables", I don't see any occurrences of "REJECT" there. When doing the same search in "/usr/sbin/iptables", there is a match for the "REJECT" target. So I suppose that the problem is in the binary which sets the rules.

Thank you very much in advance!

Kind regards,
Steffen
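
The check described in the post above (modules loaded, but no "REJECT" string in /usr/sbin/ip6tables) separates a kernel-side gap from a userspace-side one. The script below is an added example, not part of the original posts or of DD-WRT: the function names, the sample lsmod text and the stand-in binaries are constructed, and `grep -a` is used in place of `strings`.

```shell
#!/bin/sh
# Added example. Sample lsmod text and the fake "binaries" are constructed.

# Return 0 if ip6t_REJECT appears as a loaded module in lsmod-style text.
kernel_has_reject() {
    printf '%s\n' "$1" | awk '$1 == "ip6t_REJECT" { f = 1 } END { exit !f }'
}

# Return 0 if the target name occurs anywhere in the file. grep -a reads the
# binary as text, standing in for `strings FILE | grep TARGET`.
binary_has_target() {
    [ -r "$1" ] && grep -a -q -- "$2" "$1"
}

# Print which side is missing REJECT support: ok | userspace | kernel | both.
diagnose() {
    k=1; u=1
    kernel_has_reject "$1" && k=0
    binary_has_target "$2" REJECT && u=0
    case "$k$u" in
        00) echo ok ;;
        01) echo userspace ;;   # module loaded, tool cannot parse -j REJECT
        10) echo kernel ;;      # tool knows the target, module not loaded
        *)  echo both ;;
    esac
}

# Constructed inputs: module lines in the format shown in the thread, and two
# small files that mimic a tool built with and without the REJECT extension.
LSMOD_LOADED='nf_reject_ipv6          2224  1 ip6t_REJECT
ip6t_REJECT             1098  0'
LSMOD_BARE='nf_conntrack_ipv6       5419  2'
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
printf 'ELF\000iptables\000ACCEPT\000DROP\000REJECT\000reject-with\000' > "$TMP/with"
printf 'ELF\000ip6tables\000ACCEPT\000DROP\000' > "$TMP/without"

diagnose "$LSMOD_LOADED" "$TMP/without"   # the situation reported in the thread
diagnose "$LSMOD_LOADED" "$TMP/with"
diagnose "$LSMOD_BARE"   "$TMP/with"
```

On a router the inputs would be `"$(lsmod)"` and `/usr/sbin/ip6tables`. On builds that ship iptables extensions as separate shared objects, a miss in the main binary alone is not conclusive.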
Steffen M.
DD-WRT User


Joined: 23 Jan 2008
Posts: 50
Location: Ulm, Germany

Posted: Wed Jul 08, 2020 10:58
I submitted the following ticket: https://svn.dd-wrt.com/ticket/7161
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

Posted: Wed Jul 08, 2020 14:51
Should be fixed in an upcoming release.

https://svn.dd-wrt.com/changeset/43714

Steffen M.
DD-WRT User


Joined: 23 Jan 2008
Posts: 50
Location: Ulm, Germany

Posted: Wed Jul 08, 2020 21:07
kernel-panic69 wrote:
Should be fixed in an upcoming release.

https://svn.dd-wrt.com/changeset/43714


Thanks a lot! :)

Kind regards,
Steffen