Netgate Discussion Forum

    IPv6 bogons didn't update table when IPv6 enabled

    2.3-RC Snapshot Feedback and Issues - ARCHIVED
    • MikeV7896

      The following log entries regarding bogons update appeared… the one about IPv6, however, is incorrect.

      Apr 1 03:01:00	root		rc.update_bogons.sh is starting up.
      Apr 1 03:01:00	root		rc.update_bogons.sh is sleeping for 35853
      Apr 1 12:58:33	root		rc.update_bogons.sh is beginning the update cycle.
      Apr 1 12:58:34	root		Bogons V4 file downloaded: 3759 addresses added.
      Apr 1 12:58:34	root		Bogons V6 file downloaded but not updating IPv6 bogons table because IPv6 Allow is off
      Apr 1 12:58:34	root		rc.update_bogons.sh is ending the update cycle.
      

      IPv6 Allow is on, and always has been. I have and use IPv6 on a daily basis, and all of my interfaces are configured, and it's working great too. Someone might want to check this script to make sure it's checking the right setting for IPv6 Allow…

      The S in IOT stands for Security

      • cmb

        That can be a misleading message as it just means your bogonsv6 table is empty. What do you get for:

        pfctl -sTables | grep ^bogonsv6$ | wc -l | awk '{ print $1 }'
        

        It still puts the file into place and it'll be applied on next filter reload in that instance, but sounds like there's something not right there.

        • MikeV7896

          [2.3-RC][root@gw.home]/root: pfctl -sTables | grep ^bogonsv6$ | wc -l | awk '{ print $1 }'
          0
          [2.3-RC][root@gw.home]/root:
          

          The S in IOT stands for Security

          • cmb

            What does your /etc/bogonsv6 file contain? Is bogonsv6 mentioned in /tmp/rules.debug?

            • MikeV7896

              /etc/bogonsv6 contains plenty… it extends well beyond the scrollback buffer of my SSH client.

              Nothing referencing bogonsv6 in /tmp/rules.debug, but there is a line referencing /etc/bogons... that's all though.

              The S in IOT stands for Security

              • cmb

                Do you actually have block bogons enabled on any interface? It's only added to rules.debug where block bogons is enabled on an enabled interface.

                • MikeV7896

                  Well, ya got me there… I don't have Block Bogons enabled on any interface... but given that... Why is the IPv4 file being loaded into the table if Block Bogons isn't enabled?

                  With my settings set the way they are, I would expect the Bogons table to either be empty, or have both IPv4 and v6 data in it. It shouldn't have one but not the other. All or nothing is how it should be since I have IPv6 allowed.

                  The S in IOT stands for Security

                  • cmb

                    Originally the IPv6 bogons table was always loaded just like the v4 one is, but the v6 one is huge and was hitting people's table limits on systems with limited RAM (256 MB usually). So it was changed to only be loaded where it's necessary. The v4 one wasn't changed for that because it's trivially small.

                    I clarified the log it spits out in that case.

                    • MikeV7896

                      I can understand that the IPv6 list would be massive… in that case, it's understandable that it's not included unless necessary. :)

                      The log message was just confusing... and then the fact that IPv4 was present but IPv6 wasn't just added to it.

                      Thanks! :)

                      The S in IOT stands for Security
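
The triage worked through in this thread, collected into one script. This is an added example, not code from either poster or from pfSense itself: the function names and state words are hypothetical, and the sample table list and rules.debug line are constructed so it runs offline.

```shell
#!/bin/sh
# Added example: triage for the "not updating IPv6 bogons table" log message.
# Inputs are files so this runs offline. On a live firewall, save the output
# of `pfctl -sTables` to a file and pass /tmp/rules.debug and /etc/bogonsv6
# (the paths named in the thread) as the other two arguments.

# Same test as in the thread: counts tables named exactly "bogonsv6".
table_listed() {
    grep -c '^bogonsv6$' "$1"
}

# diagnose_bogonsv6 TABLES_FILE RULES_FILE BOGONS_FILE -> prints one state word
diagnose_bogonsv6() {
    tables=$1 rules=$2 bogons=$3
    if [ "$(table_listed "$tables")" -gt 0 ]; then
        echo loaded
    elif ! grep -q 'bogonsv6' "$rules"; then
        # No reference in the ruleset: Block Bogons is not enabled on any
        # enabled interface, so the v6 table is deliberately not loaded.
        echo not-needed
    elif [ -s "$bogons" ]; then
        # The ruleset wants the table and the list is on disk: per the
        # thread, it is applied on the next filter reload.
        echo pending-reload
    else
        # Referenced by the ruleset but the downloaded list is empty/missing.
        echo list-missing
    fi
}

# Constructed sample reproducing the original poster's state: only the v4
# table exists and rules.debug references /etc/bogons but not bogonsv6.
demo() {
    d=$(mktemp -d)
    printf 'bogons\nsshlockout\n' > "$d/tables"
    printf 'table <bogons> persist file "/etc/bogons"\n' > "$d/rules.debug"
    printf '2001:db8::/32\n' > "$d/bogonsv6"
    diagnose_bogonsv6 "$d/tables" "$d/rules.debug" "$d/bogonsv6"
    rm -rf "$d"
}
demo   # prints: not-needed
```

A result of pending-reload that persists after a filter reload is the case worth investigating further, since the ruleset expects a table that pf does not have.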
