IPv6 bogons didn't update table when IPv6 enabled
-
The following log entries regarding the bogons update appeared… the one about IPv6, however, is incorrect.
Apr 1 03:01:00 root rc.update_bogons.sh is starting up.
Apr 1 03:01:00 root rc.update_bogons.sh is sleeping for 35853
Apr 1 12:58:33 root rc.update_bogons.sh is beginning the update cycle.
Apr 1 12:58:34 root Bogons V4 file downloaded: 3759 addresses added.
Apr 1 12:58:34 root Bogons V6 file downloaded but not updating IPv6 bogons table because IPv6 Allow is off
Apr 1 12:58:34 root rc.update_bogons.sh is ending the update cycle.
IPv6 Allow is on, and always has been. I have and use IPv6 on a daily basis, and all of my interfaces are configured, and it's working great too. Someone might want to check this script to make sure it's checking the right setting for IPv6 Allow…
-
That can be a misleading message as it just means your bogonsv6 table is empty. What do you get for:
pfctl -sTables | grep ^bogonsv6$ | wc -l | awk '{ print $1 }'
It still puts the file into place and it'll be applied on next filter reload in that instance, but sounds like there's something not right there.
-
[2.3-RC][root@gw.home]/root: pfctl -sTables | grep ^bogonsv6$ | wc -l | awk '{ print $1 }'
0
[2.3-RC][root@gw.home]/root:
-
What does your /etc/bogonsv6 file contain? Is bogonsv6 mentioned in /tmp/rules.debug?
-
/etc/bogonsv6 contains plenty… it extends well beyond the scrollback buffer of my SSH client.
Nothing referencing bogonsv6 in /tmp/rules.debug, but there is a line referencing /etc/bogons... that's all though.
-
Do you actually have block bogons enabled on any interface? It's only added to rules.debug where block bogons is enabled on an enabled interface.
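The checks suggested in this thread (is the bogonsv6 table loaded in pf, does /etc/bogonsv6 have content, is the table referenced in /tmp/rules.debug) can be combined into one small diagnostic. The script below is an added example, not code from the thread or from pfSense itself; the pfctl table list and rules.debug fragment are constructed samples standing in for real command output, and on a live box you would feed it `pfctl -sTables`, `wc -l < /etc/bogonsv6` and `/tmp/rules.debug` instead. It distinguishes the expected case (file downloaded, no interface has Block Bogons enabled, so no rule references the table) from a failed download or a table that is simply waiting for the next filter reload.

```shell
#!/bin/sh
# Added example: classify why the bogonsv6 pf table may be empty.
# Assumes pfSense-style names: pf table "bogonsv6", file /etc/bogonsv6,
# ruleset /tmp/rules.debug. Sample inputs below are constructed.

# Constructed stand-in for `pfctl -sTables` on a box where only the v4 table is loaded
SAMPLE_TABLES="bogons
sshguard
virusprot"

# Constructed stand-in for a /tmp/rules.debug that references only the v4 bogons file
SAMPLE_RULES="table <bogons> persist file \"/etc/bogons\"
block in log quick on em0 from <bogons> to any label \"block bogon IPv4 networks from WAN\""

# count_matches TEXT REGEX -> number of lines in TEXT matching REGEX (always exits 0)
count_matches() {
    printf '%s\n' "$1" | grep -c "$2" || true
}

# bogons_status TABLES RULES V6FILE_LINES -> one-word diagnosis
#   loaded          bogonsv6 is present in pf
#   file-empty      /etc/bogonsv6 has no entries (download never ran or failed)
#   not-referenced  file is populated but no enabled interface has Block Bogons on,
#                   so the ruleset never declares the table (expected, per this thread)
#   pending-reload  file and rule exist; table fills on the next filter reload
bogons_status() {
    v6_loaded=$(count_matches "$1" '^bogonsv6$')
    v6_ruled=$(count_matches "$2" 'bogonsv6')
    v6lines=$3
    if [ "$v6_loaded" -gt 0 ]; then
        echo "loaded"
    elif [ "$v6lines" -eq 0 ]; then
        echo "file-empty"
    elif [ "$v6_ruled" -eq 0 ]; then
        echo "not-referenced"
    else
        echo "pending-reload"
    fi
}

# Usage with the constructed samples; 120000 stands in for `wc -l < /etc/bogonsv6`
bogons_status "$SAMPLE_TABLES" "$SAMPLE_RULES" 120000
```

On a real system, replace the three sample arguments with `"$(pfctl -sTables)"`, `"$(cat /tmp/rules.debug)"` and `"$(wc -l < /etc/bogonsv6)"`; a result of `not-referenced` is the situation described in this thread and is not a fault.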
-
Well, ya got me there… I don't have Block Bogons enabled on any interface... but given that... Why is the IPv4 file being loaded into the table if Block Bogons isn't enabled?
With my settings set the way they are, I would expect the Bogons table to either be empty, or have both IPv4 and v6 data in it. It shouldn't have one but not the other. All or nothing is how it should be since I have IPv6 allowed.
-
Originally the IPv6 bogons table was always loaded just like the v4 one is, but the v6 one is huge and was hitting people's table limits on systems with limited RAM (256 MB usually). So it was changed to only be loaded where it's necessary. The v4 one wasn't changed for that because it's trivially small.
I clarified the log it spits out in that case.
-
I can understand that the IPv6 list would be massive… in that case, it's understandable that it's not included unless necessary. :)
The log message was just confusing... and then the fact that IPv4 was present but IPv6 wasn't just added to it.
Thanks! :)