-
Notifications
You must be signed in to change notification settings - Fork 70
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cannot send packets in one direction (other works) #78
Comments
It stopped working in the other direction as well, after I upgraded the VM from buster to bullseye. I suspect this upgrade to be at fault. Downgrading just the ipv6toolkit binary package does not fix the problem. |
Booting with the buster kernel, Linux 4.19.0-21-amd64 (4.19.249-2), does not magically fix this either. |
Incidentally… on the host system running bullseye, switching to a buster chroot does work!
|
(Workaround comment for https://github.com/orgs/community/discussions/23319 - please ignore.) |
Cc libpcap maintainers; context is #1016129 on debbugs.
From diffing around between a buster and a bullseye system, I could
track this bug down:
libpcap0.8:
1.10.0-2 500
500 http://deb.debian.org/debian bullseye/main amd64 Packages
1.10.0-2~bpo10+1 100
100 http://deb.debian.org/debian buster-backports/main amd64 Packages
1.8.1-6+deb10u1 500
500 http://deb.debian.org/debian buster/main amd64 Packages
Installing 1.10.0-2~bpo10+1 on buster breaks ipv6toolkit.
Installing 1.10.0-2~bpo10+1 on bullseye does not fix ipv6toolkit,
installing 1.8.1-6+deb10u1 on bullseye (which temporarily breaks
tcpdump) does fix ipv6toolkit.
So there’s either something in the newer libpcap that breaks
ipv6toolkit, or something in ipv6toolkit that’s not yet compatible
with newer libpcap.
bye,
//mirabilos
--
Yay for having to rewrite other people's Bash scripts because bash
suddenly stopped supporting the bash extensions they make use of
-- Tonnerre Lombard in #nosec
|
What happens if you run with (And why are those not ALWAYS reported? "Error while performing Neighbor Discovery for the Destination Address" and "Error while learning Souce Address and Next Hop" amount to "Something bad happened, but I'm not going to tell you what it was", which aren't very helpful if you want to try to make something bad not happen.) |
Guy Harris dixit:
What happens if you run with `-vv` which, it appears, will cause the
programs to report errors from libpcap calls?
Not more, unfortunately:
$ sudo tcp6 -i eth1 -d fec0::1 -y 500 -a 13 -P 600 -v -v -v -v -v
Error while performing Neighbor Discovery for the Destination Address
Error while learning Souce Address and Next Hop
Would an strace (3.6 MB) be useful, or do you prefer testing this
on your own Debian system/VM?
bye,
//mirabilos
--
21:49⎜<allamoox:#sendmail> I have a question guys,
⎜ Can I use my PC as SMTP server, I use Windows 7 .
⎜ Already googled and Installed IIS
⎜ but Still I can't send E-mail
|
On the bullseye kernel, a libpcap 1.8 works? |
Michael Richardson dixit:
On the bullseye kernel, a libpcap 1.8 works?
Yes.
I'm curious if on a buster kernel, a libpcap 1.10 works?
No.
bye,
//mirabilos
--
When he found out that the m68k port was in a pretty bad shape, he did
not, like many before him, shrug and move on; instead, he took it upon
himself to start compiling things, just so he could compile his shell.
How's that for dedication. -- Wouter, about my Debian/m68k revival
|
So either 1) running with four If it's 1), that would imply unlikely brokenness, so I'll assume it's 2), and, therefore, that no libpcap call reported an error. That means that the Neighbor Advertisement packet wasn't seen, either because 1) it wasn't sent, 2) it wasn't received, 3) it was received but didn't make it to the PF_PACKET socket or was dropped before the filtering, or 4) it was received, made it to the PF_PACKET socket, but didn't pass the capture filter. Did you run tcpdump or Wireshark while running tcp6, to see what traffic was sent by and received on the machine running tcp6? |
Guy Harris dixit:
Did you run tcpdump or Wireshark while running tcp6, to see what
traffic was sent by and received on the machine running tcp6?
I didn’t, but I can easily do that. I’m using…
sudo tcp6 -i eth1 -d fec0::1 -y 500 -a 13 -P 600
… as the test command, which I know used to work, since there were
quite a few I’ve tried, so to be clear which I use.
Note the 23:43:58 ones came in just as I pressed ^C and definitely
past the runtime of the tcp6 command. The link “should” be otherwise
idle, but things like Avahi are bound to create background traffic.
$ sudo tcpdump -evvlns 2000 -Xi eth1
tcpdump: listening on eth1, link-type EN10MB (Ethernet), snapshot length 2000 bytes
23:43:53.682817 52:54:00:b7:47:b9 > 33:33:ff:00:00:01, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::5054:ff:feb7:47b9 > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fec0::1
source link-address option (1), length 8 (1): 52:54:00:b7:47:b9
0x0000: 5254 00b7 47b9
0x0000: 6000 0000 0020 3aff fe80 0000 0000 0000 `.....:.........
0x0010: 5054 00ff feb7 47b9 ff02 0000 0000 0000 PT....G.........
0x0020: 0000 0001 ff00 0001 8700 49d2 0000 0000 ..........I.....
0x0030: fec0 0000 0000 0000 0000 0000 0000 0001 ................
0x0040: 0101 5254 00b7 47b9 ..RT..G.
23:43:53.683167 52:54:00:76:0b:a6 > 52:54:00:b7:47:b9, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) fec0::1 > fe80::5054:ff:feb7:47b9: [icmp6 sum ok] ICMP6, neighbor advertisement, length 32, tgt is fec0::1, Flags [router, solicited, override]
destination link-address option (2), length 8 (1): 52:54:00:76:0b:a6
0x0000: 5254 0076 0ba6
0x0000: 6000 0000 0020 3aff fec0 0000 0000 0000 `.....:.........
0x0010: 0000 0000 0000 0001 fe80 0000 0000 0000 ................
0x0020: 5054 00ff feb7 47b9 8800 a369 e000 0000 PT....G....i....
0x0030: fec0 0000 0000 0000 0000 0000 0000 0001 ................
0x0040: 0201 5254 0076 0ba6 ..RT.v..
23:43:54.682914 52:54:00:b7:47:b9 > 33:33:ff:00:00:01, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::5054:ff:feb7:47b9 > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fec0::1
source link-address option (1), length 8 (1): 52:54:00:b7:47:b9
0x0000: 5254 00b7 47b9
0x0000: 6000 0000 0020 3aff fe80 0000 0000 0000 `.....:.........
0x0010: 5054 00ff feb7 47b9 ff02 0000 0000 0000 PT....G.........
0x0020: 0000 0001 ff00 0001 8700 49d2 0000 0000 ..........I.....
0x0030: fec0 0000 0000 0000 0000 0000 0000 0001 ................
0x0040: 0101 5254 00b7 47b9 ..RT..G.
23:43:54.683161 52:54:00:76:0b:a6 > 52:54:00:b7:47:b9, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) fec0::1 > fe80::5054:ff:feb7:47b9: [icmp6 sum ok] ICMP6, neighbor advertisement, length 32, tgt is fec0::1, Flags [router, solicited, override]
destination link-address option (2), length 8 (1): 52:54:00:76:0b:a6
0x0000: 5254 0076 0ba6
0x0000: 6000 0000 0020 3aff fec0 0000 0000 0000 `.....:.........
0x0010: 0000 0000 0000 0001 fe80 0000 0000 0000 ................
0x0020: 5054 00ff feb7 47b9 8800 a369 e000 0000 PT....G....i....
0x0030: fec0 0000 0000 0000 0000 0000 0000 0001 ................
0x0040: 0201 5254 0076 0ba6 ..RT.v..
23:43:55.682967 52:54:00:b7:47:b9 > 33:33:ff:00:00:01, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::5054:ff:feb7:47b9 > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fec0::1
source link-address option (1), length 8 (1): 52:54:00:b7:47:b9
0x0000: 5254 00b7 47b9
0x0000: 6000 0000 0020 3aff fe80 0000 0000 0000 `.....:.........
0x0010: 5054 00ff feb7 47b9 ff02 0000 0000 0000 PT....G.........
0x0020: 0000 0001 ff00 0001 8700 49d2 0000 0000 ..........I.....
0x0030: fec0 0000 0000 0000 0000 0000 0000 0001 ................
0x0040: 0101 5254 00b7 47b9 ..RT..G.
23:43:55.683294 52:54:00:76:0b:a6 > 52:54:00:b7:47:b9, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) fec0::1 > fe80::5054:ff:feb7:47b9: [icmp6 sum ok] ICMP6, neighbor advertisement, length 32, tgt is fec0::1, Flags [router, solicited, override]
destination link-address option (2), length 8 (1): 52:54:00:76:0b:a6
0x0000: 5254 0076 0ba6
0x0000: 6000 0000 0020 3aff fec0 0000 0000 0000 `.....:.........
0x0010: 0000 0000 0000 0001 fe80 0000 0000 0000 ................
0x0020: 5054 00ff feb7 47b9 8800 a369 e000 0000 PT....G....i....
0x0030: fec0 0000 0000 0000 0000 0000 0000 0001 ................
0x0040: 0201 5254 0076 0ba6 ..RT.v..
23:43:58.805988 52:54:00:76:0b:a6 > 52:54:00:b7:47:b9, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::5054:ff:fe76:ba6 > fe80::5054:ff:feb7:47b9: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::5054:ff:feb7:47b9
source link-address option (1), length 8 (1): 52:54:00:76:0b:a6
0x0000: 5254 0076 0ba6
0x0000: 6000 0000 0020 3aff fe80 0000 0000 0000 `.....:.........
0x0010: 5054 00ff fe76 0ba6 fe80 0000 0000 0000 PT...v..........
0x0020: 5054 00ff feb7 47b9 8700 92b7 0000 0000 PT....G.........
0x0030: fe80 0000 0000 0000 5054 00ff feb7 47b9 ........PT....G.
0x0040: 0101 5254 0076 0ba6 ..RT.v..
23:43:58.806029 52:54:00:b7:47:b9 > 52:54:00:76:0b:a6, ethertype IPv6 (0x86dd), length 78: (hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::5054:ff:feb7:47b9 > fe80::5054:ff:fe76:ba6: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is fe80::5054:ff:feb7:47b9, Flags [solicited]
0x0000: 6000 0000 0018 3aff fe80 0000 0000 0000 `.....:.........
0x0010: 5054 00ff feb7 47b9 fe80 0000 0000 0000 PT....G.........
0x0020: 5054 00ff fe76 0ba6 8800 b130 4000 0000 ***@***.***
0x0030: fe80 0000 0000 0000 5054 00ff feb7 47b9 ........PT....G.
^C
8 packets captured
8 packets received by filter
0 packets dropped by kernel
|
OK, try that again, but with tcpdump running with a filter of "icmp6 and ip6[7]==255 and ip6[40]==136 and ip6[41]==0". |
@guyharris here:
|
It sounds like if we have the capture that we can build a regression test that shows the different between 1.8 and 1.10, or are there kernel issues I'm missing? |
tcpdump with the filter - which is also the filter used by ipv6tools when looking for a Neighbor Advertisement - saw the Neighbor Advertisements, so the filter doesn't seem to be the problem. Presumably the version of ipv6tools used here has commit 03b0fdd from 2020, so it's not providing a timeout of 0 to |
Gotcha. It doesn’t: https://sources.debian.org/src/ipv6toolkit/2.0%2Bds.1-1/tools/libipv6.h/#L126 I’ll test locally if that fixes the issue; if so, it’s easy to backport, and I’ll take that to the maintainer. Updating ipv6toolkit in distros hits quite the snag in that ipv6toolkit upstream doesn’t publish released versions any more, apparently :/ Thank you for the debugging! Much appreciated. |
By the way, if you're willing to require libpcap 1.5 or later: The various packet batching mechanisms are oriented towards packet capture, where immediate delivery isn't a priority but reducing per-packet overhead is, so they accumulate a collection of packets and deliver them with one wakeup per collection (and, for non-memory-mapped capture, one copy per collection) rather than one per packet. What you're doing is implementing a tiny bit of ICMPv6 and directly sending packets on, and receiving packets from, a network interface; for that, you want immediate delivery and don't expect to get a huge number of packets, so reducing per-packet overhead isn't as important. You could use the |
@fgont is seen regularly at IETF, so I'll bug him this week. |
Apologies for the delay in getting back to you guys (shame on me!). I'll take a look at this tommorrow. |
tags 1016129 + patch buster bullseye bookworm sid
thanks
Upstream discussion managed to find the precise fix for pcap 1.10
compatibility that’s missing in Debian’s version:
#78 (comment)
debdiff (±version) attached. Would you prefer for me to NMU, do a
maintainer-agreed regular upload (as -2), or handle this yourself,
Octavio?
Tagging bullseye *and* buster because this must be fixed in these
releases as well:
• the bullseye package, as-is, is broken, so this is an RC fix there
• buster “as-is” works but if libpcap0.8 is upgraded, either via
buster-backports or by mixing buster and bullseye packages, it’ll
break (and we cannot retrofit a matching Breaks to libpcap0.8 in
bullseye any more now it’s released) so buster’s will either need
the patch applied or a versioned depends on libpcap0.8 (<< 1.10)
Will you communicate with the SRM or do you wish for me to handle that?
Thanks in advance,
//mirabilos
--
[17:15:07] Lukas Degener: Kleines Asterix-Latinum für Softwaretechniker:
veni, vidi, fixi(t) ;-)
diff -Nru ipv6toolkit-2.0+ds.1/debian/changelog ipv6toolkit-2.0+ds.1/debian/changelog
--- ipv6toolkit-2.0+ds.1/debian/changelog 2020-08-05 06:21:55.000000000 +0200
+++ ipv6toolkit-2.0+ds.1/debian/changelog 2022-07-31 21:43:23.000000000 +0200
@@ -1,3 +1,10 @@
+ipv6toolkit (2.0+ds.1-1.1~~) UNRELEASED; urgency=medium
+
+ * Non-maintainer upload.
+ * Add upstream fix for pcap 1.10 compatibility (Closes: #1016129)
+
+ -- Thorsten Glaser ***@***.***> Sun, 31 Jul 2022 21:43:23 +0200
+
ipv6toolkit (2.0+ds.1-1) unstable; urgency=medium
* Refreshed patches using gbp pq export. Added:
diff -Nru ipv6toolkit-2.0+ds.1/debian/patches/03b0fdd42cf36c0070472afbb9b81a9ca62e1109.patch ipv6toolkit-2.0+ds.1/debian/patches/03b0fdd42cf36c0070472afbb9b81a9ca62e1109.patch
--- ipv6toolkit-2.0+ds.1/debian/patches/03b0fdd42cf36c0070472afbb9b81a9ca62e1109.patch 1970-01-01 01:00:00.000000000 +0100
+++ ipv6toolkit-2.0+ds.1/debian/patches/03b0fdd42cf36c0070472afbb9b81a9ca62e1109.patch 2022-07-31 21:43:17.000000000 +0200
@@ -0,0 +1,25 @@
+Applied-Upstream: commit:03b0fdd42cf36c0070472afbb9b81a9ca62e1109
+From: Fernando Gont ***@***.***>
+Subject: Set pcap timeout to 1 for all platforms.
+Author: Leonard Marschke (lmm-git)
+
+--- a/tools/libipv6.h
++++ b/tools/libipv6.h
+@@ -123,12 +123,17 @@ struct filters{
+ #define PCAP_NETMASK_UNKNOWN 0xffffffff
+ #endif
+
++/* XXX:
++At some point we were setting the timeout differently for different platforms. Should double-check, but doesn't seem to make sense.
++
+ #if defined (__FreeBSD__) || defined(__NetBSD__) || defined (__OpenBSD__) || defined(__APPLE__) || defined(__FreeBSD_kernel__) || defined(sun) || defined(__sun)
+ #define PCAP_TIMEOUT 1
+ #else
+ #define PCAP_TIMEOUT 0
+ #endif
++*/
+
++#define PCAP_TIMEOUT 1
+
+ #define PCAP_IPV6_FILTER "ip6"
+ #define PCAP_TCPV6_FILTER "ip6 and tcp"
diff -Nru ipv6toolkit-2.0+ds.1/debian/patches/series ipv6toolkit-2.0+ds.1/debian/patches/series
--- ipv6toolkit-2.0+ds.1/debian/patches/series 2020-08-05 06:21:55.000000000 +0200
+++ ipv6toolkit-2.0+ds.1/debian/patches/series 2022-07-31 21:42:09.000000000 +0200
@@ -5,3 +5,4 @@
0005-Silence-compiler-warnings.patch
0006-Silence-misleading-indentation-warnings.patch
0007-strncpy-len-must-include-the-terminating-nul-byte.patch
+03b0fdd42cf36c0070472afbb9b81a9ca62e1109.patch
|
On 31/07/22 14:57, Thorsten Glaser wrote:
debdiff (±version) attached. Would you prefer for me to NMU, do a
maintainer-agreed regular upload (as -2), or handle this yourself,
Octavio?
I can handle it. By the way, did the fix work for you?
• the bullseye package, as-is, is broken, so this is an RC fix there
• buster “as-is” works but if libpcap0.8 is upgraded, either via
buster-backports or by mixing buster and bullseye packages, it’ll
break (and we cannot retrofit a matching Breaks to libpcap0.8 in
bullseye any more now it’s released) so buster’s will either need
the patch applied or a versioned depends on libpcap0.8 (<< 1.10)
The proposed fix should work with both libpcap versions, so that should
be the way to go. I'll take a look at that too.
Will you communicate with the SRM or do you wish for me to handle that?
I may need help with that. I'll get back to you.
Thanks,
Octavio.
|
Octavio Alvarez dixit:
On 31/07/22 14:57, Thorsten Glaser wrote:
> debdiff (±version) attached. Would you prefer for me to NMU, do a
> maintainer-agreed regular upload (as -2), or handle this yourself,
> Octavio?
I can handle it. By the way, did the fix work for you?
Yes, the debdiff I attached works.
> Will you communicate with the SRM or do you wish for me to handle that?
I may need help with that. I'll get back to you.
OK.
bye,
//mirabilos
--
Infrastrukturexperte • tarent solutions GmbH
Am Dickobskreuz 10, D-53121 Bonn • http://www.tarent.de/
Telephon +49 228 54881-393 • Fax: +49 228 54881-235
HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg
|
Downstream bugtracker link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016129
I have a virtual machine on a host-only network. The configuration is thus:
I can do this:
But I cannot send packets in the other direction:
Misspelt error messages aside, why is this, even if I pass the source address? Neighbour discovery should work because…
It also doesn’t work when using link-local addresses, see the last attempt above.
The text was updated successfully, but these errors were encountered: