Router solicitation blocked, makes network-manager complain

Bug #1434525 reported by Franck on 2015-03-20
This bug affects 6 people
Affects: ufw (Ubuntu) | Importance: High | Assigned to: Unassigned

Bug Description

In Vivid, my syslog is full of complaints by network-manager about blocked Router solicitation.

In my log, I get things like this:

...
Mar 20 12:47:04 franck-ThinkPad-T430s NetworkManager[1134]: <error> [1426852024.960398] [rdisc/nm-lndp-rdisc.c:241] send_rs(): (wlan0): cannot send router solicitation: -1.
Mar 20 12:47:04 franck-ThinkPad-T430s kernel: [ 8209.218586] [UFW BLOCK] IN= OUT=wlan0 SRC=fe80:0000:0000:0000:2677:03ff:fe8a:47a0 DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=48 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=133 CODE=0
Mar 20 12:47:05 franck-ThinkPad-T430s NetworkManager[1134]: <error> [1426852025.959574] [rdisc/nm-lndp-rdisc.c:241] send_rs(): (eth0): cannot send router solicitation: -1.
Mar 20 12:47:08 franck-ThinkPad-T430s NetworkManager[1134]: <error> [1426852028.958727] [rdisc/nm-lndp-rdisc.c:241] send_rs(): (wlan0): cannot send router solicitation: -1.
Mar 20 12:47:09 franck-ThinkPad-T430s NetworkManager[1134]: <error> [1426852029.958873] [rdisc/nm-lndp-rdisc.c:241] send_rs(): (eth0): cannot send router solicitation: -1.
Mar 20 12:47:12 franck-ThinkPad-T430s NetworkManager[1134]: <error> [1426852032.961342] [rdisc/nm-lndp-rdisc.c:241] send_rs(): (wlan0): cannot send router solicitation: -1.
Mar 20 12:47:13 franck-ThinkPad-T430s NetworkManager[1134]: <error> [1426852033.959493] [rdisc/nm-lndp-rdisc.c:241] send_rs(): (eth0): cannot send router solicitation: -1.
Mar 20 12:47:16 franck-ThinkPad-T430s NetworkManager[1134]: <error> [1426852036.960008] [rdisc/nm-lndp-rdisc.c:241] send_rs(): (wlan0): cannot send router solicitation: -1.
Mar 20 12:47:17 franck-ThinkPad-T430s NetworkManager[1134]: <error> [1426852037.959215] [rdisc/nm-lndp-rdisc.c:241] send_rs(): (eth0): cannot send router solicitation: -1.
Mar 20 12:47:20 franck-ThinkPad-T430s NetworkManager[1134]: <error> [1426852040.961811] [rdisc/nm-lndp-rdisc.c:241] send_rs(): (wlan0): cannot send router solicitation: -1.
Mar 20 12:47:21 franck-ThinkPad-T430s NetworkManager[1134]: <error> [1426852041.958641] [rdisc/nm-lndp-rdisc.c:241] send_rs(): (eth0): cannot send router solicitation: -1.
Mar 20 12:47:24 franck-ThinkPad-T430s NetworkManager[1134]: <error> [1426852044.960743] [rdisc/nm-lndp-rdisc.c:241] send_rs(): (wlan0): cannot send router solicitation: -1.
Mar 20 12:47:24 franck-ThinkPad-T430s kernel: [ 8229.224325] [UFW BLOCK] IN= OUT=wlan0 SRC=fe80:0000:0000:0000:2677:03ff:fe8a:47a0 DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=48 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=133 CODE=0
Mar 20 12:47:25 franck-ThinkPad-T430s NetworkManager[1134]: <error> [1426852045.958895] [rdisc/nm-lndp-rdisc.c:241] send_rs(): (eth0): cannot send router solicitation: -1.
Mar 20 12:47:28 franck-ThinkPad-T430s NetworkManager[1134]: <error> [1426852048.960527] [rdisc/nm-lndp-rdisc.c:241] send_rs(): (wlan0): cannot send router solicitation: -1.
...

and so on.

I have read through http://www.ietf.org/rfc/rfc4890.txt but this is a bit tough, and I like ufw doing the job for me :-).

Here is the output of ip6tables --list :

Chain INPUT (policy DROP)
target prot opt source destination
ufw6-before-logging-input all anywhere anywhere
ufw6-before-input all anywhere anywhere
ufw6-after-input all anywhere anywhere
ufw6-after-logging-input all anywhere anywhere
ufw6-reject-input all anywhere anywhere
ufw6-track-input all anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ufw6-before-logging-forward all anywhere anywhere
ufw6-before-forward all anywhere anywhere
ufw6-after-forward all anywhere anywhere
ufw6-after-logging-forward all anywhere anywhere
ufw6-reject-forward all anywhere anywhere
ufw6-track-forward all anywhere anywhere

Chain OUTPUT (policy DROP)
target prot opt source destination
ufw6-before-logging-output all anywhere anywhere
ufw6-before-output all anywhere anywhere
ufw6-after-output all anywhere anywhere
ufw6-after-logging-output all anywhere anywhere
ufw6-reject-output all anywhere anywhere
ufw6-track-output all anywhere anywhere

Chain ufw6-after-forward (1 references)
target prot opt source destination

Chain ufw6-after-input (1 references)
target prot opt source destination
ufw6-skip-to-policy-input udp anywhere anywhere udp dpt:netbios-ns
ufw6-skip-to-policy-input udp anywhere anywhere udp dpt:netbios-dgm
ufw6-skip-to-policy-input tcp anywhere anywhere tcp dpt:netbios-ssn
ufw6-skip-to-policy-input tcp anywhere anywhere tcp dpt:microsoft-ds
ufw6-skip-to-policy-input udp anywhere anywhere udp dpt:dhcpv6-client
ufw6-skip-to-policy-input udp anywhere anywhere udp dpt:dhcpv6-server

Chain ufw6-after-logging-forward (1 references)
target prot opt source destination
LOG all anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw6-after-logging-input (1 references)
target prot opt source destination
LOG all anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw6-after-logging-output (1 references)
target prot opt source destination
LOG all anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw6-after-output (1 references)
target prot opt source destination

Chain ufw6-before-forward (1 references)
target prot opt source destination
DROP all anywhere anywhere rt type:0 segsleft:0
ACCEPT all anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp destination-unreachable
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp packet-too-big
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp time-exceeded
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp parameter-problem
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp echo-request
ufw6-user-forward all anywhere anywhere

Chain ufw6-before-input (1 references)
target prot opt source destination
ACCEPT all anywhere anywhere
DROP all anywhere anywhere rt type:0 segsleft:0
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp neighbour-solicitation HL match HL == 255
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp neighbour-advertisement HL match HL == 255
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp router-solicitation HL match HL == 255
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp router-advertisement HL match HL == 255
ACCEPT all anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT ipv6-icmp fe80::/10 anywhere ipv6-icmp echo-reply
ufw6-logging-deny all anywhere anywhere ctstate INVALID
DROP all anywhere anywhere ctstate INVALID
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp destination-unreachable
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp packet-too-big
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp time-exceeded
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp parameter-problem
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp echo-request
ACCEPT udp fe80::/10 fe80::/10 udp spt:dhcpv6-server dpt:dhcpv6-client
ACCEPT udp anywhere ff02::fb udp dpt:mdns
ACCEPT udp anywhere ff02::f udp dpt:1900
ufw6-user-input all anywhere anywhere

Chain ufw6-before-logging-forward (1 references)
target prot opt source destination

Chain ufw6-before-logging-input (1 references)
target prot opt source destination

Chain ufw6-before-logging-output (1 references)
target prot opt source destination

Chain ufw6-before-output (1 references)
target prot opt source destination
ACCEPT all anywhere anywhere
DROP all anywhere anywhere rt type:0 segsleft:0
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp neighbour-solicitation HL match HL == 255
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp neighbour-advertisement HL match HL == 255
ACCEPT all anywhere anywhere ctstate RELATED,ESTABLISHED
ufw6-user-output all anywhere anywhere

Chain ufw6-logging-allow (0 references)
target prot opt source destination
LOG all anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

Chain ufw6-logging-deny (1 references)
target prot opt source destination
RETURN all anywhere anywhere ctstate INVALID limit: avg 3/min burst 10
LOG all anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw6-reject-forward (1 references)
target prot opt source destination

Chain ufw6-reject-input (1 references)
target prot opt source destination

Chain ufw6-reject-output (1 references)
target prot opt source destination

Chain ufw6-skip-to-policy-forward (0 references)
target prot opt source destination
DROP all anywhere anywhere

Chain ufw6-skip-to-policy-input (6 references)
target prot opt source destination
DROP all anywhere anywhere

Chain ufw6-skip-to-policy-output (0 references)
target prot opt source destination
DROP all anywhere anywhere

Chain ufw6-track-forward (1 references)
target prot opt source destination

Chain ufw6-track-input (1 references)
target prot opt source destination

Chain ufw6-track-output (1 references)
target prot opt source destination

Chain ufw6-user-forward (1 references)
target prot opt source destination

Chain ufw6-user-input (1 references)
target prot opt source destination
ACCEPT udp anywhere anywhere multiport dports 6881:6882
ACCEPT tcp anywhere anywhere multiport dports 6881:6882

Chain ufw6-user-limit (0 references)
target prot opt source destination
LOG all anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT all anywhere anywhere reject-with icmp6-port-unreachable

Chain ufw6-user-limit-accept (0 references)
target prot opt source destination
ACCEPT all anywhere anywhere

Chain ufw6-user-logging-forward (0 references)
target prot opt source destination

Chain ufw6-user-logging-input (0 references)
target prot opt source destination

Chain ufw6-user-logging-output (0 references)
target prot opt source destination

Chain ufw6-user-output (1 references)
target prot opt source destination
ACCEPT tcp anywhere anywhere tcp dpt:ipp
ACCEPT udp anywhere anywhere udp dpt:ipp
ACCEPT tcp anywhere anywhere tcp dpt:domain
ACCEPT udp anywhere anywhere udp dpt:domain
ACCEPT udp anywhere anywhere udp dpt:bootps
ACCEPT tcp anywhere anywhere tcp dpt:https
ACCEPT tcp anywhere anywhere tcp dpt:http
ACCEPT tcp anywhere anywhere tcp dpt:imap2
ACCEPT tcp anywhere anywhere tcp dpt:ssh
ACCEPT tcp anywhere anywhere tcp dpt:postgresql
ACCEPT tcp anywhere anywhere tcp dpt:http-alt
ACCEPT udp anywhere anywhere multiport dports netbios-ns,netbios-dgm
ACCEPT tcp anywhere anywhere multiport dports netbios-ssn,microsoft-ds
ACCEPT tcp anywhere anywhere tcp dpt:l2f
ACCEPT tcp anywhere anywhere tcp dpt:imaps
ACCEPT tcp anywhere anywhere tcp dpt:git
ACCEPT tcp anywhere anywhere tcp dpt:whois
ACCEPT udp anywhere anywhere udp dpt:43
ACCEPT tcp anywhere anywhere tcp dpt:ircd
ACCEPT tcp anywhere anywhere tcp dpt:3389
ACCEPT udp anywhere anywhere multiport dports 6881:6882
ACCEPT tcp anywhere anywhere multiport dports 6881:6882

Maybe /etc/ufw/before6.rules should be adjusted ? (or maybe it's a bug in Network-manager?)

ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: ufw 0.34~rc-0ubuntu5
ProcVersionSignature: Ubuntu 3.19.0-9.9-generic 3.19.1
Uname: Linux 3.19.0-9-generic x86_64
ApportVersion: 2.16.2-0ubuntu3
Architecture: amd64
CurrentDesktop: Unity
Date: Fri Mar 20 12:43:56 2015
InstallationDate: Installed on 2014-12-13 (96 days ago)
InstallationMedia: Ubuntu 14.10 "Utopic Unicorn" - Release amd64 (20141022.1)
PackageArchitecture: all
SourcePackage: ufw
UpgradeStatus: No upgrade log present (probably fresh install)
mtime.conffile..etc.default.ufw: 2015-03-17T18:03:15.349146

Franck (alci) wrote :

Adding allow router-solicitation and router-advertisement in before6-output seems to solve the problem.

It also seems pretty legit as of 4.3.3, 4.4.1 and A7 of http://www.ietf.org/rfc/rfc4890.txt

That said, I'm not a networking security expert, this needs reviewing :-)
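
Added example, not part of the bug report or of ufw: a small Python check that relates the blocked packet from the kernel log to the Neighbor Discovery rules of the chain it crossed, using an excerpt of the `ip6tables --list` output and one `[UFW BLOCK]` line quoted in the description. The function names and the result keys are chosen here for illustration; the listing format is assumed to be the one shown on this page.

```python
import re

# Neighbor Discovery types that RFC 4890 section 4.4.1 says must not be dropped.
NDP = {133: "router-solicitation", 134: "router-advertisement",
       135: "neighbour-solicitation", 136: "neighbour-advertisement"}

# Excerpt of the listing in the description (Neighbor Discovery rules of two chains).
LISTING = """\
Chain ufw6-before-input (1 references)
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp neighbour-solicitation HL match HL == 255
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp neighbour-advertisement HL match HL == 255
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp router-solicitation HL match HL == 255
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp router-advertisement HL match HL == 255
Chain ufw6-before-output (1 references)
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp neighbour-solicitation HL match HL == 255
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp neighbour-advertisement HL match HL == 255
"""
# One of the kernel log lines from the description, without the syslog prefix.
BLOCK = ("[UFW BLOCK] IN= OUT=wlan0 SRC=fe80:0000:0000:0000:2677:03ff:fe8a:47a0 "
         "DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=48 TC=0 HOPLIMIT=255 "
         "FLOWLBL=0 PROTO=ICMPv6 TYPE=133 CODE=0")
RULE = re.compile(r"ACCEPT\s+ipv6-icmp\s+\S+\s+\S+\s+ipv6-icmp\s+(\S+)\s+HL match HL == 255")

def accepted_ndp(listing, chain):
    """NDP type numbers that `chain` accepts when the hop limit is 255."""
    by_name = {name: num for num, name in NDP.items()}
    found, current = set(), None
    for line in listing.splitlines():
        header = re.match(r"Chain (\S+)", line)
        rule = RULE.match(line)
        if header:
            current = header.group(1)
        elif rule and current == chain and rule.group(1) in by_name:
            found.add(by_name[rule.group(1)])
    return found

def explain_block(log_line, listing):
    """Relate one blocked ICMPv6 packet to the NDP rules of the chain it crossed."""
    f = dict(re.findall(r"(\w+)=(\S*)", log_line))
    if "[UFW BLOCK]" not in log_line or f.get("PROTO") != "ICMPv6":
        return None
    # Empty IN= means locally generated traffic; forwarded packets are not handled.
    chain = "ufw6-before-output" if not f["IN"] else "ufw6-before-input"
    ptype, allowed = int(f["TYPE"]), accepted_ndp(listing, chain)
    return {"chain": chain, "type": NDP.get(ptype, str(ptype)),
            "hoplimit": int(f["HOPLIMIT"]), "accepted": ptype in allowed,
            "no_rule_for": [NDP[t] for t in sorted(set(NDP) - allowed)]}

print(explain_block(BLOCK, LISTING))
```

For the logged packet this reports type router-solicitation with hop limit 255 leaving through ufw6-before-output, a chain that has Neighbor Discovery rules only for neighbour-solicitation and neighbour-advertisement, so the packet falls through to the OUTPUT policy of DROP.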

The attachment "Allow router sollication before output" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ufw (Ubuntu):
status: New → Confirmed
Ceridwen (ceridwen) wrote :

Since I upgraded to 15.04 on my laptop, it will periodically lose connection to wifi. syslog fills up with:

May 2 08:32:46 sif NetworkManager[833]: <error> [1430569966.006933] [rdisc/nm-lndp-rdisc.c:241] send_rs(): (wlan0): cannot send router solicitation: -101.

When it last happened, I noticed that at one point there was a different message and after that the code after "router solicitation" changed:

May 2 09:32:44 sif NetworkManager[833]: (devices/nm-device.c:4675):nm_device_activate_ip6_config_commit: runtime check failed: (nm_platform_link_is_up (nm_device_get_ip_ifindex (self)))
May 2 09:32:46 sif NetworkManager[833]: <error> [1430573566.684329] [rdisc/nm-lndp-rdisc.c:241] send_rs(): (wlan0): cannot send router solicitation: -99.

I haven't found any way to fix the problem short of rebooting. When I tried restarting network manager manually using systemd, I started getting kernel errors, which may well not be related. I don't know enough to diagnose the problem myself, so if there's any other information that would be useful, I can provide it.

Changed in ufw (Ubuntu):
importance: Undecided → High
Marco van Zwetselaar (zwets) wrote :

Confirming that the patch in #2 solves the issue.

Changed in ufw (Ubuntu):
status: Confirmed → In Progress
micsu (micsu-z) wrote :

Could you help me solve this issue, please?
I'm using Debian 8.1 stable and ipv6 support is disabled either in
a) /etc/default/ufw
    IPV6=no
b) /etc/sysctl.conf
    net.ipv6.conf.all.disable_ipv6 = 1
    net.ipv6.conf.default.disable_ipv6 = 1
    net.ipv6.conf.lo.disable_ipv6 = 1
    net.ipv6.conf.eth0.disable_ipv6 = 1

Therefore I can not apply this:
    http://askubuntu.com/questions/596278/what-is-network-manager-trying-to-do-with-rdisc
    sudo ufw allow to ff02::2
    it says: "ERROR: IPv6 support not enabled"

Is the only solution to compile ufw using the patch in #2?
Thanks!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ufw - 0.34-0ubuntu1

---------------
ufw (0.34-0ubuntu1) wily; urgency=medium

  * New upstream release (LP: #1434525, LP: #1438647, LP: #1155292,
    Closes: 792753). Drop following patches included upstream:
    - 0002-lp1044361.patch
    - 0003-fix-typeerror-on-error.patch
    - 0004-lp1039729.patch
    - 0005-lp1191197.patch
  * Merge in Ubuntu packaging:
    - debian/ufw.postinst:
      + drop old reload of policy for upgrades to 0.30.1-2
      + add new ufw[6]-track-forward primary chains on upgrade
    - Install the SysV init and upstart script for both Debian and Ubuntu.
      Debian has upstart too, and in Ubuntu we need the init script for LSB
      dependencies and for systemd. (LP: #1341083)
      + Rename debian/ufw.init.debian to debian/ufw.init
      + Rename debian/ufw.upstart.ubuntu to debian/ufw.upstart
      + Remove all the distro specific code from debian/rules and just call
        dh_installinit (thus removing lsb-release from Build-Depends-Indep).
    - Drop the distro specific logrotate configs, and use the ubuntu one with
      "rotate" instead of "reload" everywhere, as Debian's rsyslog init also
      supports "rotate".
    - Add a systemd unit:
      + Add debian/ufw.service
      + Add dh-systemd build dep.
      + debian/rulles: Call dh_systemd_{enable,start}.
    - Don't include Debian version in the python module version (LP: #1465549)
  * debian/copyright: follow copyright-format/1.0
  * debian/po/pt_BR.po: add Brazilian Portuguese of debconf templates. Thanks
    to Adriano Rafael Gomes (Closes: 770453)
  * update debian/before[6].rules.md5sum
  * debian/ufw.lintian-overrides:
    - usr/share/ufw/after.init and before.init are intentionally not
      executable
    - we intentionally do not stop the firewall with init.d script
  * debian/control: Build-Depends-Indep on procps (needed by testsuite for
    sysctl)
  * debian/ufw.dirs, debian/rules: copy bash completions to
    /usr/share/bash-completion/completions
  * debian/rules: run 'make clean' after running the testsuite since the
    testsuite creates a build/ directory not that would be reused
  * debian/ufw.postrm: remove after.init and before.init on purge

 -- Jamie Strandboge <email address hidden> Thu, 20 Aug 2015 08:34:19 -0500

Changed in ufw (Ubuntu):
status: In Progress → Fix Released
Till Schäfer (till2-schaefer) wrote :

I have reported this upstream and it is now also fixed in the master branch of NM:

https://bugzilla.gnome.org/show_bug.cgi?id=759596
