Open Fail-Safe opened 3 days ago
ubus call system board
What made you think routing is affected?
root@OpenWrt:~# ubus call system board
{
    "kernel": "6.6.35",
    "hostname": "OpenWrt",
    "system": "Intel(R) N100",
    "model": "AZW EQ",
    "board_name": "azw-eq",
    "rootfs_type": "ext4",
    "release": {
        "distribution": "OpenWrt",
        "version": "SNAPSHOT",
        "revision": "r26816-55bda9863d",
        "target": "x86/64",
        "description": "OpenWrt SNAPSHOT r26816-55bda9863d"
    }
}
I'm not definitively saying routing was affected. But I could successfully ping6 the IPv6 LL address of my OpenWrt gateway (the box I provided details for above) from my client hosts. But I could not ping6 any IPv6 hops beyond this gateway while the ruleset statements in my OP were in place. As soon as I stopped and then restarted the firewall service, thus removing that ruleset, I could immediately regain IPv6 connectivity through the gateway to internet hosts.
Looks like this issue is the root cause https://github.com/openwrt/packages/issues/17766
iptables-nft-save and ip6tables-nft-save are needed along with full nft list ruleset
Current excerpts do not list source of compat warning or forward chain defaulting to drop packets.
EDIT: there is a slim hope issue can be fixed changing one or two dependencies
Maintainer: @G-M0N3Y-2503
Environment:
Description:
When the dockerd service starts (or restarts) it adds the following configuration to the nft ruleset:
This breaks IPv6 forwarding/routing from all of my client subnets on my OpenWrt box. Also, the OpenWrt web UI indicates "Legacy rules detected" in the Firewall section while the above rules are in the ruleset.
To restore IPv6 functionality for my client subnets, I have to run /etc/init.d/firewall stop && /etc/init.d/firewall start. After stop & start of the firewall service, the above rules are no longer in the nftables ruleset and IPv6 again works properly for my clients. Is there a configuration option in my dockerd config that is incorrect or missing? Or is this a bug?
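A small triage helper for the symptom described in the report and in the "forward chain defaulting to drop" comment above, added here as an example (not code from the issue or from the OpenWrt or Docker projects): it scans `nft list ruleset` output for forward-hook chains with `policy drop` that live outside fw4's table. It assumes fw4 owns exactly `table inet fw4` and that any other table was added by another tool (such as dockerd via iptables-nft); the sample ruleset is constructed, not captured from the reporter's box.

```shell
#!/bin/sh
# Constructed sample of `nft list ruleset` output: fw4's own table plus an
# ip6 'filter' table of the kind ip6tables-nft creates, whose FORWARD chain
# defaults to drop. Not captured from a real system.
SAMPLE_RULESET='table inet fw4 {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
    }
}
table ip6 filter {
    chain FORWARD {
        type filter hook forward priority filter; policy drop;
        jump DOCKER-USER
    }
    chain DOCKER-USER {
        return
    }
}
table ip nat {
    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
    }
}'

# find_foreign_drop_forward: reads nft ruleset text on stdin and prints
# "<family> <table> <chain>" for every forward-hook chain whose policy is
# drop and which is NOT in fw4's table (assumption: fw4 owns only
# "table inet fw4"). Exits 1 when at least one such chain exists, else 0.
find_foreign_drop_forward() {
    awk '
    /^table /             { family = $2; table = $3; next }
    /^[[:space:]]*chain / { chain = $2; next }
    /hook forward/ && /policy drop/ {
        if (!(family == "inet" && table == "fw4")) {
            printf "%s %s %s\n", family, table, chain
            found = 1
        }
    }
    END { exit found ? 1 : 0 }
    '
}

# Stand-alone demo on the constructed sample; on a router run
# `nft list ruleset | find_foreign_drop_forward` instead.
printf '%s\n' "$SAMPLE_RULESET" | find_foreign_drop_forward \
    || echo "foreign forward chain(s) with policy drop found"
```

A non-zero exit with an `ip6 filter FORWARD` line is the signature the report describes; an empty result after `/etc/init.d/firewall stop && /etc/init.d/firewall start` matches the recovery the reporter observed.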