0

We have a setup where a program on a linux server controls its linux subordinates (talks to them via TCP and UDP).

There are several groups of subordinates. Each group is connected via ethernet to a single network interface card on the server.

It is important to tell the groups apart.

Subordinates can go missing (they get broken), and should be hot-pluggable (broken ones are replaced with new ones and the server should see them within a minute or so).

Typically we will have only few subordinates (1-5).

What is the best practice to do such discovery?

My first attempt was to simply ping and filter the result via

ping6 ff02::1%wlp3s0

but only the server itself is answering. Strangely it works on my android tablet, and wireshark also sees ping replies from the other devices, but there is nothing in the ping output. I can ping unicast though. (I tested on my mint notebook, but why would it be reliable on the ubuntu server if it's not on the test machine? Can it depend on the nic driver? i've had issues with the wifi sometimes.)

I also had attempts with sending a multi cast udp package (is that even possible?), but it wasn't successful even locally:

// terminal a: $ nc -6luv 10000 Listening on [:::] (family 10, port 10000) //terminal b: $ echo "blah" | nc -6uv "ff01::1%wlp3s0" 10000 nc: getaddrinfo: Name or service not known $ echo "blah" | nc -6uv -q1 "ff02::1%wlp3s0" 10000 Connection to ff02::1%wlp3s0 10000 port [udp/*] succeeded! // nothing on terminal a

Any other ideas?

Somebody said in the comments it could be ip6tables rules. I didn't change the default linux mint rules, output of ip6tables is here: It's quite long and I have little experience with reading it. Any help?

Chain INPUT (policy DROP) target prot opt source destination ufw6-before-logging-input all anywhere anywhere ufw6-before-input all anywhere anywhere ufw6-after-input all anywhere anywhere ufw6-after-logging-input all anywhere anywhere ufw6-reject-input all anywhere anywhere ufw6-track-input all anywhere anywhere Chain FORWARD (policy DROP) target prot opt source destination ufw6-before-logging-forward all anywhere anywhere ufw6-before-forward all anywhere anywhere ufw6-after-forward all anywhere anywhere ufw6-after-logging-forward all anywhere anywhere ufw6-reject-forward all anywhere anywhere ufw6-track-forward all anywhere anywhere Chain OUTPUT (policy ACCEPT) target prot opt source destination ufw6-before-logging-output all anywhere anywhere ufw6-before-output all anywhere anywhere ufw6-after-output all anywhere anywhere ufw6-after-logging-output all anywhere anywhere ufw6-reject-output all anywhere anywhere ufw6-track-output all anywhere anywhere Chain ufw6-after-forward (1 references) target prot opt source destination Chain ufw6-after-input (1 references) target prot opt source destination ufw6-skip-to-policy-input udp anywhere anywhere udp dpt:netbios-ns ufw6-skip-to-policy-input udp anywhere anywhere udp dpt:netbios-dgm ufw6-skip-to-policy-input tcp anywhere anywhere tcp dpt:netbios-ssn ufw6-skip-to-policy-input tcp anywhere anywhere tcp dpt:microsoft-ds ufw6-skip-to-policy-input udp anywhere anywhere udp dpt:dhcpv6-client ufw6-skip-to-policy-input udp anywhere anywhere udp dpt:dhcpv6-server Chain ufw6-after-logging-forward (1 references) target prot opt source destination LOG all anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] " Chain ufw6-after-logging-input (1 references) target prot opt source destination LOG all anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] " Chain ufw6-after-logging-output (1 references) target prot opt source destination Chain ufw6-after-output (1 references) target prot opt source destination Chain ufw6-before-forward (1 references) target prot opt source destination DROP all anywhere anywhere rt type:0 ACCEPT all anywhere anywhere ctstate RELATED,ESTABLISHED ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp destination-unreachable ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp packet-too-big ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp time-exceeded ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp parameter-problem ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp echo-request ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp echo-reply ufw6-user-forward all anywhere anywhere Chain ufw6-before-input (1 references) target prot opt source destination ACCEPT all anywhere anywhere DROP all anywhere anywhere rt type:0 ACCEPT all anywhere anywhere ctstate RELATED,ESTABLISHED ufw6-logging-deny all anywhere anywhere ctstate INVALID DROP all anywhere anywhere ctstate INVALID ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp destination-unreachable ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp packet-too-big ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp time-exceeded ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp parameter-problem ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp echo-request ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp echo-reply ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp router-solicitation HL match HL == 255 ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp router-advertisement HL match HL == 255 ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp neighbour-solicitation HL match HL == 255 ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp neighbour-advertisement HL match HL == 255 ACCEPT ipv6-icmp anywhere anywhere ipv6-icmptype 141 HL match HL == 255 ACCEPT ipv6-icmp anywhere anywhere ipv6-icmptype 142 HL match HL == 255 ACCEPT ipv6-icmp fe80::/10 anywhere ipv6-icmptype 130 ACCEPT ipv6-icmp fe80::/10 anywhere ipv6-icmptype 131 ACCEPT ipv6-icmp fe80::/10 anywhere ipv6-icmptype 132 ACCEPT ipv6-icmp fe80::/10 anywhere ipv6-icmptype 143 ACCEPT ipv6-icmp anywhere anywhere ipv6-icmptype 148 HL match HL == 255 ACCEPT ipv6-icmp anywhere anywhere ipv6-icmptype 149 HL match HL == 255 ACCEPT ipv6-icmp fe80::/10 anywhere ipv6-icmptype 151 HL match HL == 1 ACCEPT ipv6-icmp fe80::/10 anywhere ipv6-icmptype 152 HL match HL == 1 ACCEPT ipv6-icmp fe80::/10 anywhere ipv6-icmptype 153 HL match HL == 1 ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp echo-request ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp echo-reply ACCEPT ipv6-icmp anywhere anywhere ipv6-icmptype 144 ACCEPT ipv6-icmp anywhere anywhere ipv6-icmptype 145 ACCEPT ipv6-icmp anywhere anywhere ipv6-icmptype 146 ACCEPT ipv6-icmp anywhere anywhere ipv6-icmptype 147 ACCEPT udp fe80::/10 fe80::/10 udp spt:dhcpv6-server dpt:dhcpv6-client ACCEPT udp anywhere ff02::fb udp dpt:mdns ACCEPT udp anywhere ff02::f udp dpt:1900 ufw6-user-input all anywhere anywhere Chain ufw6-before-logging-forward (1 references) target prot opt source destination Chain ufw6-before-logging-input (1 references) target prot opt source destination Chain ufw6-before-logging-output (1 references) target prot opt source destination Chain ufw6-before-output (1 references) target prot opt source destination ACCEPT all anywhere anywhere DROP all anywhere anywhere rt type:0 ACCEPT all anywhere anywhere ctstate RELATED,ESTABLISHED ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp destination-unreachable ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp packet-too-big ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp time-exceeded ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp parameter-problem ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp router-solicitation HL match HL == 255 ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp neighbour-advertisement HL match HL == 255 ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp neighbour-solicitation HL match HL == 255 ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp router-advertisement HL match HL == 255 ACCEPT ipv6-icmp anywhere anywhere ipv6-icmptype 141 HL match HL == 255 ACCEPT ipv6-icmp anywhere anywhere ipv6-icmptype 142 HL match HL == 255 ACCEPT ipv6-icmp fe80::/10 anywhere ipv6-icmptype 130 ACCEPT ipv6-icmp fe80::/10 anywhere ipv6-icmptype 131 ACCEPT ipv6-icmp fe80::/10 anywhere ipv6-icmptype 132 ACCEPT ipv6-icmp fe80::/10 anywhere ipv6-icmptype 143 ACCEPT ipv6-icmp anywhere anywhere ipv6-icmptype 148 HL match HL == 255 ACCEPT ipv6-icmp anywhere anywhere ipv6-icmptype 149 HL match HL == 255 ACCEPT ipv6-icmp fe80::/10 anywhere ipv6-icmptype 151 HL match HL == 1 ACCEPT ipv6-icmp fe80::/10 anywhere ipv6-icmptype 152 HL match HL == 1 ACCEPT ipv6-icmp fe80::/10 anywhere ipv6-icmptype 153 HL match HL == 1 ufw6-user-output all anywhere anywhere Chain ufw6-logging-allow (0 references) target prot opt source destination LOG all anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] " Chain ufw6-logging-deny (1 references) target prot opt source destination RETURN all anywhere anywhere ctstate INVALID limit: avg 3/min burst 10 LOG all anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] " Chain ufw6-reject-forward (1 references) target prot opt source destination Chain ufw6-reject-input (1 references) target prot opt source destination Chain ufw6-reject-output (1 references) target prot opt source destination Chain ufw6-skip-to-policy-forward (0 references) target prot opt source destination DROP all anywhere anywhere Chain ufw6-skip-to-policy-input (6 references) target prot opt source destination DROP all anywhere anywhere Chain ufw6-skip-to-policy-output (0 references) target prot opt source destination ACCEPT all anywhere anywhere Chain ufw6-track-forward (1 references) target prot opt source destination Chain ufw6-track-input (1 references) target prot opt source destination Chain ufw6-track-output (1 references) target prot opt source destination ACCEPT tcp anywhere anywhere ctstate NEW ACCEPT udp anywhere anywhere ctstate NEW Chain ufw6-user-forward (1 references) target prot opt source destination Chain ufw6-user-input (1 references) target prot opt source destination ACCEPT udp anywhere anywhere multiport dports 1714:1764 ACCEPT tcp anywhere anywhere multiport dports 1714:1764 Chain ufw6-user-limit (0 references) target prot opt source destination LOG all anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] " REJECT all anywhere anywhere reject-with icmp6-port-unreachable Chain ufw6-user-limit-accept (0 references) target prot opt source destination ACCEPT all anywhere anywhere Chain ufw6-user-logging-forward (0 references) target prot opt source destination Chain ufw6-user-logging-input (0 references) target prot opt source destination Chain ufw6-user-logging-output (0 references) target prot opt source destination Chain ufw6-user-output (1 references) target prot opt source destination

I tried to disable the ufw firewall by sudo ufw disable and ping started to work. I'll report a bug with ubuntu soon, but is ping even a good way to do it?

Improve this question
5
  • yes, you are right. I was testing without the echo (and the -v) before. I got an error message now, and an success message, but still nothing on terminal a. -- erm, there was a comment about a missing pipe before. Commented Feb 9, 2017 at 22:41
  • Your ping6 command should work. Could it be that you have some ip6tables rules that break it? I just tested these slightly different arguments on my LAN and got responses from 5 different devices: ping6 -nc2 ff02::1%wlan0 Commented Feb 10, 2017 at 1:17
  • uhm, it can very well be. would also explain why it worked on the tablet. however, why would the default rules not allow it? anyway, i updated the question with the output of ip6tables -L. But i have little experience with it and don't want to break security of my laptop. Commented Feb 10, 2017 at 3:07
  • That output does not tell the full story. If you want the full story look at the output of ip6tables-save. What I can tell you about your firewall rules is that they look overly complicated. I have previously seen rules generated by ufw and they did not look very good. You are probably better off writing firewall rules by hand than using ufw. Commented Feb 10, 2017 at 23:01
  • well, and it is also not your job to debug ufw. At first i didn't even realise it is additional software. I'll report a bug to them. If you formulate the comment as an answer I'll accept it :) Commented Feb 13, 2017 at 7:35

1 Answer 1

Reset to default
1

I had a similar problem on a LEDE firewall; link-local multicast pings (e.g. to ff02::1) were not answered because the echo replies were dropped by an output rule for ctstate INVALID. Unicast pings (link-local and ULA) worked fine.

I suspect that the conntrack system is missing a trick here - since the request's (multicast) destination is different from the reply's (unicast) source, it doesn't recognize them as related - though it should.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.