IPv6 stable_secret, ping, traceroute questions

Hello,

I just installed OpenWRT 19.07.7 on a Linksys WRT1900ACv1. The build was standard (not snapshot) and the install went easily enough. My ISP provides an IPv4 and IPv6 address on eth1.2.

Basic WAN functionality seems good, including wired and wireless on LAN.

But when I check the connection tracking table size with:

sysctl -a|grep conntrack_count

this unexpected output results:

sysctl: error reading key 'net.ipv6.conf.all.stable_secret': I/O error
sysctl: error reading key 'net.ipv6.conf.br-lan.stable_secret': I/O error
sysctl: error reading key 'net.ipv6.conf.default.stable_secret': I/O error
sysctl: error reading key 'net.ipv6.conf.eth0.stable_secret': I/O error
sysctl: error reading key 'net.ipv6.conf.eth0.1.stable_secret': I/O error
sysctl: error reading key 'net.ipv6.conf.eth1.stable_secret': I/O error
sysctl: error reading key 'net.ipv6.conf.eth1.2.stable_secret': I/O error
sysctl: error reading key 'net.ipv6.conf.lo.stable_secret': I/O error
sysctl: error reading key 'net.ipv6.conf.wlan0.stable_secret': I/O error
sysctl: error reading key 'net.ipv6.conf.wlan1.stable_secret': I/O error
net.netfilter.nf_conntrack_count = 1733

The last line is what I'm monitoring, but all the previous output with the net.ipv6 errors is distracting.

IPv4 ping, traceroute and nslookup work fine, but IPv6 ping and IPv6 traceroute fail with these:

PING openwrt.org (2a03:b0c0:3:d0::1af1:1): 56 data bytes
ping6: sendto: Permission denied

and

traceroute6: can't connect to remote host: Permission denied

ifconfig eth1.2 shows I've got a good IPv4 and IPv6 address from the ISP.

How can IPv6 be configured to eliminate the stable_secret errors and also enable ipv6 ping and traceroute?

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip6tables-save -c; \
ip -6 addr ; ip -6 ro li tab all ; ip -6 ru

Sure, you bet. Here are the pasted commands. They're separated, mainly for my own clarity. This should be sufficiently anonymized.


First line:

root@OpenWrt:~# ubus call system board
{
	"kernel": "4.14.221",
	"hostname": "OpenWrt",
	"system": "ARMv7 Processor rev 2 (v7l)",
	"model": "Linksys WRT1900AC",
	"board_name": "linksys,mamba",
	"release": {
		"distribution": "OpenWrt",
		"version": "19.07.7",
		"revision": "r11306-c4a6851c72",
		"target": "mvebu/cortexa9",
		"description": "OpenWrt 19.07.7 r11306-c4a6851c72"
	}
}
root@OpenWrt:~# 

Second line, command 1:

root@OpenWrt:~# uci export network
package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'ssss:tttt:uuuu::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.1'

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth1.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'

root@OpenWrt:~# 

Second line, command 2:

root@OpenWrt:~# uci export dhcp;
package dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

root@OpenWrt:~# 

Second line, command 3:

root@OpenWrt:~# uci export firewall;
package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config redirect
	option dest_port '123'
	option src 'wan'
	option name 'NTP'
	option src_dport '123'
	option target 'DNAT'
	option dest_ip '192.168.1.rrr'
	option dest 'lan'
	list proto 'udp'

config redirect
	option dest_port '22'
	option src 'wan'
	option name 'ssh'
	option src_dport '22'
	option target 'DNAT'
	option dest_ip '192.168.1.rrr'
	option dest 'lan'
	list proto 'tcp'

config redirect
	option dest_port 'vvvv-wwwww'
	option src 'wan'
	option name 'MoVE telemetry'
	option src_dport 'vvvv-wwwww'
	option target 'DNAT'
	option dest_ip '192.168.1.rrr'
	option dest 'lan'
	list proto 'udp'
	option enabled '0'

root@OpenWrt:~# 

Third line:

root@OpenWrt:~# head -n -0 /etc/firewall.user
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
root@OpenWrt:~# 

Fourth line:

root@OpenWrt:~# ip6tables-save -c
# Generated by ip6tables-save v1.8.3 on Fri Jun  4 10:36:54 2021
*mangle
:PREROUTING ACCEPT [206889:24440018]
:INPUT ACCEPT [158992:11897173]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [32761:4810362]
:POSTROUTING ACCEPT [32761:4810362]
[0:0] -A FORWARD -o eth1.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i eth1.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Fri Jun  4 10:36:54 2021
# Generated by ip6tables-save v1.8.3 on Fri Jun  4 10:36:54 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[126:26068] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[158866:11871105] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[78:7290] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[37587:3137343] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[121201:8726472] -A INPUT -i eth1.2 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth1.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[126:26068] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[32635:4784294] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[21936:3857109] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[10699:927185] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o eth1.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[121201:8726472] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
[0:0] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[10699:927185] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[37587:3137343] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[37587:3137343] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[10699:927185] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[10699:927185] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[37587:3137343] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth1.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o eth1.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth1.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[121201:8726472] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
[121201:8726472] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[0:0] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[0:0] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[121201:8726472] -A zone_wan_src_REJECT -i eth1.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Fri Jun  4 10:36:54 2021
root@OpenWrt:~# 

Fifth line, command 1:

root@OpenWrt:~# ip -6 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 532
    inet6 mmmm::nnnn:oooo:pppp:b5b/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 532
    inet6 mmmm::nnnn:oooo:pppp:b5b/64 scope link 
       valid_lft forever preferred_lft forever
9: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 eeee:ffff:gggg:hh:iiii:jjjj:kkkk:llll/128 scope global dynamic 
       valid_lft 355321sec preferred_lft 355321sec
    inet6 mmmm::nnnn:oooo:pppp:b5b/64 scope link 
       valid_lft forever preferred_lft forever
10: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 mmmm::nnnn:oooo:pppp:b5c/64 scope link 
       valid_lft forever preferred_lft forever
11: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 mmmm::nnnn:oooo:pppp:b5d/64 scope link 
       valid_lft forever preferred_lft forever
12: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 aaaa:bbbb:cccc:dddd::1/64 scope global dynamic 
       valid_lft 355321sec preferred_lft 355321sec
    inet6 ssss:tttt:uuuu::1/60 scope global 
       valid_lft forever preferred_lft forever
    inet6 mmmm::nnnn:oooo:pppp:b5b/64 scope link 
       valid_lft forever preferred_lft forever
root@OpenWrt:~# 

Fifth line, command 2:

root@OpenWrt:~# ip -6 ro li tab all
aaaa:bbbb:cccc:dddd::/64 dev br-lan  metric 1024 
unreachable aaaa:bbbb:cccc:dddd::/64 dev lo  metric 2147483647  error -113
ssss:tttt:uuuu::/64 dev br-lan  metric 1024 
unreachable ssss:tttt:uuuu::/48 dev lo  metric 2147483647  error -113
fe80::/64 dev eth1.2  metric 256 
fe80::/64 dev eth1  metric 256 
fe80::/64 dev wlan0  metric 256 
fe80::/64 dev wlan1  metric 256 
fe80::/64 dev eth0  metric 256 
fe80::/64 dev br-lan  metric 256 
local ::1 dev lo table local  metric 0 
anycast aaaa:bbbb:cccc:dddd:: dev br-lan table local  metric 0 
local aaaa:bbbb:cccc:dddd::1 dev br-lan table local  metric 0 
local eeee:ffff:gggg:hh:iiii:jjjj:kkkk:llll dev eth1.2 table local  metric 0 
anycast ssss:tttt:uuuu:: dev br-lan table local  metric 0 
local ssss:tttt:uuuu::1 dev br-lan table local  metric 0 
anycast fe80:: dev eth1 table local  metric 0 
anycast fe80:: dev eth1.2 table local  metric 0 
anycast fe80:: dev wlan0 table local  metric 0 
anycast fe80:: dev wlan1 table local  metric 0 
anycast fe80:: dev eth0 table local  metric 0 
anycast fe80:: dev br-lan table local  metric 0 
local mmmm::nnnn:oooo:pppp:b5b dev eth1 table local  metric 0 
local mmmm::nnnn:oooo:pppp:b5b dev eth1.2 table local  metric 0 
local mmmm::nnnn:oooo:pppp:b5b dev eth0 table local  metric 0 
local mmmm::nnnn:oooo:pppp:b5b dev br-lan table local  metric 0 
local mmmm::nnnn:oooo:pppp:b5c dev wlan0 table local  metric 0 
local mmmm::nnnn:oooo:pppp:b5d dev wlan1 table local  metric 0 
ff00::/8 dev eth1.2 table local  metric 256 
ff00::/8 dev eth1 table local  metric 256 
ff00::/8 dev wlan0 table local  metric 256 
ff00::/8 dev wlan1 table local  metric 256 
ff00::/8 dev eth0 table local  metric 256 
ff00::/8 dev br-lan table local  metric 256 
root@OpenWrt:~# 

Fifth line, command 3:

root@OpenWrt:~# ip -6 ru
0:	from all lookup local 
32766:	from all lookup main 
4200000000:	from aaaa:bbbb:cccc:dddd::1/64 iif br-lan lookup unspec unreachable
4200000001:	from all iif lo lookup unspec 12
4200000009:	from all iif eth1.2 lookup unspec 12
4200000009:	from all iif eth1.2 lookup unspec 12
4200000012:	from all iif br-lan lookup unspec 12
root@OpenWrt:~#

that should do it.

clear as mud :joy: :joy: :joy:

You have disabled the rules in firewall for IPv6, so it obviously won't work.
Re-enable them and wait until the negotiation is finished and there is a default gateway.


Ok, yes, that's a good point. That's my mistake. The ping and traceroute are not what drove me to post. Those work now without reboot. Just the LuCI Save and Apply button worked great.

The stable_secret is really what has me stumped. There's not a clear, well-defined method for generating the stable secret key for IPv6. The ip-link man page has the best description but examples, especially for OpenWRT, are very sparse and buried in forum threads about other topics.

How is stable_secret assigned (a) properly and (b) persistently so the error goes away?

That's not an error really, it's more like there is no stable secret, so you can't read it... You have to decide whether you WANT stable privacy addresses before just blindly adding stable secrets... But you can add them in /etc/sysctl.conf

For example maybe you just want normal privacy addresses in which case adding a stable secret will break that

Well, it seems that RFC 7217 was created to improve IPv6 security, so in the absence of any reason not to choose improved security I'm trying to set up stable_secret in OpenWRT.

The original goal is really to just stop the sysctl error messages.

After creating a stable_secret string with either:

  1. this method with /dev/urandom, or
  2. this method with uuidgen (by installing it through LuCI interface)

the string was placed in /etc/sysctl.conf with:

net.ipv6.conf.default.stable_secret=aaaa:bbbb:cccc:dddd:eeee:ffff:gggg:hhhh

then sysctl -p caused reload, but nothing changed until reboot.

Bizarrely, that took care of several (quite active) interfaces, but not these:

root@OpenWrt:~# sysctl -a|grep conntrack_count
sysctl: error reading key 'net.ipv6.conf.all.stable_secret': I/O error
sysctl: error reading key 'net.ipv6.conf.eth0.stable_secret': I/O error
sysctl: error reading key 'net.ipv6.conf.eth1.stable_secret': I/O error
sysctl: error reading key 'net.ipv6.conf.lo.stable_secret': I/O error
net.netfilter.nf_conntrack_count = 360
root@OpenWrt:~#

Attempting to set these entries with sysctl -w directly also causes an error.

How can these remaining error messages be eliminated?
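
An added example (not code from the thread or from OpenWrt) that carries out the two steps described above, the /dev/urandom generation and the /etc/sysctl.conf entry, as a small POSIX sh script, plus a read-back that treats the "I/O error" as "unset". It assumes BusyBox od, awk, grep and sed; the function names and the `nonexistent0` interface used in its comments are mine, not from the thread.

```sh
#!/bin/sh
# Added example, not from the thread: generate an RFC 7217 stable_secret,
# persist it as the sysctl key the poster used, and read a key back without
# the "I/O error" noise. Assumes BusyBox/POSIX od, awk, grep and sed.

# 128 random bits as eight zero-padded 4-digit hex groups, which is the IPv6
# address syntax the kernel expects when writing net.ipv6.conf.*.stable_secret.
gen_stable_secret() {
    od -A n -t x2 -N 16 /dev/urandom | awk '{ OFS = ":"; $1 = $1; print }'
}

# Accept only the explicit eight-group form (no "::" shorthand) of hex digits.
# The thread's redacted placeholder aaaa:...:gggg:hhhh fails this check on
# purpose: g and h are not hex digits, so the kernel would reject it too.
is_valid_stable_secret() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}$'
}

# Write or replace the default stable_secret line in a sysctl file so the
# setting survives reboot and re-running the script does not duplicate it.
# $1 = secret, $2 = sysctl file (defaults to /etc/sysctl.conf, as in the thread).
persist_stable_secret() {
    secret=$1
    file=${2:-/etc/sysctl.conf}
    is_valid_stable_secret "$secret" || return 1
    if [ -f "$file" ]; then
        grep -v '^net\.ipv6\.conf\.default\.stable_secret=' "$file" > "$file.tmp" || true
    else
        : > "$file.tmp"
    fi
    printf 'net.ipv6.conf.default.stable_secret=%s\n' "$secret" >> "$file.tmp"
    mv "$file.tmp" "$file"
}

# Report the kernel's view of one interface's stable_secret. A read that fails
# with EIO means "no secret configured for this interface", which is what the
# thread's sysctl messages signal, so it is reported as "unset" rather than
# surfacing as an error. Interface name is the caller's (e.g. eth0, br-lan).
stable_secret_state() {
    f="/proc/sys/net/ipv6/conf/$1/stable_secret"
    if [ ! -e "$f" ]; then
        printf 'no-such-interface\n'
    elif v=$(cat "$f" 2>/dev/null); then
        printf '%s\n' "$v"
    else
        printf 'unset\n'
    fi
}
```

Run `persist_stable_secret "$(gen_stable_secret)"` as root and then `sysctl -p`; as the thread notes, interfaces that are already up may only pick the default up after a reboot, and `stable_secret_state eth0` shows whether a given interface has one yet.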

Stable secrets improve security over standard MAC based addressing, but are reduced security vs privacy addressing (in which the address changes every so often like hourly).

The errors are not errors they're notifications that you've tried to read something that doesn't exist.

Unless you understand the diff btw stable privacy and privacy addresses you shouldn't just blindly set these

To avoid printing the errors I think you can do

sysctl -a -e

Well, if sysctl interrogates the kernel and reports an I/O Error, I'll call it an error. It may be benign, but if the value is not set, then sysctl shouldn't interrogate that parameter. That's the real error.

I tried the -e switch and it did not change anything.

-a means interrogate the kernel for every possible variable... So anything not set produces an error. You'll have to read the man pages on sysctl; I'm on my phone and don't have them, but there is a switch to not print the errors, I think.

How about querying just the value you are interested in?

root@OpenWrt:~# sysctl net.netfilter.nf_conntrack_count
net.netfilter.nf_conntrack_count = 50

or

root@OpenWrt:~# cat /proc/sys/net/netfilter/nf_conntrack_count 
50

or with the conntrack package installed:

root@OpenWrt:~# conntrack -C
50

I hadn't seen this behavior in other distributions until trying.

Summary:

  • sysctl -a works without error on my installations of Ubuntu 20, Raspbian Stretch (Debian 9), and Ubiquiti's OS on a USG-3P (Debian 7).
  • sysctl -a gives some types of errors on my installs of Raspbian Buster (Debian 10) and OpenWRT 19.

The error's cause and solution are unclear, but it seems fairly benign.

hello @mpa ,

This is the best solution yet. What you're saying is, type it all out and don't be lazy :joy: :joy: :joy:

I've never seen the conntrack package but it works great. conntrack -L has some incredible output. wow.

thanks for the thoughtful inputs
