* [BUG] Netfilter in Linux 2.6.1
From: Nico Schottelius @ 2004-01-23 16:03 UTC (permalink / raw)
To: linux-net; +Cc: gregor, netfilter-devel
Hello!
While experimenting with ipsec I found the following problems:
Encapsulated ipsec data (esp) passes through iptables and becomes
decrypted. So far so fine.
Now what happens with those unencrypted packages? It looks like
they travel through iptables again!
Have a look at this example:
I use
http://schotteli.us/~nico/firewall-masq
as my firewall script on the host named "bruehe".
With a notebook (named scice) I start an ipsec connection
with isakmpd via wlan to bruehe:
isakmpd.scice -> wlan0.scice -> wlan0.bruehe -> isakmpd.bruehe.
So far no problems.
The SAs are set fine: [ipsec-bug.setkey]
When I try to ping bruehe it is successful:
scice% ping -c2 192.168.42.1
PING 192.168.42.1 (192.168.42.1): 56 data bytes
64 bytes from 192.168.42.1: icmp_seq=0 ttl=64 time=8.4 ms
64 bytes from 192.168.42.1: icmp_seq=1 ttl=64 time=4.8 ms
--- 192.168.42.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 4.8/6.6/8.4 ms
logged from host named baby, which is sniffing in the wlan:
03:11:04.577573 scice.wlan.intern.schottelius.org >
bruehe.wlan.intern.schottelius.org: ESP(spi=0xd4b291d4,seq=0x3) (DF)
03:11:04.579071 bruehe.wlan.intern.schottelius.org >
scice.wlan.intern.schottelius.org: ESP(spi=0xaa714402,seq=0x3)
03:11:06.193495 scice.wlan.intern.schottelius.org >
bruehe.wlan.intern.schottelius.org: ESP(spi=0xd4b291d4,seq=0x4) (DF)
03:11:06.199202 bruehe.wlan.intern.schottelius.org >
scice.wlan.intern.schottelius.org: ESP(spi=0xaa714402,seq=0x4)
Now I try to ssh to 192.168.42.2 == bruehe.
I don't get any reply, only a timeout (because of the -j DROP rule).
Log from baby:
03:14:42.538601 scice.wlan.intern.schottelius.org >
bruehe.wlan.intern.schottelius.org: ESP(spi=0xd4b291d4,seq=0x8) (DF)
03:14:47.390054 scice.wlan.intern.schottelius.org >
bruehe.wlan.intern.schottelius.org: ESP(spi=0xd4b291d4,seq=0x9) (DF)
03:14:57.094131 scice.wlan.intern.schottelius.org >
bruehe.wlan.intern.schottelius.org: ESP(spi=0xd4b291d4,seq=0xa) (DF)
As you see, no response, although the rules should match them:
#
# IKE from wlan
#
iptables -I INPUT -i $DEV_WLAN -p udp --sport 500 --dport 500 -j ACCEPT
ip6tables -I INPUT -i $DEV_WLAN -p udp --sport 500 --dport 500 -j ACCEPT
#
# ESP encryption and authentication from wlan
#
iptables -I INPUT -i $DEV_WLAN -p esp -j ACCEPT
ip6tables -I INPUT -i $DEV_WLAN -p esp -j ACCEPT
#
# AH
#
iptables -I INPUT -i $DEV_WLAN -p ah -j ACCEPT
ip6tables -I INPUT -i $DEV_WLAN -p ah -j ACCEPT
As ssh gets blocked, I assume after decrypting the packages they
are matching against the rules again.
Is that right?
This looks for me like a bug in netfilter...
Greetings,
Nico
ps: I am on the linux-net ML, not on the netfilter ML, so
please CC-me when replying.
--
Keep it simple & stupid, use what's available.
pgp: 8D0E E27A | Nico Schottelius
http://nerd-hosting.net | http://linux.schottelius.org
[-- Attachment #1.2: ipsec-bug.setkey --]
bruehe:/usr/src/linux# setkey -D
192.168.42.2 192.168.42.1
esp mode=tunnel spi=3568472532(0xd4b291d4) reqid=0(0x00000000)
E: rijndael-cbc 95a4ad71 799ae14e 9c145bb1 3628a4d8
A: hmac-sha1 4bbea868 1b4e334f 3f7317e2 40b221b6 f4a5c58e
seq=0x00000000 replay=0 flags=0x00000000 state=mature
created: Jan 23 16:43:23 2004 current: Jan 23 16:47:18 2004
diff: 235(s) hard: 1200(s) soft: 1080(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=9319 refcnt=0
192.168.42.1 192.168.42.2
esp mode=tunnel spi=2859549698(0xaa714402) reqid=0(0x00000000)
E: rijndael-cbc 3c94ab69 28414ac0 9069dc1f 282d376d
A: hmac-sha1 72710b06 754daf00 8f2aca9f d8e63ac5 7f468a99
seq=0x00000000 replay=0 flags=0x00000000 state=mature
created: Jan 23 16:43:23 2004 current: Jan 23 16:47:18 2004
diff: 235(s) hard: 1200(s) soft: 1080(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=9319 refcnt=0
scice# setkey -D
192.168.42.2 192.168.42.1
esp mode=tunnel spi=3568472532(0xd4b291d4) reqid=0(0x00000000)
E: rijndael-cbc 95a4ad71 799ae14e 9c145bb1 3628a4d8
A: hmac-sha1 4bbea868 1b4e334f 3f7317e2 40b221b6 f4a5c58e
seq=0x00000000 replay=16 flags=0x00000000 state=mature
created: Jan 23 16:43:18 2004 current: Jan 23 16:47:54 2004
diff: 276(s) hard: 1200(s) soft: 1080(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=2783 refcnt=0
192.168.42.1 192.168.42.2
esp mode=tunnel spi=2859549698(0xaa714402) reqid=0(0x00000000)
E: rijndael-cbc 3c94ab69 28414ac0 9069dc1f 282d376d
A: hmac-sha1 72710b06 754daf00 8f2aca9f d8e63ac5 7f468a99
seq=0x00000000 replay=16 flags=0x00000000 state=mature
created: Jan 23 16:43:18 2004 current: Jan 23 16:47:54 2004
diff: 276(s) hard: 1200(s) soft: 1080(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=2783 refcnt=0
* Re: [BUG] Netfilter in Linux 2.6.1
From: David S. Miller @ 2004-01-23 19:42 UTC (permalink / raw)
To: Nico Schottelius; +Cc: linux-net, gregor, netfilter-devel
On Fri, 23 Jan 2004 17:03:19 +0100
Nico Schottelius <nico-linux-net@schottelius.org> wrote:
> Is that right?
>
> This looks for me like a bug in netfilter...
Netfilter first sees the pre-encrypted SSH TCP packets before they are encapsulated
in ESP, and thus your rules say to drop those.
That's just how things work currently.
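The two passes through INPUT that Nico suspects and David confirms (the firewall sees the SSH segment as plaintext as well as inside ESP), modelled as an added illustration; this is not code from the thread or from netfilter. Interface names, rule fields and the `pol_ipsec` flag (which stands in for the `policy` match later kernels added; the 2.6.1 ruleset above has no such match) are constructed for the model, and the `-j DROP` rule from the script is modelled as the chain policy.

```python
from typing import Optional, List, Tuple
from dataclasses import dataclass

@dataclass
class Packet:
    iif: str                      # input interface
    proto: str                    # 'esp', 'tcp', 'udp', 'ah'
    dport: Optional[int] = None
    ipsec: bool = False           # True once the packet came out of an ESP SA

@dataclass
class Rule:
    target: str
    iif: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    pol_ipsec: Optional[bool] = None  # stands in for '-m policy --dir in --pol ipsec'

    def matches(self, p: Packet) -> bool:
        checks = ((self.iif, p.iif), (self.proto, p.proto),
                  (self.dport, p.dport), (self.pol_ipsec, p.ipsec))
        return all(want is None or want == have for want, have in checks)

def input_chain(rules: List[Rule], p: Packet, policy: str = "DROP") -> str:
    """First matching rule wins, as in an iptables chain; else the chain policy."""
    return next((r.target for r in rules if r.matches(p)), policy)

def ssh_over_esp(rules: List[Rule]) -> Tuple[str, Optional[str]]:
    """One inbound SSH segment as INPUT sees it on the 2.6 xfrm stack:
    first the ESP packet, then the decrypted TCP/22 packet reinjected on
    the same interface. Returns the verdict of each pass."""
    v1 = input_chain(rules, Packet(iif="wlan0", proto="esp"))
    if v1 != "ACCEPT":
        return (v1, None)                 # never decrypted, no second pass
    inner = Packet(iif="wlan0", proto="tcp", dport=22, ipsec=True)
    return (v1, input_chain(rules, inner))

# Constructed from the rules quoted in the report (IKE, ESP, AH accepted).
ORIGINAL = [
    Rule("ACCEPT", iif="wlan0", proto="udp", dport=500),
    Rule("ACCEPT", iif="wlan0", proto="esp"),
    Rule("ACCEPT", iif="wlan0", proto="ah"),
]
# Fix possible once a policy match exists: accept inner SSH only if it
# arrived through an SA, so cleartext SSH on wlan0 still hits the DROP.
FIXED = ORIGINAL + [Rule("ACCEPT", iif="wlan0", proto="tcp", dport=22, pol_ipsec=True)]

if __name__ == "__main__":
    print(ssh_over_esp(ORIGINAL))  # ('ACCEPT', 'DROP')
    print(ssh_over_esp(FIXED))     # ('ACCEPT', 'ACCEPT')
```

Without a policy match, the only way to let the decrypted SSH through is a plain `-p tcp --dport 22` rule on the wlan interface, which also admits unencrypted SSH from the same network; the model's third check shows why the policy-qualified rule is preferable.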
* Re: [BUG] Netfilter in Linux 2.6.1
From: Harald Welte @ 2004-01-27 11:00 UTC (permalink / raw)
To: David S. Miller; +Cc: Nico Schottelius, linux-net, gregor, netfilter-devel
On Fri, Jan 23, 2004 at 11:42:05AM -0800, David S. Miller wrote:
> On Fri, 23 Jan 2004 17:03:19 +0100
> Nico Schottelius <nico-linux-net@schottelius.org> wrote:
>
> > Is that right?
> >
> > This looks for me like a bug in netfilter...
>
> Netfilter first sees the pre-encrypted SSH TCP packets before they are
> encapsulated in ESP, and thus your rules say to drop those.
>
> That's just how things work currently.
JFYI: We're currently discussing how to proceed with this issue on
netfilter-devel (Thread started at
http://lists.netfilter.org/pipermail/netfilter-devel/2004-January/013879.html)
--
- Harald Welte <laforge@netfilter.org> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie