From: Nico Schottelius <nico-linux-net@schottelius.org>
To: linux-net@vger.kernel.org
Cc: gregor@tecmafia.de, netfilter-devel@lists.netfilter.org
Subject: [BUG] Netfilter in Linux 2.6.1
Date: Fri, 23 Jan 2004 17:03:19 +0100
Message-ID: <20040123160319.GA2733@schottelius.org>
Hello!
While experimenting with ipsec I found the following problems:
Encapsulated ipsec data (esp) passes through iptables and becomes
decrypted. So far so fine.
Now what happens with those unencrypted packages? It looks like
they travel through iptables again!
Have a look at this example:
I use
http://schotteli.us/~nico/firewall-masq
as my firewall script on the host named "bruehe".
With a notebook (named scice) I start an ipsec connection
with isakmpd via wlan to bruehe:
isakmpd.scice -> wlan0.scice -> wlan0.bruehe -> isakmpd.bruehe.
So far no problems.
The SAs are set fine: [ipsec-bug.setkey]
When I try to ping bruehe it is successful:
scice% ping -c2 192.168.42.1
PING 192.168.42.1 (192.168.42.1): 56 data bytes
64 bytes from 192.168.42.1: icmp_seq=0 ttl=64 time=8.4 ms
64 bytes from 192.168.42.1: icmp_seq=1 ttl=64 time=4.8 ms
--- 192.168.42.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 4.8/6.6/8.4 ms
logged from host named baby, which is sniffing in the wlan:
03:11:04.577573 scice.wlan.intern.schottelius.org >
bruehe.wlan.intern.schottelius.org: ESP(spi=0xd4b291d4,seq=0x3) (DF)
03:11:04.579071 bruehe.wlan.intern.schottelius.org >
scice.wlan.intern.schottelius.org: ESP(spi=0xaa714402,seq=0x3)
03:11:06.193495 scice.wlan.intern.schottelius.org >
bruehe.wlan.intern.schottelius.org: ESP(spi=0xd4b291d4,seq=0x4) (DF)
03:11:06.199202 bruehe.wlan.intern.schottelius.org >
scice.wlan.intern.schottelius.org: ESP(spi=0xaa714402,seq=0x4)
Now I try to ssh to 192.168.42.2 == bruehe.
I don't get any reply, only a timeout (because of the -j DROP rule).
Log from baby:
03:14:42.538601 scice.wlan.intern.schottelius.org >
bruehe.wlan.intern.schottelius.org: ESP(spi=0xd4b291d4,seq=0x8) (DF)
03:14:47.390054 scice.wlan.intern.schottelius.org >
bruehe.wlan.intern.schottelius.org: ESP(spi=0xd4b291d4,seq=0x9) (DF)
03:14:57.094131 scice.wlan.intern.schottelius.org >
bruehe.wlan.intern.schottelius.org: ESP(spi=0xd4b291d4,seq=0xa) (DF)
As you see, no response, although the rules should match them:
#
# IKE from wlan
#
iptables -I INPUT -i $DEV_WLAN -p udp --sport 500 --dport 500 -j ACCEPT
ip6tables -I INPUT -i $DEV_WLAN -p udp --sport 500 --dport 500 -j ACCEPT
#
# ESP encryption and authentication from wlan
#
iptables -I INPUT -i $DEV_WLAN -p esp -j ACCEPT
ip6tables -I INPUT -i $DEV_WLAN -p esp -j ACCEPT
#
# AH
#
iptables -I INPUT -i $DEV_WLAN -p ah -j ACCEPT
ip6tables -I INPUT -i $DEV_WLAN -p ah -j ACCEPT
As ssh gets blocked, I assume after decrypting the packages they
are matching against the rules again.
Is that right?
This looks to me like a bug in netfilter...
Greetings,
Nico
ps: I am on the linux-net ML, not on the netfilter ML, so
please CC me when replying.
--
Keep it simple & stupid, use what's available.
pgp: 8D0E E27A | Nico Schottelius
http://nerd-hosting.net | http://linux.schottelius.org
[-- Attachment #1.2: ipsec-bug.setkey --]
bruehe:/usr/src/linux# setkey -D
192.168.42.2 192.168.42.1
esp mode=tunnel spi=3568472532(0xd4b291d4) reqid=0(0x00000000)
E: rijndael-cbc 95a4ad71 799ae14e 9c145bb1 3628a4d8
A: hmac-sha1 4bbea868 1b4e334f 3f7317e2 40b221b6 f4a5c58e
seq=0x00000000 replay=0 flags=0x00000000 state=mature
created: Jan 23 16:43:23 2004 current: Jan 23 16:47:18 2004
diff: 235(s) hard: 1200(s) soft: 1080(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=9319 refcnt=0
192.168.42.1 192.168.42.2
esp mode=tunnel spi=2859549698(0xaa714402) reqid=0(0x00000000)
E: rijndael-cbc 3c94ab69 28414ac0 9069dc1f 282d376d
A: hmac-sha1 72710b06 754daf00 8f2aca9f d8e63ac5 7f468a99
seq=0x00000000 replay=0 flags=0x00000000 state=mature
created: Jan 23 16:43:23 2004 current: Jan 23 16:47:18 2004
diff: 235(s) hard: 1200(s) soft: 1080(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=9319 refcnt=0
scice# setkey -D
192.168.42.2 192.168.42.1
esp mode=tunnel spi=3568472532(0xd4b291d4) reqid=0(0x00000000)
E: rijndael-cbc 95a4ad71 799ae14e 9c145bb1 3628a4d8
A: hmac-sha1 4bbea868 1b4e334f 3f7317e2 40b221b6 f4a5c58e
seq=0x00000000 replay=16 flags=0x00000000 state=mature
created: Jan 23 16:43:18 2004 current: Jan 23 16:47:54 2004
diff: 276(s) hard: 1200(s) soft: 1080(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=2783 refcnt=0
192.168.42.1 192.168.42.2
esp mode=tunnel spi=2859549698(0xaa714402) reqid=0(0x00000000)
E: rijndael-cbc 3c94ab69 28414ac0 9069dc1f 282d376d
A: hmac-sha1 72710b06 754daf00 8f2aca9f d8e63ac5 7f468a99
seq=0x00000000 replay=16 flags=0x00000000 state=mature
created: Jan 23 16:43:18 2004 current: Jan 23 16:47:54 2004
diff: 276(s) hard: 1200(s) soft: 1080(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=2783 refcnt=0
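As an added illustration that is not part of the original mail or its firewall script, here is a small Python model of the two INPUT passes the report describes: the ESP packet is evaluated once as proto esp, the IPsec stack decrypts it, and the inner packet is handed to INPUT again as a fresh packet. The rule set, the interface name wlan0, the assumed ICMP accept rule (the ping succeeded) and the `ipsec_only` flag (an analogue of the later `-m policy --dir in --pol ipsec` match, not something available on 2.6.1) are all constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str                        # "esp", "ah", "udp", "tcp", "icmp"
    dport: Optional[int] = None
    inner: Optional["Packet"] = None  # cleartext payload of an ESP packet
    decapsulated: bool = False        # True once IPsec stripped the ESP header

@dataclass(frozen=True)
class Rule:
    iface: str
    proto: str
    dport: Optional[int] = None
    target: str = "ACCEPT"
    ipsec_only: bool = False  # assumed analogue of "-m policy --dir in --pol ipsec"

def match(rule: Rule, pkt: Packet) -> bool:
    return (rule.iface == pkt.iface and rule.proto == pkt.proto
            and (rule.dport is None or rule.dport == pkt.dport)
            and (not rule.ipsec_only or pkt.decapsulated))

def input_chain(rules: List[Rule], pkt: Packet, policy: str = "DROP") -> str:
    # First matching rule wins, as in iptables; otherwise the chain policy applies.
    for r in rules:
        if match(r, pkt):
            return r.target
    return policy

def deliver(rules: List[Rule], pkt: Packet) -> List[str]:
    """One verdict per INPUT pass: the ESP packet itself, then (if it was
    accepted and carries a payload) the decrypted inner packet."""
    verdicts = [input_chain(rules, pkt)]
    if pkt.proto == "esp" and verdicts[0] == "ACCEPT" and pkt.inner is not None:
        inner = Packet(pkt.iface, pkt.inner.proto, pkt.inner.dport,
                       decapsulated=True)
        verdicts.append(input_chain(rules, inner))
    return verdicts

# Constructed rule set modelled on the report's wlan rules; there is no rule
# admitting tcp/22 from wlan0, so the decrypted ssh SYN meets the DROP policy.
WLAN_RULES = [Rule("wlan0", "udp", 500), Rule("wlan0", "esp"),
              Rule("wlan0", "ah"), Rule("wlan0", "icmp")]
# Same set plus one rule that admits ssh only when it arrived through the tunnel.
FIXED_RULES = WLAN_RULES + [Rule("wlan0", "tcp", 22, ipsec_only=True)]

PING = Packet("wlan0", "esp", inner=Packet("wlan0", "icmp"))          # works
SSH = Packet("wlan0", "esp", inner=Packet("wlan0", "tcp", 22))        # times out
```

`deliver(WLAN_RULES, SSH)` yields `["ACCEPT", "DROP"]`: the ESP packet passes, the inner tcp/22 packet does not, which is exactly the symptom in the report, while the ping's inner ICMP packet passes on both rounds.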
Thread overview: 3+ messages
2004-01-23 16:03 Nico Schottelius [this message]
2004-01-23 19:42 ` [BUG] Netfilter in Linux 2.6.1 David S. Miller
2004-01-27 11:00 ` Harald Welte