From: Florian Westphal <fw@strlen.de>
To: Rafael David Tinoco <rafaeldtinoco@ubuntu.com>
Cc: netfilter@vger.kernel.org,
	Ken-ichirou MATSUZAWA <chamaken@gmail.com>,
	Pablo Neira Ayuso <pablo@netfilter.org>
Subject: Re: NFULNL_CFG_F_CONNTRACK and IPv6
Date: Tue, 12 Jan 2021 17:57:13 +0100	[thread overview]
Message-ID: <20210112165713.GE19605@breakpoint.cc> (raw)
In-Reply-To: <57c4adaf-69c0-4135-a89c-095ed4785d22@www.fastmail.com>

Rafael David Tinoco <rafaeldtinoco@ubuntu.com> wrote:
> Hello list, Ken-ichirou and Pablo,
> 
> I'm developing github.com/rafaeldtinoco/conntracker and, during my tests, I 
> realized that the feature:
> 
> NFULNL_CFG_F_CONNTRACK
> 
> does not seem to be giving me conntrack feature for IPv6 (as it does with
> IPv4). I have checked xtables-monitor code and IPv6 tracing seems to be
> working when using libnftnl.. but I want to maintain compatibility to old
> distros when nf-tables is not available/used.
> 
> bug: https://github.com/rafaeldtinoco/conntracker/issues/1
> 
> TL;DR version is:
> 
> I have a conntrack NEW,ESTABLISHED rule for everything in raw (so all the flows
> are accounted). To each identified flow, listened through
> libnetfilter-conntrack, I add a rule to trace its events.
> 
> I map conntrack <-> trace relation through NFULNL_CFG_F_CONNTRACK feature, this 
> way I know exactly through which rules that flow passed.
> 
> Example:
> 
>  UDPv4 [  2] src = 10.250.91.1 (port=1024) to dst = 10.250.91.255 (port=57621)
> 	table: raw, chain: PREROUTING, type: rule, position: 1
>         table: nat, chain: OUTPUT, type: policy, position: 1
>         table: nat, chain: POSTROUTING, type: policy, position: 2
>         table: filter, chain: INPUT, type: policy, position: 1
>         table: filter, chain: OUTPUT, type: policy, position: 1
> 
> Unfortunately with:
> 
> nflog_nlmsg_parse(nlh, attrs), my attrs[NFULA_CT] is always NULL for IPv6:
> 
>  TCPv6 [  0] src = fe80::1453:5dff:fe1a:ca68 (port=1024) to dst = fe80::216:3eff:fe7f:aedd (port=22) (confirmed)
> ICMPv6 [  0] src = fe80::1453:5dff:fe1a:ca68 to dst = fe80::216:3eff:fe7f:aedd (type=0 | code=0) (confirmed)
> ICMPv6 [  1] src = fe80::1453:5dff:fe1a:ca68 to dst = fe80::3c76:fdff:fea2:82b4 (type=0 | code=0)
> 
> This can also be observed with:
> 
> libnetfilter-log/utils/nf-log.c code (if BUILD_NFCT)

Works for me:
00389d4fd5f00000000a9e2060000000000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637</payload></log>
(ret=450)
ip_conntrack_info: REPLY / ESTABLISHED
icmpv6   58 30 src=::1 dst=::1 type=128 code=0 id=6 src=::1 dst=::1 type=129 code=0 id=6

Do you have an ip6tables rule that matches on conntrack state?
Otherwise conntrack will be disabled.
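A small check for the condition Florian asks about, written as an added example for this thread (it is not code from the thread or from conntracker): it scans an IPv6 ruleset in ip6tables-save format for a conntrack-state match, and if none is present prints a rule that would keep conntrack registered for the IPv6 family, so that NFLOG messages carry NFULA_CT. The sample rulesets are constructed, and the table/chain chosen for the added rule (mangle PREROUTING, no target so it only counts) is my assumption, not something the thread specifies.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks an ip6tables ruleset for a
# conntrack-state match and prints the rule that would switch IPv6 conntrack on.

# has_ct_state_match: read ip6tables-save text on stdin; exit 0 if any rule
# carries a conntrack state match (-m conntrack --ctstate or -m state --state).
has_ct_state_match() {
    grep -Eq -- '-m (conntrack|state) --(ctstate|state) '
}

# ct_enable_rule: the rule to add. It has no target, so it only counts packets;
# its purpose is to keep conntrack active for IPv6. Table/chain are assumptions.
ct_enable_rule() {
    echo 'ip6tables -t mangle -I PREROUTING 1 -m conntrack --ctstate NEW,ESTABLISHED'
}

# check_ruleset: run the check on the ruleset text in $1.
# Returns 0 if a conntrack match exists, 1 otherwise (and prints the fix).
check_ruleset() {
    if printf '%s\n' "$1" | has_ct_state_match; then
        echo "IPv6 ruleset has a conntrack match; NFULA_CT should be populated"
        return 0
    fi
    echo "no conntrack-state match in IPv6 ruleset; NFULA_CT will stay absent"
    echo "fix: $(ct_enable_rule)"
    return 1
}

# Constructed sample: IPv6 side of a setup that only traces, with no conntrack
# match at all (the situation the question describes).
SAMPLE_V6_NO_CT='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -s fe80::/10 -j TRACE
COMMIT'

# Constructed sample: same ruleset after the counting conntrack rule was added.
SAMPLE_V6_WITH_CT='*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -m conntrack --ctstate NEW,ESTABLISHED
COMMIT'

# Live use on a host (needs root):  ip6tables-save | has_ct_state_match
main() {
    check_ruleset "$SAMPLE_V6_NO_CT"
    check_ruleset "$SAMPLE_V6_WITH_CT"
}

main
```

The regex also accepts the older `-m state --state` form that legacy rulesets still use; either match is enough for the kernel to keep IPv6 conntrack enabled, which is the point of Florian's question.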
