[PATCH] netfilter: Fix GRE over IPv6 with conntrack module
From: linuxludo @ 2021-03-03 10:21 UTC
To: pablo, kadlec, fw; Cc: netfilter-devel, coreteam

Dear,

I would like to provide you with a small patch in order to fix a BUG when GRE over IPv6 is used with the netfilter/conntrack module.

This is my first contribution; not knowing the procedure well, thank you for being aware of this request.

Regarding the proposed patch, here is a description of the encountered bug.
Indeed, when an ip6tables rule dropping traffic due to an invalid packet (aka w/ conntrack module) is placed before a GRE protocol permit rule, the latter is never reached; the packet is discarded via the previous rule.

The proposed patch takes into account both IPv4 and IPv6 in the conntrack module for the GRE protocol.
You will find it at the end of this email.

I personally tested this, successfully.

By making a contribution to this project, I certify that:

a. The contribution was created in whole or in part by me and I have the right to submit it under the open source license indicated in the file; or

b. The contribution is based upon previous work that, to the best of my knowledge, is covered under an appropriate open source license and I have the right under that license to submit that work with modifications, whether created in whole or in part by me, under the same open source license (unless I am permitted to submit under a different license), as indicated in the file; or

c. The contribution was provided directly to me by some other person who certified (a), (b) or (c) and I have not modified it.

d. I understand and agree that this project and the contribution are public and that a record of the contribution (including all personal information I submit with it, including my sign-off) is maintained indefinitely and may be redistributed consistent with this project or the open source license(s) involved.

Signed-off-by: ludovic senecaux <linuxludo@free.fr>

Thanks for your reply,
Regards,

---
Here is the patch:

--- nf_conntrack_proto_gre.c.orig	2021-03-03 05:03:37.034665100 -0500
+++ nf_conntrack_proto_gre.c	2021-03-02 17:42:53.000000000 -0500
@@ -219,7 +219,7 @@ int nf_conntrack_gre_packet(struct nf_co
 			   enum ip_conntrack_info ctinfo,
 			   const struct nf_hook_state *state)
 {
-	if (state->pf != NFPROTO_IPV4)
+	if (state->pf != NFPROTO_IPV4 && state->pf != NFPROTO_IPV6)
 		return -NF_ACCEPT;
 
 	if (!nf_ct_is_confirmed(ct)) {
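Review bot: the unchanged line directly below the modified condition, 'return -NF_ACCEPT;', is the actual defect rather than the address-family test: a negative return from nf_conntrack_gre_packet makes conntrack treat the packet as invalid, which is exactly why the '[FW6-IN-2-D]' invalid rule fires in the log reported later in this thread. Adding 'state->pf != NFPROTO_IPV6' to the test only changes which packets reach that path. Since the tracker contains nothing L3-specific and only IPv4 and IPv6 are registered, drop the if-clause entirely instead of extending it. Also, the hunk is a plain 'diff -u' between two files with no commit message and no 'a/' and 'b/' paths, so it will not apply with 'git am' or pass 'scripts/checkpatch.pl' as-is; a v2 in git format-patch form is needed.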
Re: [PATCH] netfilter: Fix GRE over IPv6 with conntrack module
From: Florian Westphal @ 2021-03-03 16:27 UTC
To: linuxludo; Cc: pablo, kadlec, fw, netfilter-devel, coreteam

linuxludo@free.fr <linuxludo@free.fr> wrote:
> I would like to provide you with a small patch in order to fix a BUG when GRE over IPv6 is used with the netfilter/conntrack module.
>
> This is my first contribution; not knowing the procedure well, thank you for being aware of this request.

See https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst

In short, the patch should pass 'scripts/checkpatch.pl' and should apply cleanly with 'git am'.

> Regarding the proposed patch, here is a description of the encountered bug.
> Indeed, when an ip6tables rule dropping traffic due to an invalid packet (aka w/ conntrack module) is placed before a GRE protocol permit rule, the latter is never reached; the packet is discarded via the previous rule.
>
> The proposed patch takes into account both IPv4 and IPv6 in the conntrack module for the GRE protocol.
> You will find it at the end of this email.
>
> I personally tested this, successfully.

If the GRE tracker works fine with ipv6 it's best to just remove the if-clause entirely, we only support ipv4 and ipv6 anyway.
Re: [PATCH] netfilter: Fix GRE over IPv6 with conntrack module
From: Pablo Neira Ayuso @ 2021-03-03 16:33 UTC
To: linuxludo; Cc: kadlec, fw, netfilter-devel, coreteam

Hi,

On Wed, Mar 03, 2021 at 11:21:11AM +0100, linuxludo@free.fr wrote:
> Dear,
>
> I would like to provide you with a small patch in order to fix a BUG when GRE over IPv6 is used with the netfilter/conntrack module.
>
> This is my first contribution; not knowing the procedure well, thank you for being aware of this request.
>
> Regarding the proposed patch, here is a description of the encountered bug.
> Indeed, when an ip6tables rule dropping traffic due to an invalid packet (aka w/ conntrack module) is placed before a GRE protocol permit rule, the latter is never reached; the packet is discarded via the previous rule.
>
> The proposed patch takes into account both IPv4 and IPv6 in the conntrack module for the GRE protocol.
> You will find it at the end of this email.

The GRE protocol helper is tied to the PPTP conntrack helper, which does not support IPv6.

How are you using this update in your infrastructure?

Thanks.

> --- nf_conntrack_proto_gre.c.orig	2021-03-03 05:03:37.034665100 -0500
> +++ nf_conntrack_proto_gre.c	2021-03-02 17:42:53.000000000 -0500
> @@ -219,7 +219,7 @@ int nf_conntrack_gre_packet(struct nf_co
>  			   enum ip_conntrack_info ctinfo,
>  			   const struct nf_hook_state *state)
>  {
> -	if (state->pf != NFPROTO_IPV4)
> +	if (state->pf != NFPROTO_IPV4 && state->pf != NFPROTO_IPV6)
>  		return -NF_ACCEPT;
> 
>  	if (!nf_ct_is_confirmed(ct)) {
Re: [PATCH] netfilter: Fix GRE over IPv6 with conntrack module
From: linuxludo @ 2021-03-03 16:56 UTC
To: Pablo Neira Ayuso; Cc: kadlec, fw, netfilter-devel, coreteam

I am using this module to establish GRE tunnels.

Previously, I had this in my ip6tables rules:

ip6tables -N FW6-IN
ip6tables -A FW6-IN -m conntrack --ctstate established,related -j LOG --log-prefix '[FW6-IN-1-A]'
ip6tables -A FW6-IN -m conntrack --ctstate established,related -j RETURN
ip6tables -A FW6-IN -m conntrack --ctstate invalid -j LOG --log-prefix '[FW6-IN-2-D]'
ip6tables -A FW6-IN -m conntrack --ctstate invalid -j DROP
ip6tables -A FW6-IN -p gre -j LOG --log-prefix '[FW6-IN-3-A]'
ip6tables -A FW6-IN -p gre -j RETURN
ip6tables -A FW6-IN -p icmp -j LOG --log-prefix '[FW6-IN-4-A]'
ip6tables -A FW6-IN -p icmp -j RETURN
ip6tables -A FW6-IN -j LOG --log-prefix '[FW6-IN-DEFAULT-D]'
ip6tables -A FW6-IN -j DROP
ip6tables -A INPUT -j FW6-IN

Then a GRE interface:

ip link add name tun0 type ip6gre remote 2001:db8:1000::1 local 2001:db8:1000::2
ip address add 10.0.0.2/30 dev tun0
ip link set up dev tun0

When I enabled the GRE tunnel interface, I got a reject of GRE packets:

Mar 1 09:09:56 router1 kernel: [ 303.025798] [FW6-IN-2-D] IN=eth0 OUT= MAC=0c:d8:6a:66:03:00:0c:d8:6a:b7:90:00:86:dd SRC=2001:0db8:1000:0000:0000:0000:0000:0002 DST=2001:0db8:1000:0000:0000:0000:0000:0001 LEN=136 TC=0 HOPLIMIT=64 FLOWLBL=825134 PROTO=47

This unconditionally matched the invalid packets rule.

With the proposed patch, the rule '[FW6-IN-3-A]' is correctly matched when activating the GRE tunnel interface. Likewise, the rule '[FW6-IN-1-A]' is matched for the flow passing through the GRE tunnel.

Regards,

----- Original message -----
From: "Pablo Neira Ayuso" <pablo@netfilter.org>
To: linuxludo@free.fr
Cc: kadlec@netfilter.org, fw@strlen.de, netfilter-devel@vger.kernel.org, coreteam@netfilter.org
Sent: Wednesday 3 March 2021 17:33:22
Subject: Re: [PATCH] netfilter: Fix GRE over IPv6 with conntrack module

Hi,

On Wed, Mar 03, 2021 at 11:21:11AM +0100, linuxludo@free.fr wrote:
> Dear,
>
> I would like to provide you with a small patch in order to fix a BUG when GRE over IPv6 is used with the netfilter/conntrack module.
>
> This is my first contribution; not knowing the procedure well, thank you for being aware of this request.
>
> Regarding the proposed patch, here is a description of the encountered bug.
> Indeed, when an ip6tables rule dropping traffic due to an invalid packet (aka w/ conntrack module) is placed before a GRE protocol permit rule, the latter is never reached; the packet is discarded via the previous rule.
>
> The proposed patch takes into account both IPv4 and IPv6 in the conntrack module for the GRE protocol.
> You will find it at the end of this email.

The GRE protocol helper is tied to the PPTP conntrack helper, which does not support IPv6.

How are you using this update in your infrastructure?

Thanks.

> --- nf_conntrack_proto_gre.c.orig	2021-03-03 05:03:37.034665100 -0500
> +++ nf_conntrack_proto_gre.c	2021-03-02 17:42:53.000000000 -0500
> @@ -219,7 +219,7 @@ int nf_conntrack_gre_packet(struct nf_co
>  			   enum ip_conntrack_info ctinfo,
>  			   const struct nf_hook_state *state)
>  {
> -	if (state->pf != NFPROTO_IPV4)
> +	if (state->pf != NFPROTO_IPV4 && state->pf != NFPROTO_IPV6)
>  		return -NF_ACCEPT;
> 
>  	if (!nf_ct_is_confirmed(ct)) {
Re: [PATCH] netfilter: Fix GRE over IPv6 with conntrack module
From: Florian Westphal @ 2021-03-03 17:12 UTC
To: linuxludo; Cc: Pablo Neira Ayuso, kadlec, fw, netfilter-devel, coreteam

linuxludo@free.fr <linuxludo@free.fr> wrote:
> When I enabled the GRE tunnel interface, I got a reject of GRE packets:
>
> Mar 1 09:09:56 router1 kernel: [ 303.025798] [FW6-IN-2-D] IN=eth0 OUT= MAC=0c:d8:6a:66:03:00:0c:d8:6a:b7:90:00:86:dd SRC=2001:0db8:1000:0000:0000:0000:0000:0002 DST=2001:0db8:1000:0000:0000:0000:0000:0001 LEN=136 TC=0 HOPLIMIT=64 FLOWLBL=825134 PROTO=47
>
> This unconditionally matched the invalid packets rule.

Yes, the return value is wrong, it should be NF_ACCEPT, not -NF_ACCEPT.

In older kernels, the gre tracker only registers for ipv4 and ipv6 gre falls back to the generic ipv6 tracker.

I think given there is nothing l3 protocol specific in the GRE tracker, removal of the conditional is preferable.
RE: [PATCH] netfilter: Fix GRE over IPv6 with conntrack module
From: Ludovic Sénécaux @ 2021-03-03 18:00 UTC
To: 'Florian Westphal'; Cc: 'Pablo Neira Ayuso', kadlec, netfilter-devel, coreteam

Thanks for your feedback.

So, in this case, can you consider this request?
Or do I have to make a new one?

Regards,

-----Original message-----
From: Florian Westphal <fw@strlen.de>
Sent: Wednesday 3 March 2021 18:12
To: linuxludo@free.fr
Cc: Pablo Neira Ayuso <pablo@netfilter.org>; kadlec@netfilter.org; fw@strlen.de; netfilter-devel@vger.kernel.org; coreteam@netfilter.org
Subject: Re: [PATCH] netfilter: Fix GRE over IPv6 with conntrack module

linuxludo@free.fr <linuxludo@free.fr> wrote:
> When I enabled the GRE tunnel interface, I got a reject of GRE packets:
>
> Mar 1 09:09:56 router1 kernel: [ 303.025798] [FW6-IN-2-D] IN=eth0
> OUT= MAC=0c:d8:6a:66:03:00:0c:d8:6a:b7:90:00:86:dd
> SRC=2001:0db8:1000:0000:0000:0000:0000:0002
> DST=2001:0db8:1000:0000:0000:0000:0000:0001 LEN=136 TC=0 HOPLIMIT=64
> FLOWLBL=825134 PROTO=47
>
> This unconditionally matched the invalid packets rule.

Yes, the return value is wrong, it should be NF_ACCEPT, not -NF_ACCEPT.

In older kernels, the gre tracker only registers for ipv4 and ipv6 gre falls back to the generic ipv6 tracker.

I think given there is nothing l3 protocol specific in the GRE tracker, removal of the conditional is preferable.
Re: [PATCH] netfilter: Fix GRE over IPv6 with conntrack module
From: Florian Westphal @ 2021-03-04 1:11 UTC
To: Ludovic Sénécaux; Cc: 'Florian Westphal', 'Pablo Neira Ayuso', kadlec, netfilter-devel, coreteam

Ludovic Sénécaux <linuxludo@free.fr> wrote:
> Thanks for your feedback.
>
> So, in this case, can you consider this request?
> Or do I have to make a new one?

We won't apply this patch as-is. Please send a v2 following the guidelines & with the feedback addressed.

Alternatively, I will fix this bug myself sometime next week.