Pb using DROP in a PREROUTING hook with ip6tables

Pb using DROP in a PREROUTING hook with ip6tables

[Hadrien HAMEL]

Hi,

I'm trying to develop a match module for filtering MLDv2 Reports packets
(multicast group management protocol in an IPv6 context). My module is
ready and works fine (at least, from what I see of the kernel messages I
print during the tests in the match function), and so I try to use it to
drop MLDv2 Reports.
Since MLDv2 is addressed to multicast group and not to a host address,
it is handled by the kernel before the routing stuff, so that I can't
use INPUT or FORWARD hooks. I must use the PREROUTING hook :

#ip6tables -t raw -A PREROUTING -p ipv6-icmp -m mldv2 -j DROP

Kernel messages show that the mldv2 packets are recognized (and so the
match function returns 1) but the packet aren't dropped. I've tried the
"mangle" table and the "raw" table, but both were ineffective. To be
sure that my module wasn't misbehaving, I tried to drop all the packets
in PREROUTING, with no effects. In comparison, the same command with
iptables (thus in IPv4) has blocked all the incoming packets (which is a
normal behaviour!).

Does anybody know if there is such a bug in ip6tables? Or is this a
misuse of it?

Thanks a lot!
Hadrien

Re: Pb using DROP in a PREROUTING hook with ip6tables

[Patrick McHardy]

Hadrien HAMEL wrote:
> Kernel messages show that the mldv2 packets are recognized (and so the
> match function returns 1) but the packet aren't dropped. I've tried the
> "mangle" table and the "raw" table, but both were ineffective. To be
> sure that my module wasn't misbehaving, I tried to drop all the packets
> in PREROUTING, with no effects. In comparison, the same command with
> iptables (thus in IPv4) has blocked all the incoming packets (which is a
> normal behaviour!).
> 
> Does anybody know if there is such a bug in ip6tables? Or is this a
> misuse of it?

Works fine here:
# ip6tables -t raw -A PREROUTING -j DROP

ping6 ::1 gets no responses

# ip6tables -t raw -F

ping6 ::1 works again

Regards
Patrick

Re: Pb using DROP in a PREROUTING hook with ip6tables

[Hadrien HAMEL]

Patrick McHardy wrote:

> Hadrien HAMEL wrote:
>
>> Kernel messages show that the mldv2 packets are recognized (and so the
>> match function returns 1) but the packet aren't dropped. I've tried the
>> "mangle" table and the "raw" table, but both were ineffective. To be
>> sure that my module wasn't misbehaving, I tried to drop all the packets
>> in PREROUTING, with no effects. In comparison, the same command with
>> iptables (thus in IPv4) has blocked all the incoming packets (which is a
>> normal behaviour!).
>>
>> Does anybody know if there is such a bug in ip6tables? Or is this a
>> misuse of it?
>
>
> Works fine here:
> # ip6tables -t raw -A PREROUTING -j DROP
>
> ping6 ::1 gets no responses
>
> # ip6tables -t raw -F
>
> ping6 ::1 works again
>
> Regards
> Patrick
>

Hi,

Indeed, ping6 and other unicast functions seem to be blocked. I tested
it again with
#ip6tables -t raw -P PREROUTING DROP
on my multicast router. My multicast client cannot ping6 the router
anymore, but MLDv2 reports are not blocked.
I'm trying to find what could causes this problem (multicast packets are
somewhat special).

If anyone had an hint, it would be helpful!

Regards
Hadrien