From: "Brian J. Murrell" <brian@interlinx.bc.ca>
To: netfilter@vger.kernel.org
Subject: netfilter periodically thinks local traffic is FORWARDed
Date: Tue, 19 Jul 2011 06:51:17 -0400
Message-ID: <j03nj6$sql$1@dough.gmane.org>
I have a router running 2.6.32.27. It has an ip6 interface on it:
# ifconfig sixxs
sixxs Link encap:IPv6-in-IPv4
inet6 addr: 2001:1234:f:107::2/64 Scope:Global
inet6 addr: fe80::a08:1/64 Scope:Link
inet6 addr: fe80::a4b:16fe/64 Scope:Link
inet6 addr: fe80::ae8a:d6fb/64 Scope:Link
inet6 addr: fe80::a4b:16c4/64 Scope:Link
inet6 addr: fe80::43c1:d6f2/64 Scope:Link
UP POINTOPOINT RUNNING NOARP MTU:1280 Metric:1
RX packets:11962628 errors:0 dropped:0 overruns:0 frame:0
TX packets:7222926 errors:1393 dropped:0 overruns:0 carrier:1393
collisions:0 txqueuelen:0
RX bytes:1568350253 (1.4 GiB) TX bytes:523325199 (499.0 MiB)
I have ip6tables rules installed (courtesy of Shorewall). It seems
occasionally however that netfilter thinks that traffic that is
(supposed to be) local is being forwarded:
Jul 19 06:44:41 10.75.22.196 kernel: Shorewall:FORWARD:REJECT:IN=sixxs OUT=sixxs SRC=2001:1234:000f:0107:0000:0000:0000:0001 DST=2001:1234:000f:0107:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=19746 SEQ=16622
That reject message is being caused by the second to last rule of my
FORWARD chain, after which the packet is "reject"ed:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out    source  destination
 536K  243M accounting all      *      *      ::/0    ::/0
 127K   13M dynamic    all      *      *      ::/0    ::/0    ctstate INVALID,NEW
 274K  219M net2loc    all      sixxs  br-lan ::/0    ::/0
 256K   24M loc_frwd   all      br-lan *      ::/0    ::/0
    0     0 ACCEPT     all      *      *      ::/0    ::/0    ctstate RELATED,ESTABLISHED
 6559  682K Reject     all      *      *      ::/0    ::/0
 6559  682K LOG        all      *      *      ::/0    ::/0    LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
 6559  682K reject     all      *      *      ::/0    ::/0    [goto]
The question is of course, given that the DST address in that reject log
message is a local address of the ip6tables machine, why is the packet
being processed by the FORWARD chain?
I have put a "watch" on the interface to see if it's temporarily losing
that address while those packets are being logged and rejected and I
didn't see any evidence of such.
Any other ideas?
Cheers,
b.
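The check the post describes (a FORWARD-chain LOG entry whose DST is one of the router's own addresses) can be automated over the kernel log. The script below is an added example, not code from the original post or from Shorewall; the log lines and the local-address set are constructed from the output quoted above, and the second log line is made up to show a non-local DST being ignored.

```python
import ipaddress
import re

# Constructed sample input: the Shorewall/netfilter log line from the post
# (rejoined onto one line) plus a second, made-up line whose DST is not local.
SAMPLE_LOG = [
    "Jul 19 06:44:41 10.75.22.196 kernel: Shorewall:FORWARD:REJECT:IN=sixxs "
    "OUT=sixxs SRC=2001:1234:000f:0107:0000:0000:0000:0001 "
    "DST=2001:1234:000f:0107:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=63 "
    "FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=19746 SEQ=16622",
    "Jul 19 06:45:02 10.75.22.196 kernel: Shorewall:FORWARD:REJECT:IN=sixxs "
    "OUT=br-lan SRC=2001:db8::1 DST=2001:db8:1::5 LEN=104 TC=0 HOPLIMIT=63 "
    "FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0",
]

# Addresses the router holds on the sixxs interface (taken from the ifconfig output).
LOCAL_ADDRS = {
    ipaddress.ip_address(a)
    for a in ("2001:1234:f:107::2", "fe80::a08:1", "fe80::a4b:16fe",
              "fe80::ae8a:d6fb", "fe80::a4b:16c4", "fe80::43c1:d6f2")
}

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_netfilter_log(line):
    """Split a 'Shorewall:CHAIN:TARGET:' LOG line into chain, target and KEY=value
    fields. Returns None for lines that are not netfilter LOG output."""
    start = line.find("Shorewall:")
    if start < 0:
        return None
    # maxsplit=3 keeps the colons inside the IPv6 addresses intact.
    _, chain, target, rest = line[start:].split(":", 3)
    return {"chain": chain, "target": target, "fields": dict(FIELD_RE.findall(rest))}


def local_dst_in_forward(lines, local_addrs):
    """Return entries logged from the FORWARD chain whose DST is one of the
    router's own addresses, i.e. the anomaly the post asks about.
    Expanded/compressed IPv6 spellings compare equal via ipaddress."""
    hits = []
    for line in lines:
        entry = parse_netfilter_log(line)
        if entry is None or entry["chain"] != "FORWARD":
            continue
        dst = ipaddress.ip_address(entry["fields"]["DST"])
        if dst in local_addrs:
            hits.append({"dst": dst, "in": entry["fields"].get("IN"),
                         "out": entry["fields"].get("OUT"),
                         "proto": entry["fields"].get("PROTO")})
    return hits
```

Feeding the router's syslog through local_dst_in_forward() gives a timeline of the events to correlate against the interface-address watch mentioned above.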