From: Eric Leblond <eric@inl.fr>
To: Marek Szuba <Marek.Szuba@if.pw.edu.pl>
Cc: Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp>,
kaber@trash.net, netfilter-devel@vger.kernel.org,
vstinner@inl.fr, Pablo Neira Ayuso <pablo@netfilter.org>
Subject: [PATCH 0/2] IPv6 conntrack support for neighbour discovery
Date: Thu, 22 Jan 2009 00:41:27 +0100 [thread overview]
Message-ID: <1232581287.16003.47.camel@ice-age> (raw)
In-Reply-To: <20081105133508.67b25090@hiperon.ws.hirg>
[-- Attachment #1: Type: text/plain, Size: 2364 bytes --]
Hi,
Le mercredi 05 novembre 2008 à 13:35 +0100, Marek Szuba a écrit :
> On Wed, 05 Nov 2008 13:44:05 +0900 (JST)
> Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp> wrote:
>
> > In short: nf_conntrack_proto_icmpv6.c does not help for protocols
> > using their messages. conntrack helper is better.
> So what you are suggesting is, someone needs to write such a helper
> module. Correct?
I'm reopening this thread because Victor Stinner (in CC) has opened a
similar bug in bugzilla:
http://bugzilla.netfilter.org/show_bug.cgi?id=567
Pablo has then pointed out this discussion.
I don't think that we have to handle these part of ICMPv6 protocol with
a connection tracking helper. For example, here's the trace of the
exchange which are needed to obtain a "public" IPv6 address on my setup:
15:14:42.377744 IP6 fe80::a00:27ff:feb3:e26c > ff02::2: ICMP6, router solicitation, length 16
15:14:42.405725 IP6 fe80::207:cbff:fe90:f8d1 > ff02::1: ICMP6, router advertisement, length 104
15:14:43.401395 IP6 :: > ff02::1:ffb3:e26c: ICMP6, neighbor solicitation, who has 2a01:e35:1394:5bd0:a00:27ff:feb3:e26c, length 24
15:14:46.628300 IP6 fe80::a00:27ff:feb3:e26c > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
If we only analyse the first two, we see we can't easily invert the
tuple of the connection: we don't know which address will answer and the
destination address of the packet are changing. But as pointed by
Yasuyuki the main point is not here, we need to accept the router
advertisement to be able to detect changes in the routing. In fact,
theses protocols are stateless and should be considered as such.
IMHO, the main issue here is to tag the packets as INVALID. They are
valid even we can't track them. I thus propose a patchset which adds the
capability to avoid connection tracking the packets of these protocols.
A sysctl flag can be set to activate this feature.
With this patchset, the concerned packet don't get blocked by the
INVALID rule and are not seen by the conntrack. They can be cleanly
filtered in the ruleset.
Patchset statistics:
net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c | 35 +++++++++++++++++++++++-
1 files changed, 34 insertions(+), 1 deletions(-)
BR,
--
Eric Leblond <eric@inl.fr>
INL: http://www.inl.fr/
NuFW: http://www.nufw.org/
[-- Attachment #2: Ceci est une partie de message numériquement signée --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
next prev parent reply other threads:[~2009-01-21 23:41 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-10-30 13:52 IPv6 conntrack support for neighbour discovery Marek Szuba
2008-11-04 14:06 ` Patrick McHardy
2008-11-05 4:44 ` Yasuyuki KOZAKAI
[not found] ` <200811050444.mA54i7F8028119@toshiba.co.jp>
2008-11-05 9:50 ` Patrick McHardy
2008-11-05 12:40 ` Marek Szuba
2008-11-05 12:48 ` Patrick McHardy
2008-11-05 13:01 ` Yasuyuki KOZAKAI
[not found] ` <200811050444.mA54i7XU020102@toshiba.co.jp>
2008-11-05 12:35 ` Marek Szuba
2009-01-21 23:41 ` Eric Leblond [this message]
2009-01-21 23:43 ` [PATCH 1/2] netfilter: use sysctl to choose icmpv6 autoconf behaviour Eric Leblond
2009-01-21 23:43 ` [PATCH 2/2] netfilter: don't track ICMPv6 negotiation message Eric Leblond
2009-01-21 23:49 ` Eric Leblond
2009-01-21 23:51 ` [Resend PATCH " Eric Leblond
2009-01-23 10:21 ` [PATCH 0/2] IPv6 conntrack support for neighbour discovery Yasuyuki KOZAKAI
2009-01-23 7:40 ` Yasuyuki KOZAKAI
2009-01-23 9:02 ` Eric Leblond
2009-01-23 9:42 ` Jozsef Kadlecsik
2009-01-23 9:50 ` Jozsef Kadlecsik
2009-01-23 10:42 ` Yasuyuki KOZAKAI
[not found] ` <200901231021.n0NALINO007201@toshiba.co.jp>
2009-01-23 10:51 ` Eric Leblond
2009-01-23 11:10 ` Yasuyuki KOZAKAI
2009-01-24 10:32 ` [PATCH] netfilter: don't track ICMPv6 negotiation message Eric Leblond
2009-01-27 10:07 ` Yasuyuki KOZAKAI
[not found] ` <200901231110.n0NBAR7Z000645@toshiba.co.jp>
2009-01-26 13:11 ` [PATCH 0/2] IPv6 conntrack support for neighbour discovery Patrick McHardy
2009-01-27 10:09 ` Yasuyuki KOZAKAI
[not found] ` <200901271009.n0RA9d4I025010@toshiba.co.jp>
2009-01-27 10:14 ` Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1232581287.16003.47.camel@ice-age \
--to=eric@inl.fr \
--cc=Marek.Szuba@if.pw.edu.pl \
--cc=kaber@trash.net \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=vstinner@inl.fr \
--cc=yasuyuki.kozakai@toshiba.co.jp \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).