* NFCT filter and IPv6
@ 2012-07-17 21:11 Eric Leblond
From: Eric Leblond @ 2012-07-17 21:11 UTC (permalink / raw)
To: netfilter-devel
Hello,
I was working on ulogd2 and getting mad with connection filtering in
IPv6 (IPv4 being ok). After analysis, it seems there is a problem.
I've modified the conntrack_filter in utils by applying the following
patch. It does nothing but inverting the logic of filtering and adding
filtering to destination.
If I do:
$ telnet 2::1
then
root@tiger:/home/eric/git/netfilter/libnetfilter_conntrack/utils# ./conntrack_filter
TEST: waiting for 10 events...
[UPDATE] tcp 6 432000 ESTABLISHED src=2::1 dst=2::1 sport=35738 dport=22 src=2::1 dst=2::1 sport=22 dport=35738 [ASSURED]
Am I missing something?
Kernel is a 3.4.0:
Linux tiger 3.4.0-netfilter #22 SMP Sat Jul 14 21:39:33 CEST 2012 x86_64 GNU/Linux
BR,
--
Eric Leblond
Blog: http://home.regit.org/ - Portfolio: http://regit.500px.com/
[-- Attachment #1.2: 0001-Modify-IPv6-logic.patch --]
[-- Type: text/x-patch, Size: 928 bytes --]
From 5ec3879993c502f808d78c750f585555a0cd3014 Mon Sep 17 00:00:00 2001
From: Eric Leblond <eric@regit.org>
Date: Tue, 17 Jul 2012 23:04:46 +0200
Subject: [PATCH] Modify IPv6 logic
---
utils/conntrack_filter.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/utils/conntrack_filter.c b/utils/conntrack_filter.c
index a3eeebc..cfde5d4 100644
--- a/utils/conntrack_filter.c
+++ b/utils/conntrack_filter.c
@@ -74,9 +74,10 @@ int main(void)
/* ignore whatever that comes from ::1 (loopback) */
nfct_filter_set_logic(filter,
NFCT_FILTER_SRC_IPV6,
- NFCT_FILTER_LOGIC_NEGATIVE);
+ NFCT_FILTER_LOGIC_POSITIVE);
nfct_filter_add_attr(filter, NFCT_FILTER_SRC_IPV6, &filter_ipv6);
+ nfct_filter_add_attr(filter, NFCT_FILTER_DST_IPV6, &filter_ipv6);
if (nfct_filter_attach(nfct_fd(h), filter) == -1) {
perror("nfct_filter_attach");
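Review bot: the comment at the top of the hunk, `/* ignore whatever that comes from ::1 (loopback) */`, no longer describes the code once the logic is switched from NFCT_FILTER_LOGIC_NEGATIVE to NFCT_FILTER_LOGIC_POSITIVE: with positive logic the filter keeps only the events that match filter_ipv6 instead of ignoring them, so either update the comment or say in the commit message (whose body is empty here) that this is a debugging patch that deliberately inverts the example. The added `nfct_filter_add_attr(filter, NFCT_FILTER_DST_IPV6, &filter_ipv6);` has no matching nfct_filter_set_logic() call for NFCT_FILTER_DST_IPV6, so the destination side relies on whatever the library's default logic is; set it explicitly next to the SRC_IPV6 call so both directions are filtered the same way.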
--
1.7.10.4
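The filter semantics Eric is exercising above, as an added example that is not from the original post and not libnetfilter_conntrack's own code: a tiny classic-BPF-style program that compares a 128-bit IPv6 address word by word against a constant, with positive or negative logic, plus an interpreter to run it against constructed events. The event layout (8 bytes of header, source address at offset 8, destination at offset 24) and the three-opcode instruction set are assumptions chosen for the demo, not the netlink message format the library actually filters. The point is the check a practitioner would want before trusting a generated filter: feed it events from ::1, 2::1 and ::2 and confirm that a negative ::1 filter lets 2::1 through and that addresses differing only in the last word are still told apart.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Minimal classic-BPF-style instruction set: load a 32-bit word at an
 * offset, compare it with a constant, return. Jump targets are relative
 * to the following instruction, as in cBPF. (Demo assumption, not the
 * library's generator.) */
enum { OP_LD_W, OP_JEQ, OP_RET };

struct insn {
    uint8_t  op;
    uint8_t  jt;   /* jump if equal */
    uint8_t  jf;   /* jump if not equal */
    uint32_t k;    /* offset (LD), constant (JEQ) or return value (RET) */
};

/* Same meaning as NFCT_FILTER_LOGIC_POSITIVE / _NEGATIVE in the post:
 * positive keeps events that match, negative keeps events that do not. */
enum filter_logic { LOGIC_POSITIVE, LOGIC_NEGATIVE };

#define PROG_LEN 10  /* 4 x (LD, JEQ) + RET "equal" + RET "differs" */

/* Emit a program comparing the 16-byte address at addr_off with addr.
 * An IPv6 address is four 32-bit words, so one LD/JEQ pair per word: a
 * mismatch in any word jumps to the "differs" exit at index 9, a full
 * match falls through to the "equal" exit at index 8. */
static int build_ipv6_filter(struct insn *prog, uint32_t addr_off,
                             const struct in6_addr *addr,
                             enum filter_logic logic)
{
    int n = 0;
    for (int i = 0; i < 4; i++) {
        uint32_t word;
        memcpy(&word, &addr->s6_addr[4 * i], 4);
        prog[n++] = (struct insn){ OP_LD_W, 0, 0, addr_off + 4 * i };
        /* the instruction after this JEQ is at n + 1; "differs" is at 9 */
        prog[n] = (struct insn){ OP_JEQ, 0, (uint8_t)(9 - (n + 1)), ntohl(word) };
        n++;
    }
    prog[n++] = (struct insn){ OP_RET, 0, 0, logic == LOGIC_POSITIVE ? 1 : 0 };
    prog[n++] = (struct insn){ OP_RET, 0, 0, logic == LOGIC_POSITIVE ? 0 : 1 };
    return n;
}

/* Run the program over a message. Returns the RET value (1 = event passes,
 * 0 = dropped) or -1 on an out-of-bounds load or a program that falls off
 * the end, so a broken generator is reported rather than silently accepted. */
static int run_filter(const struct insn *prog, int len,
                      const uint8_t *msg, size_t msg_len)
{
    uint32_t acc = 0;
    int pc = 0;
    while (pc < len) {
        const struct insn *in = &prog[pc++];
        switch (in->op) {
        case OP_LD_W:
            if ((size_t)in->k + 4 > msg_len)
                return -1;
            memcpy(&acc, msg + in->k, 4);
            acc = ntohl(acc);          /* cBPF loads words big-endian */
            break;
        case OP_JEQ:
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case OP_RET:
            return (int)in->k;
        }
    }
    return -1;
}

/* Constructed event layout for this demo (an assumption, not the netlink
 * format): 8 bytes of header, then src (16 bytes), then dst (16 bytes). */
#define SRC_OFF 8
#define DST_OFF 24
#define MSG_LEN 40

/* Build an event with the given src/dst, compile a filter on the source
 * address and report whether the event passes; -1 on unparsable input. */
static int event_passes(const char *src, const char *dst,
                        const char *filter_addr, enum filter_logic logic)
{
    uint8_t msg[MSG_LEN] = { 0 };
    struct in6_addr a;
    struct insn prog[PROG_LEN];

    if (inet_pton(AF_INET6, src, &msg[SRC_OFF]) != 1 ||
        inet_pton(AF_INET6, dst, &msg[DST_OFF]) != 1 ||
        inet_pton(AF_INET6, filter_addr, &a) != 1)
        return -1;
    int len = build_ipv6_filter(prog, SRC_OFF, &a, logic);
    return run_filter(prog, len, msg, sizeof msg);
}

int main(void)
{
    /* Eric's scenario: ignore loopback, then an event from 2::1 */
    printf("negative ::1, src 2::1 -> %d\n", event_passes("2::1", "2::1", "::1", LOGIC_NEGATIVE));
    printf("negative ::1, src ::1  -> %d\n", event_passes("::1", "::1", "::1", LOGIC_NEGATIVE));
    /* ::1 and ::2 differ only in the last word: all four words must be checked */
    printf("positive ::1, src ::2  -> %d\n", event_passes("::2", "::2", "::1", LOGIC_POSITIVE));
    return 0;
}
```

Swapping the constructed layout for the real one is the only change needed to turn this into a regression test for a generated filter: run the program over captured event messages and assert on the verdict rather than on what the listener happens to print.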
* Re: NFCT filter and IPv6
@ 2012-07-25 11:16 ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2012-07-25 11:16 UTC (permalink / raw)
To: Eric Leblond; +Cc: netfilter-devel
Hi Eric,
On Tue, Jul 17, 2012 at 11:11:09PM +0200, Eric Leblond wrote:
> Hello,
>
> I was working on ulogd2 and getting mad with connection filtering in
> IPv6 (IPv4 being ok). After analysis, it seems there is a problem.
>
> I've modified the conntrack_filter in utils by applying the following
> patch. It does nothing but inverting the logic of filtering and adding
> filtering to destination.
>
> If I do:
>
> $ telnet 2::1
>
> then
>
> root@tiger:/home/eric/git/netfilter/libnetfilter_conntrack/utils# ./conntrack_filter
> TEST: waiting for 10 events...
> [UPDATE] tcp 6 432000 ESTABLISHED src=2::1 dst=2::1 sport=35738 dport=22 src=2::1 dst=2::1 sport=22 dport=35738 [ASSURED]
>
> Am I missing something?
It's a bug in libnetfilter_conntrack autogenerated BPF code to filter IPv6.
This should fix it:
http://git.netfilter.org/cgi-bin/gitweb.cgi?p=libnetfilter_conntrack.git;a=commit;h=4b6df760e3b19ec522b66cbbb5b280fec7c0405b
The changelog provides some details. I've tested it here, works for
me.