* Matching MLD with ip6tables
From: Linus Lüssing @ 2015-05-01 2:56 UTC
To: netfilter-devel
Hi,
According to RFC4890 ("Recommendations for Filtering ICMPv6
Messages in Firewalls"), page 35, a rule like this should match
MLD packets:
$ ip6tables -A icmpv6-filter -p icmpv6 --icmpv6-type {130,131,132,143} ...
However, this does not seem to work for me. My guess is that it
does not match because --protocol is not 'icmpv6' but actually
the hop-by-hop-option first. Is this a bug in the RFC (and if so,
should I report it on some IETF mailing list?)?
Also, is there a way to somehow match IPv6 protocols with IPv6
options in between?
Cheers, Linus
* Re: Matching MLD with ip6tables
From: Jan Engelhardt @ 2015-05-01 6:33 UTC
To: Linus Lüssing; +Cc: netfilter-devel
On Friday 2015-05-01 04:56, Linus Lüssing wrote:
>
>According to RFC4890 ("Recommendations for Filtering ICMPv6
>Messages in Firewalls"), page 35, a rule like this should match
>MLD packets:
>
>$ ip6tables -A icmpv6-filter -p icmpv6 --icmpv6-type {130,131,132,143} ...
>
>However, this does not seem to work for me. My guess is that it
>does not match because --protocol is not 'icmpv6' but actually
>the hop-by-hop-option first.
>Also, is there a way to somehow match IPv6 protocols with IPv6
>options in between?
-p matches the first non-extension header. For the
exthdrs, there is e.g. -m hbh.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
* Re: Matching MLD with ip6tables
From: Linus Lüssing @ 2015-05-02 8:58 UTC
To: Jan Engelhardt; +Cc: netfilter-devel, Matthias Schiffer
On Fri, May 01, 2015 at 08:33:03AM +0200, Jan Engelhardt wrote:
>
> On Friday 2015-05-01 04:56, Linus Lüssing wrote:
> >
> >According to RFC4890 ("Recommendations for Filtering ICMPv6
> >Messages in Firewalls"), page 35, a rule like this should match
> >MLD packets:
> >
> >$ ip6tables -A icmpv6-filter -p icmpv6 --icmpv6-type {130,131,132,143} ...
> >
> >However, this does not seem to work for me. My guess is that it
> >does not match because --protocol is not 'icmpv6' but actually
> >the hop-by-hop-option first.
> >Also, is there a way to somehow match IPv6 protocols with IPv6
> >options in between?
>
> -p matches the first non-extension header. For the
> exthdrs, there is e.g. -m hbh.
You're right, I had made a wrong assumption about ip6tables... It
wasn't ip6tables incapabilities but a bug in OpenWRT which set a
default ICMPv6 code of 255 instead of 0 when not specifying it
next to the ICMPv6 type in its config. Thanks for your help!
Awesome that ip6tables is that smart :).
Cheers, Linus
* Re: Matching MLD with ip6tables
From: Linus Lüssing @ 2015-06-16 5:45 UTC
To: Jan Engelhardt; +Cc: netfilter-devel
On Fri, May 01, 2015 at 08:33:03AM +0200, Jan Engelhardt wrote:
> -p matches the first non-extension header. For the
> exthdrs, there is e.g. -m hbh.
Just to check, I guess ebtables is behaving similarly?
For instance
"ebtables -I <CHAIN> -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type 130"
will match MLD queries?
And "-p IPv6 --ip6-proto 0" will *not* match packets with a
hop-by-hop header?
To match extension headers on a bridge
ip6tables/physdev/bridge-nf-call-ip6tables is the only way, right?
Cheers, Linus
PS: Thanks for the quick reply back then, helped me a lot!
* Re: Matching MLD with ip6tables
From: Jan Engelhardt @ 2015-06-16 7:17 UTC
To: Linus Lüssing; +Cc: netfilter-devel
On Tuesday 2015-06-16 07:45, Linus Lüssing wrote:
>On Fri, May 01, 2015 at 08:33:03AM +0200, Jan Engelhardt wrote:
>> -p matches the first non-extension header. For the
>> exthdrs, there is e.g. -m hbh.
>
>Just to check, I guess ebtables is behaving similarly?
Since Ethernet does not define any "Extension Headers",
-p matches the one and only Protocol field there is,
and it will be IPv6 if you say -p ipv6.
>And "-p IPv6 --ip6-proto 0" will *not* match packets with a
>hop-by-hop header?
That's a hard one, because the userspace tools were once written with
the assumption that 0 means "ANY". And then IANA used that value. D'oh.
* Re: Matching MLD with ip6tables
From: Linus Lüssing @ 2015-06-16 14:52 UTC
To: Jan Engelhardt; +Cc: netfilter-devel
On Tue, Jun 16, 2015 at 09:17:26AM +0200, Jan Engelhardt wrote:
> On Tuesday 2015-06-16 07:45, Linus Lüssing wrote:
>
> >On Fri, May 01, 2015 at 08:33:03AM +0200, Jan Engelhardt wrote:
> >> -p matches the first non-extension header. For the
> >> exthdrs, there is e.g. -m hbh.
> >
> >Just to check, I guess ebtables is behaving similarly?
>
> Since Ethernet does not define any "Extension Headers",
> -p matches the one and only Protocol field there is,
> and it will be IPv6 if you say -p ipv6.
Was more wondering whether ebtables's "--ip6-proto"
behaves similarly to ip6tables "--protocol" ;). But okay :).
>
>
> >And "-p IPv6 --ip6-proto 0" will *not* match packets with a
> >hop-by-hop header?
>
> That's a hard one, because the userspace tools were once written with
> the assumption that 0 means "ANY". And then IANA used that value. D'oh.
Urgh :D. Anyways, I think I could verify in the kernel code that
ebtables and ip6tables behave similarly, ebtables too seems to skip
any extension header by calling ipv6_skip_exthdr():
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/net/bridge/netfilter/ebt_ip6.c#n63
Cheers, Linus
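Added example, not code from the thread and not netfilter's or ebtables' own code: a small Python model of the two points made above, Jan's answer that "-p matches the first non-extension header" and Linus's finding that ebt_ip6.c skips extension headers with ipv6_skip_exthdr(). An MLD packet's base IPv6 header carries Next Header 0 (Hop-by-Hop, for the Router Alert option), so 58 (ICMPv6) only appears once the extension-header chain has been walked; that walk is why the RFC 4890 rule with "-p icmpv6 --icmpv6-type 130/131/132/143" does match, and the separate code field is why a rule generated with ICMPv6 code 255 (the OpenWRT default Linus hit) silently matches nothing, since real MLD messages carry code 0. The packet is a constructed MLDv2 Report; the function names (skip_exthdr, icmpv6_match, hbh_options, build_mldv2_report) are this example's own, and hbh_options is only a loose stand-in for what "-m hbh --hbh-opts" inspects.

```python
# Added example (not from the thread, not netfilter/ebtables code): model the
# extension-header walk behind ip6tables '-p' and ebtables '--ip6-proto', then
# apply an '--icmpv6-type TYPE[/CODE]' match to a constructed MLDv2 Report.
import socket
import struct

# IPv6 Next Header values (IANA protocol numbers)
NEXTHDR_HOP, NEXTHDR_ROUTING, NEXTHDR_FRAGMENT = 0, 43, 44
NEXTHDR_AUTH, NEXTHDR_ICMPV6, NEXTHDR_DEST = 51, 58, 60
EXT_HEADERS = {NEXTHDR_HOP, NEXTHDR_ROUTING, NEXTHDR_FRAGMENT, NEXTHDR_AUTH, NEXTHDR_DEST}


def skip_exthdr(pkt):
    """Walk the extension-header chain like the kernel's ipv6_skip_exthdr() and
    return (upper_protocol, offset). Non-first fragments are not special-cased."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    nexthdr, off = pkt[6], 40
    while nexthdr in EXT_HEADERS and off + 2 <= len(pkt):
        nh, ext_len = pkt[off], pkt[off + 1]
        if nexthdr == NEXTHDR_FRAGMENT:
            hdrlen = 8                  # fixed size; the length byte is reserved
        elif nexthdr == NEXTHDR_AUTH:
            hdrlen = (ext_len + 2) * 4  # AH length is counted in 32-bit words
        else:
            hdrlen = (ext_len + 1) * 8  # HBH/Routing/DestOpts in 8-byte units
        nexthdr, off = nh, off + hdrlen
    return nexthdr, off


def icmpv6_match(pkt, icmpv6_type, icmpv6_code=None):
    """Emulate 'ip6tables -p icmpv6 --icmpv6-type TYPE[/CODE]': the protocol is
    the first non-extension header, not the base header's Next Header."""
    proto, off = skip_exthdr(pkt)
    if proto != NEXTHDR_ICMPV6 or off + 2 > len(pkt):
        return False
    typ, code = pkt[off], pkt[off + 1]
    return typ == icmpv6_type and (icmpv6_code is None or code == icmpv6_code)


def hbh_options(pkt):
    """Loose stand-in for '-m hbh --hbh-opts': non-padding option types in a
    leading Hop-by-Hop header, [] if Next Header is not 0. MLD uses Router Alert (5)."""
    if pkt[6] != NEXTHDR_HOP:
        return []
    end, i, opts = 40 + (pkt[41] + 1) * 8, 42, []
    while i < end:
        otype = pkt[i]
        if otype == 0:                  # Pad1: a single byte, no length field
            i += 1
            continue
        if otype != 1:                  # skip PadN, keep real options
            opts.append(otype)
        i += 2 + pkt[i + 1]
    return opts


def icmpv6_checksum(src, dst, payload):
    """ICMPv6 checksum over the IPv6 pseudo-header (RFC 8200, section 8.1)."""
    data = src + dst + struct.pack("!I3xB", len(payload), NEXTHDR_ICMPV6) + payload
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_mldv2_report(with_hbh=True, code=0):
    """Constructed sample: MLDv2 Report (type 143) fe80::1 -> ff02::16, one
    CHANGE_TO_EXCLUDE record for ff02::1:3, optionally behind Hop-by-Hop + Router Alert."""
    src = socket.inet_pton(socket.AF_INET6, "fe80::1")
    dst = socket.inet_pton(socket.AF_INET6, "ff02::16")
    group = socket.inet_pton(socket.AF_INET6, "ff02::1:3")
    record = struct.pack("!BBH", 4, 0, 0) + group       # type 4, no aux data, 0 sources
    body = struct.pack("!BBHHH", 143, code, 0, 0, 1) + record
    icmp = body[:2] + struct.pack("!H", icmpv6_checksum(src, dst, body)) + body[4:]
    if with_hbh:
        # Next Header 58, Hdr Ext Len 0, Router Alert (type 5, len 2, value 0 = MLD), PadN
        payload, nh = bytes([NEXTHDR_ICMPV6, 0, 5, 2, 0, 0, 1, 0]) + icmp, NEXTHDR_HOP
    else:
        payload, nh = icmp, NEXTHDR_ICMPV6
    return struct.pack("!IHBB", 0x60000000, len(payload), nh, 1) + src + dst + payload


def demo():
    mld = build_mldv2_report()
    return {
        "base_nexthdr": mld[6],                        # 0 (Hop-by-Hop), not 58
        "upper_proto": skip_exthdr(mld),               # (58, 48): what -p icmpv6 tests
        "type_143": icmpv6_match(mld, 143),            # --icmpv6-type 143   -> True
        "type_143_0": icmpv6_match(mld, 143, 0),       # --icmpv6-type 143/0 -> True
        "type_143_255": icmpv6_match(mld, 143, 255),   # OpenWRT's code 255  -> False
        "hbh_opts": hbh_options(mld),                  # [5]: -m hbh --hbh-opts 5 matches
        "without_hbh": icmpv6_match(build_mldv2_report(with_hbh=False), 143),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:13} {value}")
```

The ip6tables equivalents of the checks in demo() are "-p icmpv6 --icmpv6-type 143" (type only, any code), "-p icmpv6 --icmpv6-type 143/0" (the rule OpenWRT should have generated) and "-m hbh --hbh-opts 5 -p icmpv6 --icmpv6-type 143" (additionally require the Router Alert option, since "-p" itself never looks at the Hop-by-Hop header). Whether ebtables' "--ip6-proto 0" can be used to match a Hop-by-Hop header is a separate question, as Jan notes above: the userspace tools historically treated protocol 0 as "any".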