From: Christian Hesse <list@eworm.de>
To: netfilter@vger.kernel.org
Subject: IPv6 connection tracking mDNS
Date: Thu, 23 May 2013 12:58:52 +0200 [thread overview]
Message-ID: <20130523125852.591af01c@leda> (raw)
[-- Attachment #1: Type: text/plain, Size: 1655 bytes --]
Hello everybody,
I have problems with my IPv6 firewall concerning connection tracking and
mDNS. This is part of the rules:
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -s fe80::/64 -d ff02::fb -p udp -j LOG --log-prefix "DEBUG1: "
-A INPUT -s fe80::/64 -d ff02::fb -p udp --dport 5353 -j ACCEPT
[...]
-A INPUT -j LOG --log-prefix "DEBUG2: "
-A INPUT -j REJECT
DEBUG1: IN=en OUT= MAC= SRC=fe80:0000:0000:0000:ea03:9aff:feac:8631
DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=661 TC=0 HOPLIMIT=255
FLOWLBL=0 PROTO=UDP SPT=5353 DPT=5353 LEN=621
DEBUG1: IN=en OUT= MAC= SRC=fe80:0000:0000:0000:ea03:9aff:feac:8631
DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=1496 TC=0 HOPLIMIT=255
FLOWLBL=0 FRAG:0 INCOMPLETE ID:042d5795 PROTO=UDP SPT=5353 DPT=5353 LEN=7378
DEBUG1: IN=en OUT= MAC= SRC=fe80:0000:0000:0000:ea03:9aff:feac:8631
DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=1496 TC=0 HOPLIMIT=255
FLOWLBL=0 FRAG:1448 INCOMPLETE ID:042d5795 PROTO=UDP
DEBUG2: IN=en OUT= MAC= SRC=fe80:0000:0000:0000:ea03:9aff:feac:8631
DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=1496 TC=0 HOPLIMIT=255
FLOWLBL=0 FRAG:1448 INCOMPLETE ID:042d5795 PROTO=UDP
[...]
All following packets are logged twice.
So why is the connection not tracked? I would expect the fragment to belong
to an established connection and accepted.
--
main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/* Chris get my mail address: */=0;b=c[a++];)
putchar(b-1/(/* gcc -o sig sig.c && ./sig */b/42*2-3)*42);}
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 490 bytes --]
next reply other threads:[~2013-05-23 10:58 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-05-23 10:58 Christian Hesse [this message]
2013-05-25 13:43 ` IPv6 connection tracking mDNS Pascal Hambourg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130523125852.591af01c@leda \
--to=list@eworm.de \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox