* IPv6 connection tracking mDNS
@ 2013-05-23 10:58 Christian Hesse
2013-05-25 13:43 ` Pascal Hambourg
0 siblings, 1 reply; 2+ messages in thread
From: Christian Hesse @ 2013-05-23 10:58 UTC (permalink / raw)
To: netfilter
[-- Attachment #1: Type: text/plain, Size: 1655 bytes --]
Hello everybody,
I have problems with my IPv6 firewall concerning connection tracking and
mDNS. This is part of the rules:
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -s fe80::/64 -d ff02::fb -p udp -j LOG --log-prefix "DEBUG1: "
-A INPUT -s fe80::/64 -d ff02::fb -p udp --dport 5353 -j ACCEPT
[...]
-A INPUT -j LOG --log-prefix "DEBUG2: "
-A INPUT -j REJECT
DEBUG1: IN=en OUT= MAC= SRC=fe80:0000:0000:0000:ea03:9aff:feac:8631
DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=661 TC=0 HOPLIMIT=255
FLOWLBL=0 PROTO=UDP SPT=5353 DPT=5353 LEN=621
DEBUG1: IN=en OUT= MAC= SRC=fe80:0000:0000:0000:ea03:9aff:feac:8631
DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=1496 TC=0 HOPLIMIT=255
FLOWLBL=0 FRAG:0 INCOMPLETE ID:042d5795 PROTO=UDP SPT=5353 DPT=5353 LEN=7378
DEBUG1: IN=en OUT= MAC= SRC=fe80:0000:0000:0000:ea03:9aff:feac:8631
DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=1496 TC=0 HOPLIMIT=255
FLOWLBL=0 FRAG:1448 INCOMPLETE ID:042d5795 PROTO=UDP
DEBUG2: IN=en OUT= MAC= SRC=fe80:0000:0000:0000:ea03:9aff:feac:8631
DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=1496 TC=0 HOPLIMIT=255
FLOWLBL=0 FRAG:1448 INCOMPLETE ID:042d5795 PROTO=UDP
[...]
All following packets are logged twice.
So why is the connection not tracked? I would expect the fragment to belong
to an established connection and accepted.
--
main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/* Chris get my mail address: */=0;b=c[a++];)
putchar(b-1/(/* gcc -o sig sig.c && ./sig */b/42*2-3)*42);}
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 490 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: IPv6 connection tracking mDNS
2013-05-23 10:58 IPv6 connection tracking mDNS Christian Hesse
@ 2013-05-25 13:43 ` Pascal Hambourg
0 siblings, 0 replies; 2+ messages in thread
From: Pascal Hambourg @ 2013-05-25 13:43 UTC (permalink / raw)
To: Christian Hesse; +Cc: netfilter
Hello,
Christian Hesse a écrit :
>
> I have problems with my IPv6 firewall concerning connection tracking and
> mDNS. This is part of the rules:
>
> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -m conntrack --ctstate INVALID -j DROP
> -A INPUT -s fe80::/64 -d ff02::fb -p udp -j LOG --log-prefix "DEBUG1: "
> -A INPUT -s fe80::/64 -d ff02::fb -p udp --dport 5353 -j ACCEPT
> [...]
> -A INPUT -j LOG --log-prefix "DEBUG2: "
> -A INPUT -j REJECT
>
> So why is the connection not tracked? I would expect the fragment to belong
> to an established connection and accepted.
mDNS uses multicast, and AFAIK netfilter connection tracking does not
(yet ?) handle multicast because the source/destination addresses in the
reply packet do not match those in the request packet, so it does not
qualify as a "connection" by the conntrack standards.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2013-05-25 13:43 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-05-23 10:58 IPv6 connection tracking mDNS Christian Hesse
2013-05-25 13:43 ` Pascal Hambourg
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox