From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
To: netfilter discussion list <netfilter@vger.kernel.org>
Subject: Re: ip6tables icmp conntracking on 2.6.18 vs 2.6.24
Date: Fri, 04 Apr 2008 01:00:39 +0200 [thread overview]
Message-ID: <47F56197.1000504@plouf.fr.eu.org> (raw)
In-Reply-To: <20080403152330.GA15573@piper.oerlikon.madduck.net>
martin f krafft a écrit :
> also sprach Pascal Hambourg <pascal.mail@plouf.fr.eu.org> [2008.04.03.1707 +0200]:
>
>>I'm not sure what you both mean. I tested the IPv6 conntrack on vanilla
>>2.6.20 and 2.6.24 kernels built from kernel.org sources and everything
>>worked as expected :
>
>
> I agree, it works if you don't have INVALID at all, but try:
>
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -m state --state INVALID -j DROP
> -A INPUT -m state --state NEW -j in-new
>
> and this will match echo-requests on my 2.6.24. echo-replies get
> matched by the first rule, but echo-requests should be NEW, not
> INVALID.
>
>
>>I do not see a reason why 2.6.22 would behave differently. Maybe
>>there is something special in Debian kernels ?
>
>
> This bug I see with 2.6.18
Of course, Debian's 2.6.18 does not support IPv6 conntrack.
> and someone else with 2.6.22.
Nicolas ? He just wrote he couldn't reproduce it.
> It's
> a different issue than what this thread is about: that pre-2.6.24
> kernels don't seem to register OUTGOING packets in the connection
> table.
This is higly unlikely IMHO. People would have noticed it.
> Or are you saying that if you ping6 from the machine with the
> iptables rules to somewhere else, the echo-reply gets matched by
> RELATED or ESTABLISHED?
Yes, of course. The outgoing echo request is in the NEW state and the
incoming echo reply is in the ESTABLISHED state. Same with an incoming
echo request.
> Because it certainly does *not* here.
>
> $ ping6 ipv6.aerasec.de(2001:a60:9002:1::184:1) yields:
>
> [INPUT6]: IN=eth2 OUT= MAC=00:16:3e:46:5a:86:00:0e:d6:b8:dc:1b:86:dd
> SRC=2001:0a60:9002:0001:0000:0000:0184:0001
> DST=2001:1620:2004:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=57
> FLOWLBL=0 PROTO=ICMPv6 TYPE=129 CODE=0 ID=34094 SEQ=1
>
> which is logged after falling through the end of the chain and *not*
> being matched by ESTABLISHED,RELATED. Note that the source address
> is the same as the destination address to which I sent the
> echo-request.
There must be something wrong with your kernel.
Here is what I get :
[NEW] IN= OUT=eth2 SRC=2001:07a8:6d23:####
DST=2001:0a60:9002:0001:0000:0000:0184:0001 LEN=104 TC=0 HOPLIMIT=64
FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=55565 SEQ=1
[ESTAB] IN=eth2 OUT= MAC=####
SRC=2001:0a60:9002:0001:0000:0000:0184:0001 DST=2001:07a8:6d23:####
LEN=104 TC=0 HOPLIMIT=53 FLOWLBL=0 PROTO=ICMPv6 TYPE=129 CODE=0 ID=55565
SEQ=1
with the following test ruleset :
ip6tables -t mangle -N logstate
ip6tables -t mangle -A logstate -m state --state NEW -j LOG \
--log-prefix "[NEW] "
ip6tables -t mangle -A logstate -m state --state ESTABLISHED -j LOG \
--log-prefix "[ESTAB] "
ip6tables -t mangle -A logstate -m state --state RELATED -j LOG \
--log-prefix "[RELAT] "
ip6tables -t mangle -A logstate -m state --state INVALID -j LOG \
--log-prefix "[INVAL] "
ip6tables -t mangle -A logstate -m state --state UNTRACKED -j LOG \
--log-prefix "[UNTRA] "
ip6tables -t mangle -A PREROUTING -j logstate
ip6tables -t mangle -A OUTPUT -j logstate
next prev parent reply other threads:[~2008-04-03 23:00 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-04-02 21:26 ip6tables icmp conntracking on 2.6.18 vs 2.6.24 martin f krafft
2008-04-02 21:44 ` Petr Pisar
2008-04-02 21:57 ` Jan Engelhardt
2008-04-02 22:05 ` martin f krafft
2008-04-03 8:18 ` martin f krafft
2008-04-03 9:29 ` Pascal Hambourg
2008-04-03 9:36 ` Nicolas KOWALSKI
2008-04-03 10:26 ` martin f krafft
2008-04-03 15:07 ` Pascal Hambourg
2008-04-03 15:23 ` martin f krafft
2008-04-03 23:00 ` Pascal Hambourg [this message]
2008-04-03 23:03 ` Pascal Hambourg
2008-04-04 8:50 ` martin f krafft
2008-04-04 16:19 ` Pascal Hambourg
2008-04-08 13:15 ` martin f krafft
2008-04-03 15:35 ` Nicolas KOWALSKI
2008-04-03 15:38 ` martin f krafft
2008-04-03 15:48 ` Nicolas KOWALSKI
2008-04-04 8:51 ` martin f krafft
2008-04-04 8:57 ` Nicolas KOWALSKI
2008-04-04 11:04 ` martin f krafft
2008-04-04 11:59 ` Nicolas KOWALSKI
2008-04-04 12:39 ` martin f krafft
2008-04-04 17:57 ` Nicolas KOWALSKI
2008-04-03 16:14 ` Jozsef Kadlecsik
2008-04-04 6:22 ` martin f krafft
2008-04-04 9:39 ` Jozsef Kadlecsik
2008-04-04 7:32 ` RFC 4890 (icmpv6 firewall recommendations) and ip6tables (was: ip6tables icmp conntracking on 2.6.18 vs 2.6.24) martin f krafft
2008-04-04 9:12 ` Jozsef Kadlecsik
2008-04-04 11:15 ` martin f krafft
2009-03-11 12:44 ` martin f krafft
2009-03-21 13:43 ` RFC 4890 (icmpv6 firewall recommendations) and ip6tables Chris Hills
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=47F56197.1000504@plouf.fr.eu.org \
--to=pascal.mail@plouf.fr.eu.org \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox