* netfilter periodically thinks local traffic is FORWARDed
From: Brian J. Murrell @ 2011-07-19 10:51 UTC (permalink / raw)
To: netfilter
I have a router running 2.6.32.27. It has an ip6 interface on it:
# ifconfig sixxs
sixxs     Link encap:IPv6-in-IPv4
          inet6 addr: 2001:1234:f:107::2/64 Scope:Global
          inet6 addr: fe80::a08:1/64 Scope:Link
          inet6 addr: fe80::a4b:16fe/64 Scope:Link
          inet6 addr: fe80::ae8a:d6fb/64 Scope:Link
          inet6 addr: fe80::a4b:16c4/64 Scope:Link
          inet6 addr: fe80::43c1:d6f2/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP  MTU:1280  Metric:1
          RX packets:11962628 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7222926 errors:1393 dropped:0 overruns:0 carrier:1393
          collisions:0 txqueuelen:0
          RX bytes:1568350253 (1.4 GiB)  TX bytes:523325199 (499.0 MiB)
I have ip6tables rules installed (courtesy of Shorewall). It seems,
however, that occasionally netfilter thinks that traffic that is
(supposed to be) local is being forwarded:
Jul 19 06:44:41 10.75.22.196 kernel: Shorewall:FORWARD:REJECT:IN=sixxs OUT=sixxs SRC=2001:1234:000f:0107:0000:0000:0000:0001 DST=2001:1234:000f:0107:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=19746 SEQ=16622
That reject message is being caused by the second to last rule of my
FORWARD chain, after which the packet is "reject"ed:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target      prot opt in      out     source      destination
 536K  243M accounting  all      *       *       ::/0        ::/0
 127K   13M dynamic     all      *       *       ::/0        ::/0        ctstate INVALID,NEW
 274K  219M net2loc     all      sixxs   br-lan  ::/0        ::/0
 256K   24M loc_frwd    all      br-lan  *       ::/0        ::/0
    0     0 ACCEPT      all      *       *       ::/0        ::/0        ctstate RELATED,ESTABLISHED
 6559  682K Reject      all      *       *       ::/0        ::/0
 6559  682K LOG         all      *       *       ::/0        ::/0        LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
 6559  682K reject      all      *       *       ::/0        ::/0        [goto]
The question is of course, given that the DST address in that reject log
message is a local address of the ip6tables machine, why is the packet
being processed by the FORWARD chain?
I have put a "watch" on the interface to see if it's temporarily losing
that address while those packets are being logged and rejected and I
didn't see any evidence of such.
Any other ideas?
Cheers,
b.
* Re: netfilter periodically thinks local traffic is FORWARDed
From: Jan Engelhardt @ 2011-07-19 11:07 UTC (permalink / raw)
To: Brian J. Murrell; +Cc: netfilter
On Tuesday 2011-07-19 12:51, Brian J. Murrell wrote:
>I have a router running 2.6.32.27. It has an ip6 interface on it:
>
># ifconfig sixxs
>sixxs Link encap:IPv6-in-IPv4
> inet6 addr: 2001:1234:f:107::2/64 Scope:Global
> inet6 addr: fe80::a08:1/64 Scope:Link
> inet6 addr: fe80::a4b:16fe/64 Scope:Link
> inet6 addr: fe80::ae8a:d6fb/64 Scope:Link
> inet6 addr: fe80::a4b:16c4/64 Scope:Link
> inet6 addr: fe80::43c1:d6f2/64 Scope:Link
Uh better use `ip addr`.
>I have ip6tables rules installed (courtesy of Shorewall). It seems
>occasionally however that netfilter thinks that traffic that is
>(supposed to be) local is being forwarded:
>
>Jul 19 06:44:41 10.75.22.196 kernel: Shorewall:FORWARD:REJECT:IN=sixxs
>OUT=sixxs SRC=2001:1234:000f:0107:0000:0000:0000:0001
>DST=2001:1234:000f:0107:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=63
>FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=19746 SEQ=16622
Routing determines whether it is forwarded or not - cf.
`ip route show table all`, not Netfilter or Xtables.
>I have put a "watch" on the interface to see if it's temporarily losing
>that address while those packets are being logged and rejected and I
>didn't see any evidence of such.
How do you watch it?
* Re: netfilter periodically thinks local traffic is FORWARDed
From: Brian J. Murrell @ 2011-07-19 20:10 UTC (permalink / raw)
To: netfilter
On 11-07-19 07:07 AM, Jan Engelhardt wrote:
>
> Uh better use `ip addr`.
Sure, next time since your hints helped me resolve this issue.
> Routing determines whether it is forwarded or not - cf.
> `ip route show table all`, not Netfilter or Xtables.
Makes sense. That drove me to look closer at the routing tables, and
it seemed that the scripts that bring up the ipv6 interface didn't plumb
a local route, so I restarted the interface and it seems to be there now.
Thanx for the friendly poke in the right direction. It was all I needed
to figure out the problem.
b.
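The two points the thread turns on (Jan's: the routing decision, not ip6tables, picks INPUT versus FORWARD, so look at `ip route show table all`; Brian's: the interface scripts had not plumbed the local route for the tunnel address) can be turned into a routine check. The script below is an added example, not code from the thread, from Shorewall or from iproute2: it lists every global-scope IPv6 address on an interface and flags any that has no `local` entry in `ip -6 route show table local`. Without that entry the kernel routes a packet for the box's own address through the main table, typically back out the connected /64, which is consistent with the `IN=sixxs OUT=sixxs` in the logged reject. The embedded `ip` output is constructed to mirror the thread's addresses; the function and variable names are mine, and `check_iface` runs the real commands only when `ip` is present.

```shell
#!/bin/sh
# Added example, not from the thread. Checks that each global-scope IPv6
# address on an interface has a matching "local" route in the kernel's local
# table. Without that route the kernel routes packets for the address via the
# main table, so they traverse the FORWARD chain instead of INPUT, which is
# the symptom behind the Shorewall:FORWARD:REJECT log line.

# Constructed sample of `ip -6 addr show dev sixxs` (modelled on the thread's
# addresses; not real output from the poster's router)
SAMPLE_ADDRS='    inet6 2001:1234:f:107::2/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::a08:1/64 scope link
       valid_lft forever preferred_lft forever'

# Constructed sample of `ip -6 route show table local` with the local route
# for 2001:1234:f:107::2 missing (the failure mode from the thread)
SAMPLE_LOCAL_BROKEN='local ::1 dev lo proto kernel metric 0 pref medium
local fe80::a08:1 dev sixxs proto kernel metric 0 pref medium
ff00::/8 dev sixxs metric 256 pref medium'

# Constructed sample of the same table after the interface came up correctly
SAMPLE_LOCAL_OK='local ::1 dev lo proto kernel metric 0 pref medium
local 2001:1234:f:107::2 dev sixxs proto kernel metric 0 pref medium
local fe80::a08:1 dev sixxs proto kernel metric 0 pref medium
ff00::/8 dev sixxs metric 256 pref medium'

# global_addrs ADDR_OUTPUT: print each global-scope address, prefix length
# stripped, one per line
global_addrs() {
    printf '%s\n' "$1" | awk '
        $1 == "inet6" && $3 == "scope" && $4 == "global" {
            split($2, p, "/"); print p[1]
        }'
}

# missing_local_routes ADDR_OUTPUT ROUTE_OUTPUT: print every global address
# that has no "local <addr> ..." line in the local table; prints nothing
# when all of them are present
missing_local_routes() {
    for a in $(global_addrs "$1"); do
        if ! printf '%s\n' "$2" | awk -v a="$a" '
                $1 == "local" && $2 == a { found = 1 }
                END { if (found) exit 0; exit 1 }'; then
            echo "$a"
        fi
    done
}

# check_iface DEV: run the real commands; status 0 when every global address
# on DEV has its local route, 1 when one is missing, 2 if ip(8) is absent
check_iface() {
    command -v ip >/dev/null 2>&1 || { echo "ip(8) not found" >&2; return 2; }
    missing=$(missing_local_routes "$(ip -6 addr show dev "$1")" \
                                   "$(ip -6 route show table local)")
    if [ -n "$missing" ]; then
        echo "no local route for: $missing (packets to these will hit FORWARD)" >&2
        return 1
    fi
    echo "all global addresses on $1 have local routes"
}

# Usage: sh check_local_routes.sh sixxs
if [ $# -gt 0 ]; then
    check_iface "$1"
fi
```

A quicker one-off check for a single address is `ip -6 route get <addr>`, whose first word is `local` when the address will be delivered to the host itself; the script above is for running from cron or an interface post-up hook so the missing route is noticed before the reject log fills up.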