Bug#612714: netfilter: fails to match state of IPv6 connections
Package: linux-2.6
Version: 2.6.32-30
Severity: normal
Tags: upstream ipv6

I tested this only by filtering bridged traffic.

How to repeat:

1. Set the IPv6 FORWARD default policy to DROP.
2. Add this rule:
   ip6tables -A FORWARD -j ACCEPT
3. This way, the packets (neighbor discovery, ICMP ping ...) are not dropped.
4. We delete the previous rule and add this one:
   ip6tables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
5. The IPv6 packets, which should be forwarded, are now dropped.

For the record: if I test this with Lenny, the packets are forwarded if I match INVALID packets and accept them. In Squeeze even this doesn't seem to work.

-- Package-specific info:
** Version:
Linux version 2.6.32-5-amd64 (Debian 2.6.32-30) (ben@decadent.org.uk) (gcc version 4.3.5 (Debian 4.3.5-4) ) #1 SMP Wed Jan 12 03:40:32 UTC 2011

** Command line:
BOOT_IMAGE=/boot/vmlinuz-2.6.32-5-amd64 root=UUID=588f1832-95bb-4ea9-983e-f7fd257ddf70 ro quiet

Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/1 CPU core)

-- debconf information:
  linux-image-2.6.32-5-amd64/postinst/ignoring-do-bootloader-2.6.32-5-amd64:
  linux-image-2.6.32-5-amd64/postinst/depmod-error-initrd-2.6.32-5-amd64: false
  linux-image-2.6.32-5-amd64/prerm/removing-running-kernel-2.6.32-5-amd64: true
  linux-image-2.6.32-5-amd64/postinst/missing-firmware-2.6.32-5-amd64:

Archive: http://lists.debian.org/4D538E15.8090901@skoberne.net
Bug#612714: netfilter: fails to match state of IPv6 connections
On 10 Feb 2011 08:04, Nejc Škoberne wrote:
> I tested this only by filtering bridged traffic.
> 5. The IPv6 packets, which should be forwarded, are now dropped.

ICMP ping packets match the RELATED state; other ICMP types might not match any state.

In this example, eth0 can be considered as Internet and eth1 as LAN.

Allow all connections from eth1 to other interfaces:

  -A FORWARD -m physdev --physdev-in eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

Use this to allow all ICMPv6 packets from eth1 to other interfaces, this includes:

  -A FORWARD -p ipv6-icmp -m physdev --physdev-in eth1 -j ACCEPT

Use this command to allow only related and established connections from eth0 to other interfaces:

  -A FORWARD -m physdev --physdev-in eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

Use this to allow Neighbour Advertisement/Solicitation (type 136/135) (ARP in IPv4) from eth0 to other interfaces:

  -A FORWARD -m physdev --physdev-in eth0 -p ipv6-icmp -m icmpv6 --icmpv6-type 136 -j ACCEPT
  -A FORWARD -m physdev --physdev-in eth0 -p ipv6-icmp -m icmpv6 --icmpv6-type 135 -j ACCEPT
  -A FORWARD -j LOG
  -A FORWARD -j DROP

List of ICMPv6 types on Wikipedia: http://en.wikipedia.org/wiki/ICMPv6

Atle.

Archive: http://lists.debian.org/4D54016D.6010000@goliathdns.no
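The script below is an added example and is not part of the bug report or of Atle's reply. It writes Atle's bridged-firewall ruleset (eth0 = Internet, eth1 = LAN, as in his post) in ip6tables-restore format, writes next to it the FORWARD chain from step 4 of the bug report, and runs a small text check over both that flags the failure mode the thread describes: a FORWARD chain with a DROP policy whose only ACCEPT is `-m state --state NEW,ESTABLISHED,RELATED` has no rule that can match Neighbour Solicitation/Advertisement (ICMPv6 types 135/136), because conntrack does not track those messages as a connection, so neighbour resolution across the bridge silently fails. The `-m hl --hl-eq 255` match on the two ND rules goes beyond the post: RFC 4861 requires ND messages to be sent with hop limit 255, so the match rejects ND that has crossed a router and cannot come from an on-link neighbour. Assumptions: bridged frames reach ip6tables at all (the sysctl `net.bridge.bridge-nf-call-ip6tables` is 1, which the `physdev` match also relies on), and the helper names `gen_ruleset`, `gen_bug_ruleset` and `nd_allowed` are mine. The check is a plain-text lint of the file, not a model of the kernel's connection-tracking state machine.

```shell
#!/bin/sh
# Added example (not from the bug report or the reply). Generates the
# bridged-firewall ruleset from the thread as an ip6tables-restore file and
# lints it for the Neighbour Discovery mistake the bug report describes.
set -eu

# Print the corrected ruleset. $1 = Internet-facing bridge port, $2 = LAN port.
gen_ruleset() {
    wan=$1
    lan=$2
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# LAN -> anywhere: new and tracked connections, and any ICMPv6
-A FORWARD -m physdev --physdev-in $lan -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m physdev --physdev-in $lan -p ipv6-icmp -j ACCEPT
# Internet -> LAN: only traffic belonging to a tracked connection ...
-A FORWARD -m physdev --physdev-in $wan -m state --state RELATED,ESTABLISHED -j ACCEPT
# ... plus Neighbour Solicitation/Advertisement (135/136), which conntrack
# never reports as NEW, ESTABLISHED or RELATED. The hop-limit check is an
# addition beyond the post: RFC 4861 ND always carries hop limit 255.
-A FORWARD -m physdev --physdev-in $wan -p ipv6-icmp -m icmpv6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A FORWARD -m physdev --physdev-in $wan -p ipv6-icmp -m icmpv6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A FORWARD -j LOG --log-prefix "ip6-fwd-drop: "
-A FORWARD -j DROP
COMMIT
EOF
}

# The FORWARD chain from step 4 of the bug report: DROP policy, state-only ACCEPT.
gen_bug_ruleset() {
    cat <<'EOF'
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# nd_allowed FILE IFACE: return 0 if FILE accepts both ICMPv6 type 135 and 136
# arriving on IFACE in FORWARD before the first unconditional DROP, else 1.
# A rule counts only if it is not a -m state/conntrack match: state-only rules
# never see ND as NEW/ESTABLISHED/RELATED, which is the bug in the report.
nd_allowed() {
    awk -v iface="$2" '
        function on_iface(l) {
            return l !~ /--physdev-in/ || index(l " ", "--physdev-in " iface " ")
        }
        /^-A FORWARD .*-j ACCEPT/ && on_iface($0) {
            stateful = ($0 ~ /--state|--ctstate/)
            if (!stateful && $0 !~ /(^| )-p /) { sol = adv = 1 }        # accepts everything
            if (!stateful && $0 ~ /-p ipv6-icmp/ && $0 !~ /--icmpv6-type/) { sol = adv = 1 }
            if ($0 ~ /--icmpv6-type 135( |$)/) sol = 1
            if ($0 ~ /--icmpv6-type 136( |$)/) adv = 1
        }
        /^-A FORWARD -j DROP/ { exit }
        END { exit !(sol && adv) }
    ' "$1"
}

good=$(mktemp)
bad=$(mktemp)
gen_ruleset eth0 eth1 > "$good"
gen_bug_ruleset > "$bad"
for f in "$bad" "$good"; do
    if nd_allowed "$f" eth0; then
        echo "$f: Neighbour Discovery from eth0 is accepted"
    else
        echo "$f: Neighbour Discovery from eth0 would be DROPPED"
    fi
done
# As root, check the syntax with 'ip6tables-restore --test < FILE' (on iptables
# versions that have --test) before loading it with 'ip6tables-restore < FILE'.
rm -f "$good" "$bad"
```

Run it as an ordinary user to see the lint verdict for both files; loading the generated ruleset needs root and a kernel where bridged traffic is passed to ip6tables, otherwise the FORWARD chain never sees the frames and the physdev match has nothing to inspect.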