Linux Archive / Debian Kernel: Bug#612714: netfilter: fails to match state of IPv6 connections (http://www.linux-archive.org/debian-kernel/487424-bug-612714-netfilter-fails-match-state-ipv6-connections.html)

Nejc Škoberne 02-10-2011 06:04 AM

Bug#612714: netfilter: fails to match state of IPv6 connections
 
Package: linux-2.6
Version: 2.6.32-30
Severity: normal
Tags: upstream ipv6


I tested this only by filtering bridged traffic.

How to repeat:

1. Set the IPv6 FORWARD default policy to DROP.
2. Add this rule:

ip6tables -A FORWARD -j ACCEPT

3. This way, the packets (neighbor discovery, ICMP ping ...) are not dropped.
4. We delete the previous rule and add this one:

ip6tables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

5. The IPv6 packets which should be forwarded are now dropped.


For the record: if I test this with Lenny, the packets are forwarded if I match INVALID packets and accept them. In Squeeze even this doesn't seem to work.


-- Package-specific info:
** Version:
Linux version 2.6.32-5-amd64 (Debian 2.6.32-30) (ben@decadent.org.uk) (gcc version 4.3.5 (Debian 4.3.5-4) ) #1 SMP Wed Jan 12 03:40:32 UTC 2011

** Command line:
BOOT_IMAGE=/boot/vmlinuz-2.6.32-5-amd64 root=UUID=588f1832-95bb-4ea9-983e-f7fd257ddf70 ro quiet

Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/1 CPU core)

-- debconf information:
linux-image-2.6.32-5-amd64/postinst/ignoring-do-bootloader-2.6.32-5-amd64:
linux-image-2.6.32-5-amd64/postinst/depmod-error-initrd-2.6.32-5-amd64: false
linux-image-2.6.32-5-amd64/prerm/removing-running-kernel-2.6.32-5-amd64: true
linux-image-2.6.32-5-amd64/postinst/missing-firmware-2.6.32-5-amd64:




--
To UNSUBSCRIBE, email to debian-kernel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/4D538E15.8090901@skoberne.net

Atle Solbakken 02-10-2011 02:17 PM

Bug#612714: netfilter: fails to match state of IPv6 connections
 
On 10 Feb 2011 08:04, Nejc Škoberne wrote:

> I tested this only by filtering bridged traffic.

> 5. The IPv6 packets which should be forwarded are now dropped.

ICMP ping packets match the RELATED state; other ICMP types might not
match states.


In this example, eth0 can be considered as Internet and eth1 as LAN.


Allow all connections from eth1 to other interfaces:
-A FORWARD -m physdev --physdev-in eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT



Use this to allow all ICMPv6 packets from eth1 to other interfaces; this includes:

-A FORWARD -p ipv6-icmp -m physdev --physdev-in eth1 -j ACCEPT


Use this command to allow only related and established connections from
eth0 to other interfaces:
-A FORWARD -m physdev --physdev-in eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT



Use this to allow Neighbour advertisement/solicitation (type 136/135)
(ARP in IPv4) from eth0 to other interfaces.
-A FORWARD -m physdev --physdev-in eth0 -p ipv6-icmp -m icmpv6 --icmpv6-type 136 -j ACCEPT
-A FORWARD -m physdev --physdev-in eth0 -p ipv6-icmp -m icmpv6 --icmpv6-type 135 -j ACCEPT



-A FORWARD -j LOG
-A FORWARD -j DROP

List of ICMPv6 types on Wikipedia: http://en.wikipedia.org/wiki/ICMPv6

Atle.


Archive: http://lists.debian.org/4D54016D.6010000@goliathdns.no
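An added example (not code from the bug report, from Atle's reply or from Debian) that plays out both the reporter's five steps and Atle's bridge ruleset on the same sample traffic: a first-match evaluator for the FORWARD rule options used in this thread (-m physdev --physdev-in, -p ipv6-icmp with -m icmpv6 --icmpv6-type, -m state --state, LOG as a non-terminating target) under a DROP policy. The rule lines are quoted from the thread; the sample packets, the interface names eth0/eth1 and the conntrack state given to neighbour discovery are assumptions made for the demonstration.

```python
"""First-match evaluator for the ip6tables FORWARD rules quoted in this thread.

Added illustration, not code from the bug report, Atle's reply or Debian.
It shows why a state-only ACCEPT under a DROP policy drops neighbour
discovery, and how explicit ICMPv6 type rules let it through.
"""
import shlex
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

TERMINATING = {"ACCEPT", "DROP", "REJECT"}   # LOG falls through to the next rule


@dataclass
class Rule:
    physdev_in: Optional[str] = None
    proto: Optional[str] = None
    icmpv6_type: Optional[int] = None
    states: FrozenSet[str] = frozenset()
    target: str = "ACCEPT"


@dataclass
class Packet:
    in_if: str                       # bridge port the frame arrived on
    proto: str                       # "tcp", "udp" or "ipv6-icmp"
    ctstate: str                     # NEW, ESTABLISHED, RELATED or INVALID
    icmpv6_type: Optional[int] = None


def parse_rule(line: str) -> Rule:
    """Parse one '-A FORWARD ... -j TARGET' line in ip6tables-save syntax."""
    toks = shlex.split(line)
    if toks[:2] != ["-A", "FORWARD"] or len(toks) % 2:
        raise ValueError(f"not a FORWARD rule: {line!r}")
    rule = Rule()
    for i in range(2, len(toks), 2):
        opt, arg = toks[i], toks[i + 1]
        if opt == "-m":                 # match module load; its options follow
            continue
        if opt == "--physdev-in":
            rule.physdev_in = arg
        elif opt == "-p":
            rule.proto = arg
        elif opt == "--icmpv6-type":
            rule.icmpv6_type = int(arg)
        elif opt == "--state":
            rule.states = frozenset(arg.split(","))
        elif opt == "-j":
            rule.target = arg
        else:
            raise ValueError(f"unsupported option {opt!r} in {line!r}")
    return rule


def matches(rule: Rule, pkt: Packet) -> bool:
    """All options on a rule are ANDed; an absent option matches anything."""
    if rule.physdev_in is not None and rule.physdev_in != pkt.in_if:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.icmpv6_type is not None and rule.icmpv6_type != pkt.icmpv6_type:
        return False
    if rule.states and pkt.ctstate not in rule.states:
        return False
    return True


def verdict(rules: List[Rule], policy: str, pkt: Packet) -> str:
    """Walk the chain in order; the first terminating match wins, else policy."""
    for rule in rules:
        if matches(rule, pkt) and rule.target in TERMINATING:
            return rule.target
    return policy


# Rulesets quoted from the thread; the FORWARD policy is DROP in every case.
ACCEPT_ALL = ["-A FORWARD -j ACCEPT"]
STATE_ONLY = ["-A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"]
BRIDGE_FW = [
    "-A FORWARD -m physdev --physdev-in eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT",
    "-A FORWARD -p ipv6-icmp -m physdev --physdev-in eth1 -j ACCEPT",
    "-A FORWARD -m physdev --physdev-in eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A FORWARD -m physdev --physdev-in eth0 -p ipv6-icmp -m icmpv6 --icmpv6-type 136 -j ACCEPT",
    "-A FORWARD -m physdev --physdev-in eth0 -p ipv6-icmp -m icmpv6 --icmpv6-type 135 -j ACCEPT",
    "-A FORWARD -j LOG",
    "-A FORWARD -j DROP",
]

# Constructed sample traffic.  Neighbour discovery is given ctstate INVALID
# (an assumption: the reporter says accepting INVALID forwarded it on Lenny);
# what matters is only that it is neither NEW, ESTABLISHED nor RELATED.
SAMPLES: Dict[str, Packet] = {
    "ns-from-eth0": Packet("eth0", "ipv6-icmp", "INVALID", icmpv6_type=135),
    "na-from-eth1": Packet("eth1", "ipv6-icmp", "INVALID", icmpv6_type=136),
    "echo-req-from-eth0": Packet("eth0", "ipv6-icmp", "NEW", icmpv6_type=128),
    "tcp-new-from-eth0": Packet("eth0", "tcp", "NEW"),
    "tcp-new-from-eth1": Packet("eth1", "tcp", "NEW"),
    "tcp-reply-from-eth0": Packet("eth0", "tcp", "ESTABLISHED"),
}


def evaluate(lines: List[str], policy: str = "DROP") -> Dict[str, str]:
    """Verdict for every sample packet under the given ruleset and policy."""
    rules = [parse_rule(line) for line in lines]
    return {name: verdict(rules, policy, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, lines in (("accept-all", ACCEPT_ALL), ("state-only", STATE_ONLY),
                         ("bridge-fw", BRIDGE_FW)):
        print(label)
        for name, v in evaluate(lines).items():
            print(f"  {name:22s} {v}")
```

Under the reporter's state-only rule the neighbour solicitation from eth0 and the advertisement from eth1 both fall through to the DROP policy, which is the symptom in step 5; under Atle's ruleset they are accepted by the explicit type 135/136 and per-interface ICMPv6 rules, while a NEW TCP connection arriving on eth0 still reaches the LOG and DROP rules at the end of the chain.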

Atle Solbakken 02-10-2011 02:20 PM

Bug#612714: netfilter: fails to match state of IPv6 connections

Archive: http://lists.debian.org/4D540232.6010906@goliathdns.no