Details
Bug#: 567
Summary: Local multicast ICMPv6 and --state INVALID
Product: netfilter/iptables
Component: unknown
Status: RESOLVED
Resolution: FIXED
Platform: All
OS: All
Version: linux-2.6.x
Priority: P1
Severity: blocker
People
Reporter: Victor Stinner <vstinner@inl.fr>
Assigned To: Harald Welte <laforge@netfilter.org>

Description:   Opened: 2009-01-09 15:55
Hi,

I'm trying to set up strict INPUT firewall rules on my computer, but I have a
problem with IPv6: multicast ICMPv6 packets are dropped because they are
detected as invalid. Example:

  ip6tables -A INPUT  -m state --state INVALID -j LOG --log-prefix "Drop INVALID INPUT"
  ip6tables -A OUTPUT -m state --state INVALID -j LOG --log-prefix "Drop INVALID OUTPUT"

Example of dropped packets:

Jan  9 15:31:32 lisa kernel: [5169594.063033] Drop INVALID INPUT IN=eth0 OUT= MAC=33:33:00:00:00:01:00:07:cb:3c:ed:d8:86:dd SRC=fe80:0000:0000:0000:0207:cbff:fe3c:edd8 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=144 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=134 CODE=0

Jan  9 15:31:33 lisa kernel: [5169595.352014] Drop INVALID OUTPUT IN= OUT=eth0 SRC=fe80:0000:0000:0000:0221:85ff:fe11:6da0 DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=76 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=143 CODE=0

The first packet is a Router Advertisement (ICMPv6 type 134) sent by my
Internet box (Freebox) to my computer. The second packet is a Multicast
Listener Report Message v2 (ICMPv6 type 143) sent by my computer to the local
multicast group. Addresses ff02::1 and ff02::16 are part of ff02::/112, multicast
with scope=2 (link).

I tested on:
 - Ubuntu Gutsy, kernel 2.6.22, i386, ip6tables 1.3.6
 - Ubuntu Ibex, kernel 2.6.27, x86_64, ip6tables 1.4.0

Is it a bug? Or should I load/install an extra kernel/iptables module?

Victor Stinner
http://www.inl.fr/
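As an added example (not from the report, and not netfilter's own code), the following Python triage script parses the two LOG lines quoted above, checks each one against the hop-limit and address rules of RFC 4861 (router advertisements) and RFC 3810 (MLDv2 listener reports), and, for a well-formed message, builds the stateless ip6tables rule that would accept it ahead of the `--state INVALID` drop; the chain is inferred from whether `IN=` is set, and the sample lines are constructed copies of the ones in the report.

```python
import re
from ipaddress import IPv6Address, IPv6Network
# Constructed sample: the two LOG lines quoted in the report, unwrapped.
SAMPLE_LOG = [
    "Jan  9 15:31:32 lisa kernel: [5169594.063033] Drop INVALID INPUT IN=eth0 OUT= "
    "MAC=33:33:00:00:00:01:00:07:cb:3c:ed:d8:86:dd SRC=fe80:0000:0000:0000:0207:cbff:fe3c:edd8 "
    "DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=144 TC=0 HOPLIMIT=255 FLOWLBL=0 "
    "PROTO=ICMPv6 TYPE=134 CODE=0",
    "Jan  9 15:31:33 lisa kernel: [5169595.352014] Drop INVALID OUTPUT IN= OUT=eth0 "
    "SRC=fe80:0000:0000:0000:0221:85ff:fe11:6da0 DST=ff02:0000:0000:0000:0000:0000:0000:0016 "
    "LEN=76 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=143 CODE=0",
]
LINK_LOCAL = IPv6Network("fe80::/10")
# ICMPv6 type -> (name, multicast group, required hop limit).
# RFC 4861: router advertisements go to ff02::1 with hop limit 255;
# RFC 3810: MLDv2 listener reports go to ff02::16 with hop limit 1.
STATELESS_ICMPV6 = {
    134: ("router-advertisement", IPv6Address("ff02::1"), 255),
    143: ("mldv2-listener-report", IPv6Address("ff02::16"), 1),
}
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_log_line(line):
    # Pull the KEY=VALUE fields out of a netfilter LOG line; a set IN= means INPUT chain.
    f = dict(FIELD_RE.findall(line))
    return {"chain": "INPUT" if f.get("IN") else "OUTPUT", "proto": f["PROTO"],
            "src": IPv6Address(f["SRC"]), "dst": IPv6Address(f["DST"]),
            "hoplimit": int(f["HOPLIMIT"]), "type": int(f["TYPE"])}

def classify(rec):
    # Is this INVALID hit a well-formed NDP/MLD message, or something odd?
    if rec["proto"] != "ICMPv6" or rec["type"] not in STATELESS_ICMPV6:
        return "not-ndp-mld"
    name, group, hl = STATELESS_ICMPV6[rec["type"]]
    if rec["src"] not in LINK_LOCAL:
        return f"{name}: source {rec['src']} is not link-local"
    if rec["dst"] != group:
        return f"{name}: unexpected destination {rec['dst']}"
    if rec["hoplimit"] != hl:
        return f"{name}: hop limit {rec['hoplimit']} != {hl}"
    return f"{name}: legitimate"

def accept_rule(rec):
    # Stateless rule to place ahead of the '--state INVALID' drop, so this
    # message class no longer depends on the icmpv6 conntrack module.
    name, group, hl = STATELESS_ICMPV6[rec["type"]]
    return (f"ip6tables -A {rec['chain']} -p icmpv6 --icmpv6-type {rec['type']} "
            f"-s {LINK_LOCAL} -d {group} -m hl --hl-eq {hl} -j ACCEPT")
```

Only the two message types from the report are covered; unicast router advertisements and the solicited-node destinations of NS/NA would need their own entries.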
------- Comment #1 From Eric Leblond 2009-01-18 13:48:28 -------
This is a bug. The icmpv6 connection tracking module does not support RFC 4681
and RFC 3810. I've cooked some patches fixing this and I will soon release
them.
------- Comment #2 From Pablo Neira Ayuso 2009-01-18 22:11:37 -------
(In reply to comment #1)
> This is a bug. The icmpv6 connection tracking module does not support RFC 4681
> and RFC 3810. I've cooked some patches fixing this and I will soon release
> them.

Please, see:

http://marc.info/?l=netfilter-devel&m=122587864120868&w=2
------- Comment #3 From Eric Leblond 2009-01-19 22:58:11 -------
(In reply to comment #2)
> (In reply to comment #1)
> > This is a bug. The icmpv6 connection tracking module does not support RFC 4681
> > and RFC 3810. I've cooked some patches fixing this and I will soon release
> > them.
> 
> Please, see:
> 
> http://marc.info/?l=netfilter-devel&m=122587864120868&w=2

My initial solution was relatively close to these mails I had missed, and I came
to a conclusion similar to Yasuyuki's after some more tests of my patches. The
problem is really complicated here, and I don't think even a helper could
help because, as Yasuyuki said, there is no real connection. Maybe we could use a
complex invert function, but it may be only an insecure workaround.
------- Comment #4 From Victor Stinner 2009-01-20 00:22:01 -------
ICMPv6 types 133 (Router solicitation) and 134 (Router advertisement) are
described in the RFC 2461.
------- Comment #5 From Eric Leblond 2009-01-28 13:01:17 -------
A patch fixing this has been applied by Patrick Mchardy to his git tree.

See http://marc.info/?l=netfilter-devel&m=123306823804829&w=2