Bug 1543 - Reverse path filtering with fib breaks IPv6 duplicate address detection
Status: RESOLVED FIXED
Alias: None
Product: nftables
Classification: Unclassified
Component: kernel
Version: unspecified
Hardware: All
OS: All
Importance: P5 minor
Assignee: Pablo Neira Ayuso
Reported: 2021-06-06 21:31 CEST by Lasse Collin
Modified: 2021-06-17 23:50 CEST

Description Lasse Collin 2021-06-06 21:31:19 CEST
I tested with Linux 5.12.5-arch1-1 from Arch Linux. Using the following for reverse path filtering breaks IPv6 duplicate address detection:

table inet ip46_firewall {
    chain ip46_rpfilter {
        type filter hook prerouting priority raw;
        fib saddr . iif oif missing log prefix "RPFILTER: " drop
    }
}

This is because packets from :: to ff02::1:ff00/104 will be dropped and thus other hosts on the network cannot detect that this host already has the same address assigned. The problem can be worked around in nft rules by handling such packets specially but I guess it should work as is.

In the kernel in ip6t_rpfilter.c the function rpfilter_mt() checks for saddrtype == IPV6_ADDR_ANY. nft_fib_ipv6.c doesn't seem to have an equivalent check for this special case.

I don't know enough about the topic to say if all packets with the source address :: should be allowed like ip6t_rpfilter.c does. Allowing just :: -> ff02::1:ff00/104 would be enough to make duplicate address detection work.
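As an added example (not the reporter's ruleset and not nftables project code), this is one way to apply the workaround the report alludes to: exempt DAD neighbour solicitations before the fib lookup is reached. Narrowing the exemption to ICMPv6 neighbour solicitations from :: to the solicited-node multicast prefix ff02::1:ff00:0:0/104 is the editor's assumption about what "handling such packets specially" means; nft evaluates rules in order, so the accept must come before the fib rule.

```nft
# Added example: the same rpfilter chain as in the report, with the
# DAD special case handled before the reverse path check.
table inet ip46_firewall {
    chain ip46_rpfilter {
        type filter hook prerouting priority raw; policy accept;

        # Duplicate address detection sends a neighbour solicitation from
        # the unspecified address (::) to the solicited-node multicast group
        # (assumed prefix ff02::1:ff00:0:0/104). There is never a route back
        # to ::, so the fib lookup below would always report "missing".
        # Accept these first; chain rules are evaluated in order.
        ip6 saddr ::/128 ip6 daddr ff02::1:ff00:0:0/104 icmpv6 type nd-neighbor-solicit counter accept

        # Everything else still gets the strict reverse path check.
        fib saddr . iif oif missing log prefix "RPFILTER: " drop
    }
}
```

Load it with nft -f and confirm the rule order with nft list chain inet ip46_firewall ip46_rpfilter; the counter on the exemption rule should increase when a peer runs DAD, and no "RPFILTER: " log lines should appear for those probes.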