[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

(usagi-users 02955) Re: [netfilter] problem with icmpv6 and connection tracking

To: Usagi Users ML <usagi-users@xxxxxxxxxxxxxx>
Subject: (usagi-users 02955) Re: [netfilter] problem with icmpv6 and connection tracking
From: Fabio Massimo Di Nitto <fabbione@xxxxxxxxxxxx>
Date: Wed, 19 May 2004 16:06:02 +0200 (CEST)
In-reply-to: <200405191142.UAA26150@toshiba.co.jp>
References: <Pine.LNX.4.58.0405190933220.3846@trider-g7.ext.fabbione.net> <200405191142.UAA26150@toshiba.co.jp>
Reply-to: usagi-users@xxxxxxxxxxxxxx
Sender: fabbione@xxxxxxxxxxxx

Hi,

On Wed, 19 May 2004, Yasuyuki Kozakai wrote:

> > gundam:~# ping6 trider-g7
> > PING trider-g7(trider-g7.fabbione.net) 56 data bytes
> > 64 bytes from trider-g7.fabbione.net: icmp_seq=4 ttl=64 time=1999 ms
> > 64 bytes from trider-g7.fabbione.net: icmp_seq=5 ttl=64 time=999 ms
> >
> > --- trider-g7 ping statistics ---
> > 7 packets transmitted, 2 received, 71% packet loss, time 5998ms
> > rtt min/avg/max/mdev = 999.969/1499.891/1999.813/499.922 ms, pipe 3
>
> With your rule, almost ICMPv6 packets for DAD, Address Auto Configuration,
> and so on are dropped. Because the packets to multicast address are not
> tracked.
>
> I think these ICMPv6 packets should not be filtered.
>
> > gundam:~# ping6 trider-g7
> > PING trider-g7(trider-g7.fabbione.net) 56 data bytes
> > From ::1 icmp_seq=1 Destination unreachable: Address unreachable
> > From ::1 icmp_seq=2 Destination unreachable: Address unreachable
>
> "state" of these echo-request from ::1 to ::1 are NEW, then dropped with
> your rules.
>
> How about adding this rule ?
> 	ip6tables -A INPUT -i lo -j ACCEPT
>

sorry probably I was not clear describing the setup, but gundam is running
the firewall. trider-g7 accepts everything at the moment.

So ping6 goes out from gundam (there are no OUTPUT filters), hits
trider-g7 (that answers back since there are no filters and verified with
tcpdump).
the problem occours when the packet hits back gundam and the INPUT filter.
At that point the connection should be known to gundam and that would
explain partially ping6 like this one:

gundam# ping6 trider-g7
PING trider-g7(trider-g7.fabbione.net) 56 data bytes
64 bytes from trider-g7.fabbione.net: icmp_seq=7 ttl=64 time=1999 ms
64 bytes from trider-g7.fabbione.net: icmp_seq=8 ttl=64 time=999 ms
From ip6-localhost icmp_seq=9 Destination unreachable: Address unreachable
From ip6-localhost icmp_seq=10 Destination unreachable: Address unreachable
From ip6-localhost icmp_seq=11 Destination unreachable: Address unreachable

What i think it is a bug is the fact that some packets can come back and
others can't.

Adding the rule you suggested didn't help sorry.

Thanks!
Fabio

-- 
<user> fajita: step one
<fajita> Whatever the problem, step one is always to look in the error log.
<user> fajita: step two
<fajita> When in danger or in doubt, step two is to scream and shout.

References:
- (usagi-users 02953) [netfilter] problem with icmpv6 and connection tracking
  - From: Fabio Massimo Di Nitto
- (usagi-users 02954) Re: [netfilter] problem with icmpv6 and connection tracking
  - From: Yasuyuki Kozakai

Prev by Date: (usagi-users 02954) Re: [netfilter] problem with icmpv6 and connection tracking
Next by Date: (usagi-users 02956) Re: [netfilter] problem with icmpv6 and connection tracking
Previous by thread: (usagi-users 02954) Re: [netfilter] problem with icmpv6 and connection tracking
Next by thread: (usagi-users 02956) Re: [netfilter] problem with icmpv6 and connection tracking
Index(es):
- Date
- Thread