Networking Forums

IPv6 netfilter state matching: Invalid packets

 
 
Lukas Barth
12-31-2008, 02:40 PM
Hi,

I set up my LAN for IPv6 via a sixxs tunnel. The machine on which the
tunnel ends, and which should perform the routing, seems to have a
problem: If I do not allow packets which are considered "Invalid",
neither routing nor "normal input" works. So this setup:

ip6tables -P FORWARD DROP
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -m state --state NEW -s $MYIP6NET -j ACCEPT

has to be extended with:

ip6tables -A FORWARD -m state --state INVALID -j ACCEPT

for anything to work. Here is an excerpt from my syslog with a -j LOG for
invalid packets[0] (sixxs is the sixxs tunnel interface, v6tinnet is an
interface that tunnels into another part of my network):

Dec 31 16:21:05 bluebox kernel: Invalid: IN=v6tinnet OUT=sixxs SRC=2a01:0198:XXXX:0000:0000:0000:0000:XXXX DST=2001:0838:0001:0001:0210:dcff:fe20:7c7c LEN=80 TC=0 HOPLIMIT=62 FLOWLBL=0 PROTO=TCP SPT=43034 DPT=80 SEQ=3464074086 ACK=0 WINDOW=5760 RES=0x00 SYN URGP=0
Dec 31 16:21:06 bluebox kernel: Invalid: IN=sixxs OUT=v6tinnet SRC=2001:0838:0001:0001:0210:dcff:fe20:7c7c DST=2a01:0198:XXXX:0000:0000:0000:0000:XXXX LEN=80 TC=0 HOPLIMIT=55 FLOWLBL=0 PROTO=TCP SPT=80 DPT=43034 SEQ=1498347806 ACK=3464074087 WINDOW=5712 RES=0x00 ACK SYN URGP=0
Dec 31 16:21:06 bluebox kernel: Invalid: IN=v6tinnet OUT=sixxs SRC=2a01:0198:XXXX:0000:0000:0000:0000:XXXX DST=2001:0838:0001:0001:0210:dcff:fe20:7c7c LEN=72 TC=0 HOPLIMIT=62 FLOWLBL=0 PROTO=TCP SPT=43034 DPT=80 SEQ=3464074087 ACK=1498347807 WINDOW=45 RES=0x00 ACK URGP=0
Dec 31 16:21:06 bluebox kernel: Invalid: IN=v6tinnet OUT=sixxs SRC=2a01:0198:XXXX:0000:0000:0000:0000:XXXX DST=2001:0838:0001:0001:0210:dcff:fe20:7c7c LEN=527 TC=0 HOPLIMIT=62 FLOWLBL=0 PROTO=TCP SPT=43034 DPT=80 SEQ=3464074087 ACK=1498347807 WINDOW=45 RES=0x00 ACK PSH URGP=0
Dec 31 16:21:06 bluebox kernel: Invalid: IN=sixxs OUT=v6tinnet SRC=2001:0838:0001:0001:0210:dcff:fe20:7c7c DST=2a01:0198:XXXX:0000:0000:0000:0000:XXXX LEN=72 TC=0 HOPLIMIT=55 FLOWLBL=0 PROTO=TCP SPT=80 DPT=43034 SEQ=1498347807 ACK=3464074542 WINDOW=14 RES=0x00 ACK URGP=0
Dec 31 16:21:06 bluebox kernel: Invalid: IN=sixxs OUT=v6tinnet SRC=2001:0838:0001:0001:0210:dcff:fe20:7c7c DST=2a01:0198:XXXX:0000:0000:0000:0000:XXXX LEN=1280 TC=0 HOPLIMIT=55 FLOWLBL=0 PROTO=TCP SPT=80 DPT=43034 SEQ=1498349235 ACK=3464074542 WINDOW=14 RES=0x00 ACK URGP=0
Dec 31 16:21:06 bluebox kernel: Invalid: IN=v6tinnet OUT=sixxs SRC=2a01:0198:XXXX:0000:0000:0000:0000:XXXX DST=2001:0838:0001:0001:0210:dcff:fe20:7c7c LEN=72 TC=0 HOPLIMIT=62 FLOWLBL=0 PROTO=TCP SPT=43034 DPT=80 SEQ=3464075011 ACK=1498355577 WINDOW=234 RES=0x00 ACK URGP=0

As you can see from the sequence numbers, it seems like *all* packets are
considered invalid. Does anyone have any ideas?

Lukas

[0] Note that I replaced parts of my private IP with Xs so that no one
tries to "exploit" the fact that I may be allowing invalid packets at the
moment. ;-)
 
 
Allen Kistler
12-31-2008, 03:53 PM
Lukas Barth wrote:
> Hi,
>
> I set up my LAN for IPv6 via a sixxs tunnel. The machine on which the
> tunnel ends, and which should perform the routing, seems to have a
> problem: If I do not allow packets which are considered "Invalid",
> neither routing nor "normal input" works. So this setup:
>
> ip6tables -P FORWARD DROP
> ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> ip6tables -A FORWARD -m state --state NEW -s $MYIP6NET -j ACCEPT
>
> has to be extended with:
>
> ip6tables -A FORWARD -m state --state INVALID -j ACCEPT
>
> for anything to work. Here is an excerpt from my syslog with a -j LOG for
> invalid packets[0] (sixxs is the sixxs tunnel interface, v6tinnet is an
> interface that tunnels into another part of my network):
>
> [snip]


Connection tracking is still a work in progress for IPv6 in netfilter.
In other words, it's broken.
It can't tell the difference between NEW and INVALID, at the very least.
 
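To make Lukas's observation ("all packets are considered invalid") and Allen's point (the tracker cannot tell NEW from INVALID) concrete, here is an added Python example that is not code from either poster. It parses ip6tables LOG lines in the format shown in the first post and replays them through a handshake-only TCP state tracker, so you can see what state a working conntrack would have assigned to each logged packet: the first SYN should be NEW and everything after it ESTABLISHED, yet all seven were logged under the INVALID rule. A constructed eighth line (not from the post) shows the one case where a tracker is right to say INVALID: a mid-stream ACK for a flow whose SYN it never saw. The sample lines reuse the poster's XXXX-masked addresses; the tracker deliberately omits the sequence-number and window checks that real conntrack also applies, so it is a diagnostic aid for reading LOG output, not a substitute for conntrack.

```python
import re
from collections import Counter

# Constructed sample: the seven ip6tables LOG lines from the post above,
# rejoined one per line (addresses masked with XXXX as the poster did).
SAMPLE_LOG = """\
Dec 31 16:21:05 bluebox kernel: Invalid: IN=v6tinnet OUT=sixxs SRC=2a01:0198:XXXX:0000:0000:0000:0000:XXXX DST=2001:0838:0001:0001:0210:dcff:fe20:7c7c LEN=80 TC=0 HOPLIMIT=62 FLOWLBL=0 PROTO=TCP SPT=43034 DPT=80 SEQ=3464074086 ACK=0 WINDOW=5760 RES=0x00 SYN URGP=0
Dec 31 16:21:06 bluebox kernel: Invalid: IN=sixxs OUT=v6tinnet SRC=2001:0838:0001:0001:0210:dcff:fe20:7c7c DST=2a01:0198:XXXX:0000:0000:0000:0000:XXXX LEN=80 TC=0 HOPLIMIT=55 FLOWLBL=0 PROTO=TCP SPT=80 DPT=43034 SEQ=1498347806 ACK=3464074087 WINDOW=5712 RES=0x00 ACK SYN URGP=0
Dec 31 16:21:06 bluebox kernel: Invalid: IN=v6tinnet OUT=sixxs SRC=2a01:0198:XXXX:0000:0000:0000:0000:XXXX DST=2001:0838:0001:0001:0210:dcff:fe20:7c7c LEN=72 TC=0 HOPLIMIT=62 FLOWLBL=0 PROTO=TCP SPT=43034 DPT=80 SEQ=3464074087 ACK=1498347807 WINDOW=45 RES=0x00 ACK URGP=0
Dec 31 16:21:06 bluebox kernel: Invalid: IN=v6tinnet OUT=sixxs SRC=2a01:0198:XXXX:0000:0000:0000:0000:XXXX DST=2001:0838:0001:0001:0210:dcff:fe20:7c7c LEN=527 TC=0 HOPLIMIT=62 FLOWLBL=0 PROTO=TCP SPT=43034 DPT=80 SEQ=3464074087 ACK=1498347807 WINDOW=45 RES=0x00 ACK PSH URGP=0
Dec 31 16:21:06 bluebox kernel: Invalid: IN=sixxs OUT=v6tinnet SRC=2001:0838:0001:0001:0210:dcff:fe20:7c7c DST=2a01:0198:XXXX:0000:0000:0000:0000:XXXX LEN=72 TC=0 HOPLIMIT=55 FLOWLBL=0 PROTO=TCP SPT=80 DPT=43034 SEQ=1498347807 ACK=3464074542 WINDOW=14 RES=0x00 ACK URGP=0
Dec 31 16:21:06 bluebox kernel: Invalid: IN=sixxs OUT=v6tinnet SRC=2001:0838:0001:0001:0210:dcff:fe20:7c7c DST=2a01:0198:XXXX:0000:0000:0000:0000:XXXX LEN=1280 TC=0 HOPLIMIT=55 FLOWLBL=0 PROTO=TCP SPT=80 DPT=43034 SEQ=1498349235 ACK=3464074542 WINDOW=14 RES=0x00 ACK URGP=0
Dec 31 16:21:06 bluebox kernel: Invalid: IN=v6tinnet OUT=sixxs SRC=2a01:0198:XXXX:0000:0000:0000:0000:XXXX DST=2001:0838:0001:0001:0210:dcff:fe20:7c7c LEN=72 TC=0 HOPLIMIT=62 FLOWLBL=0 PROTO=TCP SPT=43034 DPT=80 SEQ=3464075011 ACK=1498355577 WINDOW=234 RES=0x00 ACK URGP=0
"""

# Constructed extra line (not from the post): an ACK for a flow whose SYN the
# tracker never saw, i.e. what conntrack sees when it misses a connection start.
STRAY_ACK_LINE = (
    "Dec 31 16:30:00 bluebox kernel: Invalid: IN=sixxs OUT=v6tinnet "
    "SRC=2001:0838:0001:0001:0210:dcff:fe20:7c7c DST=2a01:0198:XXXX:0000:0000:0000:0000:XXXX "
    "LEN=72 TC=0 HOPLIMIT=55 FLOWLBL=0 PROTO=TCP SPT=80 DPT=50000 SEQ=1 ACK=1 "
    "WINDOW=14 RES=0x00 ACK URGP=0"
)

# syslog timestamp, host, "kernel:", the --log-prefix, then the packet fields
LOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ kernel: (?P<prefix>[^:]*): (?P<rest>.*)$")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_log_line(line):
    """Split one LOG line into key=value fields and bare TCP flag tokens.
    'ACK' on its own is a flag; 'ACK=123' is the acknowledgement number."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("rest").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
        elif tok in TCP_FLAGS:
            flags.add(tok)
    return {"ts": m.group("ts"), "prefix": m.group("prefix"), "fields": fields, "flags": flags}


class HandshakeTracker:
    """Toy conntrack: follows the three-way handshake per 4-tuple and returns the
    state a healthy tracker would assign. Sequence/window checks are omitted."""

    def __init__(self):
        self.flows = {}  # canonical 4-tuple -> [state, originator endpoint]

    def classify(self, pkt):
        f, flags = pkt["fields"], pkt["flags"]
        if f.get("PROTO") != "TCP":
            return "UNTRACKED"
        src, dst = (f["SRC"], int(f["SPT"])), (f["DST"], int(f["DPT"]))
        key = tuple(sorted((src, dst)))
        entry = self.flows.get(key)
        if entry is None:
            if flags == {"SYN"}:  # only a bare SYN may open a connection
                self.flows[key] = ["SYN_SENT", src]
                return "NEW"
            return "INVALID"  # mid-stream packet for an unknown flow
        state, originator = entry
        from_orig = src == originator
        if state == "SYN_SENT":
            if not from_orig and flags >= {"SYN", "ACK"}:
                entry[0] = "SYN_RECV"
                return "ESTABLISHED"  # reply direction of a NEW connection
            if from_orig and flags == {"SYN"}:
                return "NEW"  # retransmitted SYN
        elif state == "SYN_RECV":
            if from_orig and "ACK" in flags and "SYN" not in flags:
                entry[0] = "ESTABLISHED"
                return "ESTABLISHED"
        elif state == "ESTABLISHED":
            if "ACK" in flags and "SYN" not in flags:
                return "ESTABLISHED"
        return "INVALID"


def audit(log_text):
    """Replay the logged TCP packets through the tracker and record, per packet,
    the prefix the kernel logged it under and the state it should have had."""
    tracker, records = HandshakeTracker(), []
    for line in log_text.splitlines():
        pkt = parse_log_line(line)
        if pkt is None or pkt["fields"].get("PROTO") != "TCP":
            continue
        records.append({
            "ts": pkt["ts"],
            "dir": f'{pkt["fields"]["IN"]}->{pkt["fields"]["OUT"]}',
            "flags": "+".join(sorted(pkt["flags"])),
            "logged_as": pkt["prefix"],
            "expected": tracker.classify(pkt),
        })
    return records


def summarize(records):
    """Count expected states: anything NEW/ESTABLISHED here was wrongly logged as invalid."""
    return Counter(r["expected"] for r in records)


if __name__ == "__main__":
    recs = audit(SAMPLE_LOG)
    for r in recs:
        print(f'{r["ts"]} {r["dir"]:<18} {r["flags"]:<8} logged={r["logged_as"]} expected={r["expected"]}')
    print(dict(summarize(recs)))
```

Feed a real syslog excerpt to audit() (everything from a `-j LOG --log-prefix "Invalid: "` rule) and compare the expected column with the prefix: a run like the one above, where a clean SYN/SYN-ACK/ACK exchange is logged as invalid, points at the tracker rather than at the traffic; isolated INVALID hits on mid-stream packets with no preceding SYN are what you expect when the tracker did not see the whole flow.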