IPv6 netfilter state matching: Invalid packets

Discussion in 'Linux Networking' started by Lukas Barth, Dec 31, 2008.

  1. Lukas Barth

    Hi,

    I set up my LAN for IPv6 via a sixxs-tunnel. The machine on which the
    tunnel ends, and which should perform the routing, seems to have a
    problem: If I do not allow packets which are considered "Invalid",
    neither routing nor "normal input" works. So this setup:

    ip6tables -P FORWARD DROP
    ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ip6tables -A FORWARD -m state --state NEW -s $MYIP6NET -j ACCEPT

    has to be extended with:

    ip6tables -A FORWARD -m state --state INVALID -j ACCEPT

    for anything to work. Here is an excerpt from my syslog with a -j LOG for
    invalid packets[0] (sixxs is the sixxs-tunnelinterface, v6tinnet is an
    interface that tunnels into another part of my network):

    Dec 31 16:21:05 bluebox kernel: Invalid: IN=v6tinnet OUT=sixxs
    SRC=2a01:0198:XXXX:0000:0000:0000:0000:XXXX
    DST=2001:0838:0001:0001:0210:dcff:fe20:7c7c LEN=80 TC=0 HOPLIMIT=62
    FLOWLBL=0 PROTO=TCP SPT=43034 DPT=80
    SEQ=3464074086 ACK=0 WINDOW=5760 RES=0x00 SYN URGP=0
    Dec 31 16:21:06 bluebox kernel: Invalid: IN=sixxs OUT=v6tinnet
    SRC=2001:0838:0001:0001:0210:dcff:fe20:7c7c
    DST=2a01:0198:XXXX:0000:0000:0000:0000:XXXX LEN=80 TC=0 HOPLIMIT=55
    FLOWLBL=0 PROTO=TCP SPT=80 DPT=43034
    SEQ=1498347806 ACK=3464074087 WINDOW=5712 RES=0x00 ACK SYN URGP=0
    Dec 31 16:21:06 bluebox kernel: Invalid: IN=v6tinnet OUT=sixxs
    SRC=2a01:0198:XXXX:0000:0000:0000:0000:XXXX
    DST=2001:0838:0001:0001:0210:dcff:fe20:7c7c LEN=72 TC=0 HOPLIMIT=62
    FLOWLBL=0 PROTO=TCP SPT=43034 DPT=80
    SEQ=3464074087 ACK=1498347807 WINDOW=45 RES=0x00 ACK URGP=0
    Dec 31 16:21:06 bluebox kernel: Invalid: IN=v6tinnet OUT=sixxs
    SRC=2a01:0198:XXXX:0000:0000:0000:0000:XXXX
    DST=2001:0838:0001:0001:0210:dcff:fe20:7c7c LEN=527 TC=0 HOPLIMIT=62
    FLOWLBL=0 PROTO=TCP SPT=43034 DPT=80
    SEQ=3464074087 ACK=1498347807 WINDOW=45 RES=0x00 ACK PSH URGP=0
    Dec 31 16:21:06 bluebox kernel: Invalid: IN=sixxs OUT=v6tinnet
    SRC=2001:0838:0001:0001:0210:dcff:fe20:7c7c
    DST=2a01:0198:XXXX:0000:0000:0000:0000:XXXX LEN=72 TC=0 HOPLIMIT=55
    FLOWLBL=0 PROTO=TCP SPT=80 DPT=43034
    SEQ=1498347807 ACK=3464074542 WINDOW=14 RES=0x00 ACK URGP=0
    Dec 31 16:21:06 bluebox kernel: Invalid: IN=sixxs OUT=v6tinnet
    SRC=2001:0838:0001:0001:0210:dcff:fe20:7c7c
    DST=2a01:0198:XXXX:0000:0000:0000:0000:XXXX LEN=1280 TC=0 HOPLIMIT=55
    FLOWLBL=0 PROTO=TCP SPT=80 DPT=43034
    SEQ=1498349235 ACK=3464074542 WINDOW=14 RES=0x00 ACK URGP=0
    Dec 31 16:21:06 bluebox kernel: Invalid: IN=v6tinnet OUT=sixxs
    SRC=2a01:0198:XXXX:0000:0000:0000:0000:XXXX
    DST=2001:0838:0001:0001:0210:dcff:fe20:7c7c LEN=72 TC=0 HOPLIMIT=62
    FLOWLBL=0 PROTO=TCP SPT=43034 DPT=80
    SEQ=3464075011 ACK=1498355577 WINDOW=234 RES=0x00 ACK URGP=0

    As you can see from the sequence numbers, it seems like *all* packets are
    considered invalid. Does anyone have any ideas?

    Lukas

    [0] Note that I replaced parts of my private IP with Xs so that no one
    tries to "exploit" the fact that I may be allowing invalid packets at the
    moment. ;-)
     
    Lukas Barth, Dec 31, 2008
    #1
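An added example, not part of the original post: a small parser for the ip6tables `-j LOG` line format that groups the INVALID-tagged packets by TCP conversation and checks whether the three-way handshake itself was logged as INVALID. That is the distinction a defender wants before reaching for `--state INVALID -j ACCEPT`: if the SYN, SYN/ACK and ACK of a flow all hit the INVALID rule, conntrack never created an entry for the flow (the situation in the excerpt above), whereas a single mid-stream ACK with no handshake is the ordinary stray packet that INVALID is meant to catch. The seven log lines below are the poster's own excerpt re-joined onto one line each; the one-line `STRAY_LOG` sample is constructed for contrast and uses the 2001:db8::/32 documentation prefix.

```python
"""Parse ip6tables LOG lines and check whether whole TCP conversations,
handshake included, were tagged INVALID by connection tracking."""
import re
from collections import OrderedDict

# Sample input: the seven lines quoted in the original post, one per line.
# The poster masked part of their 2a01:0198::/32 prefix with Xs.
SAMPLE_LOG = """\
Dec 31 16:21:05 bluebox kernel: Invalid: IN=v6tinnet OUT=sixxs SRC=2a01:0198:XXXX:0000:0000:0000:0000:XXXX DST=2001:0838:0001:0001:0210:dcff:fe20:7c7c LEN=80 TC=0 HOPLIMIT=62 FLOWLBL=0 PROTO=TCP SPT=43034 DPT=80 SEQ=3464074086 ACK=0 WINDOW=5760 RES=0x00 SYN URGP=0
Dec 31 16:21:06 bluebox kernel: Invalid: IN=sixxs OUT=v6tinnet SRC=2001:0838:0001:0001:0210:dcff:fe20:7c7c DST=2a01:0198:XXXX:0000:0000:0000:0000:XXXX LEN=80 TC=0 HOPLIMIT=55 FLOWLBL=0 PROTO=TCP SPT=80 DPT=43034 SEQ=1498347806 ACK=3464074087 WINDOW=5712 RES=0x00 ACK SYN URGP=0
Dec 31 16:21:06 bluebox kernel: Invalid: IN=v6tinnet OUT=sixxs SRC=2a01:0198:XXXX:0000:0000:0000:0000:XXXX DST=2001:0838:0001:0001:0210:dcff:fe20:7c7c LEN=72 TC=0 HOPLIMIT=62 FLOWLBL=0 PROTO=TCP SPT=43034 DPT=80 SEQ=3464074087 ACK=1498347807 WINDOW=45 RES=0x00 ACK URGP=0
Dec 31 16:21:06 bluebox kernel: Invalid: IN=v6tinnet OUT=sixxs SRC=2a01:0198:XXXX:0000:0000:0000:0000:XXXX DST=2001:0838:0001:0001:0210:dcff:fe20:7c7c LEN=527 TC=0 HOPLIMIT=62 FLOWLBL=0 PROTO=TCP SPT=43034 DPT=80 SEQ=3464074087 ACK=1498347807 WINDOW=45 RES=0x00 ACK PSH URGP=0
Dec 31 16:21:06 bluebox kernel: Invalid: IN=sixxs OUT=v6tinnet SRC=2001:0838:0001:0001:0210:dcff:fe20:7c7c DST=2a01:0198:XXXX:0000:0000:0000:0000:XXXX LEN=72 TC=0 HOPLIMIT=55 FLOWLBL=0 PROTO=TCP SPT=80 DPT=43034 SEQ=1498347807 ACK=3464074542 WINDOW=14 RES=0x00 ACK URGP=0
Dec 31 16:21:06 bluebox kernel: Invalid: IN=sixxs OUT=v6tinnet SRC=2001:0838:0001:0001:0210:dcff:fe20:7c7c DST=2a01:0198:XXXX:0000:0000:0000:0000:XXXX LEN=1280 TC=0 HOPLIMIT=55 FLOWLBL=0 PROTO=TCP SPT=80 DPT=43034 SEQ=1498349235 ACK=3464074542 WINDOW=14 RES=0x00 ACK URGP=0
Dec 31 16:21:06 bluebox kernel: Invalid: IN=v6tinnet OUT=sixxs SRC=2a01:0198:XXXX:0000:0000:0000:0000:XXXX DST=2001:0838:0001:0001:0210:dcff:fe20:7c7c LEN=72 TC=0 HOPLIMIT=62 FLOWLBL=0 PROTO=TCP SPT=43034 DPT=80 SEQ=3464075011 ACK=1498355577 WINDOW=234 RES=0x00 ACK URGP=0
"""

# Constructed contrast case: one mid-stream ACK with no handshake in the log,
# i.e. a packet that conntrack legitimately has no entry for.
STRAY_LOG = """\
Dec 31 16:30:00 bluebox kernel: Invalid: IN=sixxs OUT=v6tinnet SRC=2001:0db8::1 DST=2001:0db8::2 LEN=72 TC=0 HOPLIMIT=55 FLOWLBL=0 PROTO=TCP SPT=80 DPT=51000 SEQ=1 ACK=1 WINDOW=14 RES=0x00 ACK URGP=0
"""

TCP_FLAGS = ("SYN", "ACK", "PSH", "FIN", "RST", "URG")
KV_RE = re.compile(r"(\w+)=(\S*)")
PREFIX_RE = re.compile(r"kernel: (.*?) IN=")

def parse_log_line(line):
    """Return the KEY=VALUE fields of one LOG line plus 'flags' (set of bare
    TCP flag words after RES=) and 'prefix' (the --log-prefix text), or None
    when the line is not a netfilter LOG line."""
    if "IN=" not in line:
        return None
    fields = dict(KV_RE.findall(line))
    tail = line.split("RES=", 1)[1] if "RES=" in line else ""
    fields["flags"] = {f for f in TCP_FLAGS if f in tail.split()}
    m = PREFIX_RE.search(line)
    fields["prefix"] = m.group(1).strip() if m else ""
    return fields

def flow_key(p):
    """Direction-independent 5-tuple so both halves of a conversation share
    one bucket; the smaller (address, port) pair is placed first."""
    a = (p["SRC"], int(p["SPT"]))
    b = (p["DST"], int(p["DPT"]))
    return (p["PROTO"],) + (a + b if a <= b else b + a)

def handshake_logged(flag_sets):
    """True if a bare SYN, then a SYN/ACK, then a bare ACK occur in order."""
    want = [{"SYN"}, {"SYN", "ACK"}, {"ACK"}]
    pos = 0
    for flags in flag_sets:
        if pos < len(want) and flags == want[pos]:
            pos += 1
    return pos == len(want)

def summarize_flows(log_text):
    """Group INVALID-tagged TCP packets by conversation. For each flow report
    the packet count, total bytes, and whether the handshake itself was logged
    as INVALID (meaning conntrack never tracked the flow at all)."""
    flows = OrderedDict()
    for line in log_text.splitlines():
        p = parse_log_line(line)
        if not p or p.get("PROTO") != "TCP":
            continue
        flows.setdefault(flow_key(p), []).append(p)
    report = OrderedDict()
    for key, pkts in flows.items():
        report[key] = {
            "packets": len(pkts),
            "bytes": sum(int(p["LEN"]) for p in pkts),
            "handshake_logged_invalid": handshake_logged([p["flags"] for p in pkts]),
        }
    return report

if __name__ == "__main__":
    for name, text in (("poster's excerpt", SAMPLE_LOG), ("stray ACK", STRAY_LOG)):
        for key, info in summarize_flows(text).items():
            print(name, key, info)
```

Run as a script, the poster's excerpt collapses to one conversation of 7 packets whose handshake was entirely logged as INVALID, while the constructed stray ACK reports a single packet with no handshake. The parser only reads the standard `KEY=VALUE` fields that the LOG target emits, so it works unchanged on lines logged with any `--log-prefix`.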

  2. Connection tracking is still a work in progress for IPv6 in netfilter.
    In other words, it's broken.
    It can't tell the difference between NEW and INVALID, at the very least.
     
    Allen Kistler, Dec 31, 2008
    #2
