Re: IPv6 Parameter problem with no ICMPv6 response ?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Mon, Feb 05, 2018 at 01:16:08PM +0100, Pablo Neira Ayuso wrote:
> On Mon, Feb 05, 2018 at 01:58:26PM +1000, David McCullough wrote:
> > 
> > Hi devel,
> > 
> > I am looking for some feedback on IPv6 behaviour with/without netfilter in
> > the path.  We are in process of some IPv6 certification at a lab.
> > 
> > RFC2460 has a bunch of conditions under which certain ICMPv6 responses
> > should be sent.  This is even commented in the code.
> > 
> > linux/net/ipv6/reassembly.c:255
> >                 /* Check if the fragment is rounded to 8 bytes.
> >                  * Required by the RFC.
> >                  */
> >                 if (end & 0x7) {
> >                         /* RFC2460 says always send parameter problem in
> >                          * this case. -DaveM
> >                          */
> >                         __IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
> >                                         IPSTATS_MIB_INHDRERRORS);
> >                         icmpv6_param_prob(skb, ICMPV6_HDR_FIELD,
> >                                           offsetof(struct ipv6hdr, payload_len));                       
> >                         return -1;
> >                 }
> > 
> > linux/net/ipv6/netfilter/nf_conntrack_reasm.c:259
> >                 /* Check if the fragment is rounded to 8 bytes.
> >                  * Required by the RFC.
> >                  */
> >                 if (end & 0x7) {
> >                         /* RFC2460 says always send parameter problem in
> >                          * this case. -DaveM
> >                          */
> >                         pr_debug("end of fragment not rounded to 8 bytes.\n");
> >                         return -1;      
> >                 }
> > 
> > The behaviour of the non-netfilter code is what the certification is expecting.
> > We are using conntracking though and I can see no way to avoid the above
> > netfilter code from silently dropping the packet and not responding correctly.
> > 
> > We experiemented with the patch below and it provided the appropriate
> > responses but we were not sure this is the best approach.  Happy to send in
> > a proper patch if this looks ok.
> 
> Probably you're refering to this fix?
> 
> commit 83f1999caeb14e15df205e80d210699951733287
> Author: Subash Abhinov Kasiviswanathan <subashab@xxxxxxxxxxxxxx>
> Date:   Fri Jan 12 17:36:27 2018 -0700
> 
>     netfilter: ipv6: nf_defrag: Pass on packets to stack per RFC2460

You will also need this follow up amendment on top of it:

commit ea23d5e3bf340e413b8e05c13da233c99c64142b
Author: Subash Abhinov Kasiviswanathan <subashab@xxxxxxxxxxxxxx>
Date:   Wed Jan 31 04:50:01 2018 -0700

    netfilter: ipv6: nf_defrag: Kill frag queue on RFC2460 failure

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux