IPv6 state match in kernel 2.6.15 and iptables 1.3.5

Heyho,

I was happy to see that kernel 2.6.15 and iptables 1.3.5
brought state match support for IPv6.
When giving it a try, it turned out *all* packets were classified
as being in INVALID state:

IN=ppp0 OUT=eth0 SRC=XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX \
	DST=XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX LEN=80 TC=0 \
	HOPLIMIT=55 FLOWLBL=0 PROTO=TCP SPT=14999 DPT=10110 \
	WINDOW=4880 RES=0x00 SYN URGP=0 OPT \
	(020404C40402080A4EBBF6990000000001030302)

I was logging those packets with this rule:

ip6tables -t filter -A FORWARD -m state --state INVALID \
	-j LOG --log-tcp-options --log-ip-options

Several other guys I asked to try this out at their sites
reported the same behaviour.

The following modules were loaded besides some IPv4 specific
ones at that time:

ip6_queue
ip6table_filter
ip6table_mangle
ip6table_raw
ip6_tables
ip6t_dst
ip6t_ipv6header
ip6t_LOG
ip6t_multiport
ip6t_REJECT
ip6t_rt
x_tables
xt_conntrack
xt_limit
xt_state
xt_tcpudp

The corresponding kernel config parts are:

#
# Core Netfilter Configuration
#
CONFIG_NETFILTER_NETLINK=m
CONFIG_NETFILTER_NETLINK_QUEUE=m
CONFIG_NETFILTER_NETLINK_LOG=m
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
CONFIG_NETFILTER_XT_TARGET_NOTRACK=m
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_DCCP=m
CONFIG_NETFILTER_XT_MATCH_HELPER=m
CONFIG_NETFILTER_XT_MATCH_LENGTH=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_MAC=m
CONFIG_NETFILTER_XT_MATCH_MARK=m
CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
CONFIG_NETFILTER_XT_MATCH_REALM=m
CONFIG_NETFILTER_XT_MATCH_SCTP=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m

#
# IPv6: Netfilter Configuration (EXPERIMENTAL)
#
CONFIG_IP6_NF_QUEUE=m
CONFIG_IP6_NF_IPTABLES=m
CONFIG_IP6_NF_MATCH_RT=m
CONFIG_IP6_NF_MATCH_OPTS=m
CONFIG_IP6_NF_MATCH_FRAG=m
CONFIG_IP6_NF_MATCH_HL=m
CONFIG_IP6_NF_MATCH_MULTIPORT=m
CONFIG_IP6_NF_MATCH_OWNER=m
CONFIG_IP6_NF_MATCH_IPV6HEADER=m
CONFIG_IP6_NF_MATCH_AHESP=m
CONFIG_IP6_NF_MATCH_EUI64=m
CONFIG_IP6_NF_MATCH_POLICY=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_TARGET_LOG=m
CONFIG_IP6_NF_TARGET_REJECT=m
CONFIG_IP6_NF_MANGLE=m
CONFIG_IP6_NF_TARGET_HL=m
CONFIG_IP6_NF_RAW=m

Any ideas why the state matching doesn't actually work?

Thanks in advance.
-- 
Regards,
Wolfram Schlich <wschlich@xxxxxxxxxx>
Gentoo Linux * http://dev.gentoo.org/~wschlich/
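Added example (not part of Wolfram's post): a small parser for the kind of ip6tables LOG line quoted above that decodes the `--log-tcp-options` hex and checks whether the packet is a bare SYN whose LEN adds up, i.e. a handshake opener that a working conntrack would report as NEW rather than INVALID. The addresses are constructed placeholders, since the post redacts them.

```python
import re

# Constructed sample modelled on the LOG line in the post (addresses are
# documentation-prefix placeholders, since the post redacts them).
SAMPLE = ("IN=ppp0 OUT=eth0 SRC=2001:db8::1 DST=2001:db8::2 LEN=80 TC=0 "
          "HOPLIMIT=55 FLOWLBL=0 PROTO=TCP SPT=14999 DPT=10110 WINDOW=4880 "
          "RES=0x00 SYN URGP=0 OPT (020404C40402080A4EBBF6990000000001030302)")
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
OPT_RE = re.compile(r"OPT \(([0-9A-Fa-f]*)\)")

def parse_log_line(line):
    """Return (key=value fields, TCP flag tokens, raw TCP option bytes)."""
    m = OPT_RE.search(line)
    opts = bytes.fromhex(m.group(1)) if m else b""
    fields, flags = {}, set()
    for tok in OPT_RE.sub("", line).split():
        if "=" in tok:
            k, v = tok.split("=", 1); fields[k] = v
        elif tok in TCP_FLAGS:
            flags.add(tok)
    return fields, flags, opts

def decode_tcp_options(opts):
    """Walk the TCP option TLVs that --log-tcp-options dumps as hex."""
    out, i = [], 0
    while i < len(opts) and opts[i] != 0:          # kind 0 = EOL
        kind = opts[i]
        if kind == 1:                               # NOP: one byte, no length
            out.append(("NOP", None)); i += 1; continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2 or i + length > len(opts):    # malformed or truncated
            break
        body = opts[i + 2:i + length]
        if kind == 2:
            out.append(("MSS", int.from_bytes(body, "big")))
        elif kind == 3:
            out.append(("WSCALE", body[0]))
        elif kind == 4:
            out.append(("SACK_PERM", None))
        elif kind == 8:
            out.append(("TS", (int.from_bytes(body[:4], "big"),
                               int.from_bytes(body[4:], "big"))))
        else:
            out.append((f"KIND{kind}", body.hex()))
        i += length
    return out

def is_plausible_new_flow(fields, flags, opts):
    """Bare SYN with LEN = 40 (IPv6) + 20 (TCP) + options: conntrack should say NEW."""
    return "SYN" in flags and not flags & {"ACK", "RST", "FIN"} \
        and int(fields["LEN"]) == 60 + len(opts)
```

Running it over the sample yields MSS 1220, SACK permitted, a timestamp option, a NOP and window scale 2, with LEN=80 matching 40+20+20; a packet like that landing in INVALID points at conntrack not running for IPv6 at all rather than at a malformed packet.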

