On 22/08/2017 16:42, Walter H. wrote:
Hello,
I have these rules at the beginning of /etc/sysconfig/ip6tables

# Filter all packets with state INVALID
-A INPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP

and at the bottom these rules:

# Log all other
-A INPUT -j LOG --log-prefix "IPv6[IN]: " --log-level 7
-A FORWARD -j LOG --log-prefix "IPv6[FWD]: " --log-level 7
-A OUTPUT -j LOG --log-prefix "IPv6[OUT]: " --log-level 7

Which rule would have caught these logged packets:

[70223.386265] IPv6[FWD]: IN=sit1 OUT=br0 SRC=2a00:1450:4001:081a:0000:0000:0000:200e DST=myipv6addr LEN=123 TC=0 HOPLIMIT=60 FLOWLBL=617912 PROTO=TCP SPT=443 DPT=59073 WINDOW=1171 RES=0x00 ACK PSH URGP=0
[70232.150311] IPv6[FWD]: IN=sit1 OUT=br0 SRC=2a00:1450:4001:081a:0000:0000:0000:200e DST=myipv6addr LEN=123 TC=0 HOPLIMIT=60 FLOWLBL=949795 PROTO=TCP SPT=443 DPT=59073 WINDOW=1171 RES=0x00 ACK PSH URGP=0
[70249.740932] IPv6[FWD]: IN=sit1 OUT=br0 SRC=2a00:1450:4001:081a:0000:0000:0000:200e DST=myipv6addr LEN=123 TC=0 HOPLIMIT=60 FLOWLBL=811062 PROTO=TCP SPT=443 DPT=59073 WINDOW=1171 RES=0x00 ACK PSH URGP=0
Those logged packets are from packets traversing your filter FORWARD chain. Obviously no rule is matching, which is why it's triggering the last rule, which is
-A FORWARD -j LOG --log-prefix "IPv6[FWD]: " --log-level 7
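As an added example, not code from the thread: a small Python parser for ip6tables LOG lines like the ones quoted above. It maps the --log-prefix back to the chain whose catch-all LOG rule fired, splits the KEY=VALUE fields from the bare TCP flag tokens (ACK, PSH), and gives a one-line triage summary. The FORWARD sample is taken from the question; the INPUT sample and the prefix-to-chain map are assumptions based on the quoted ruleset.

```python
import re

# Constructed sample: the first line quoted in the question plus an assumed
# INPUT-chain hit (empty OUT= is what the kernel logs for local delivery).
SAMPLE_LOG = """\
[70223.386265] IPv6[FWD]: IN=sit1 OUT=br0 SRC=2a00:1450:4001:081a:0000:0000:0000:200e DST=myipv6addr LEN=123 TC=0 HOPLIMIT=60 FLOWLBL=617912 PROTO=TCP SPT=443 DPT=59073 WINDOW=1171 RES=0x00 ACK PSH URGP=0
[70300.000000] IPv6[IN]: IN=br0 OUT= SRC=fe80:0000:0000:0000:0000:0000:0000:0001 DST=myipv6addr LEN=64 TC=0 HOPLIMIT=255 PROTO=ICMPv6 TYPE=135 CODE=0
"""

# The --log-prefix strings from the three catch-all rules at the bottom of the
# ruleset, keyed back to the chain that carries them (assumed from the post).
PREFIX_TO_CHAIN = {"IPv6[IN]: ": "INPUT", "IPv6[FWD]: ": "FORWARD", "IPv6[OUT]: ": "OUTPUT"}

LINE_RE = re.compile(r"^\[\s*(?P<ts>[\d.]+)\]\s+(?P<prefix>IPv6\[[A-Z]+\]: )(?P<rest>.*)$")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_log_line(line):
    """Split one netfilter LOG line into a dict of fields plus a set of TCP flags."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": float(m.group("ts")), "prefix": m.group("prefix"), "flags": set()}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, val = tok.split("=", 1)   # "OUT=" yields an empty string
            rec[key] = val
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)        # flags are logged as bare words
    rec["chain"] = PREFIX_TO_CHAIN.get(rec["prefix"], "UNKNOWN")
    return rec


def logging_rule(rec):
    """Reconstruct the catch-all rule that produced this record."""
    return f'-A {rec["chain"]} -j LOG --log-prefix "{rec["prefix"]}" --log-level 7'


def describe(rec):
    """Chain, interfaces, endpoints, and whether a TCP segment opens a connection."""
    kind = "non-TCP"
    if rec.get("PROTO") == "TCP":
        kind = "TCP SYN (new connection)" if rec["flags"] == {"SYN"} else "TCP mid-stream segment (no SYN)"
    return (f'{rec["chain"]}: {rec.get("IN") or "-"} -> {rec.get("OUT") or "-"} '
            f'{rec.get("SRC")}:{rec.get("SPT", "-")} -> {rec.get("DST")}:{rec.get("DPT", "-")} {kind}')


def parse_all(text):
    """Parse every recognisable line of a log excerpt."""
    return [r for r in (parse_log_line(l) for l in text.splitlines()) if r]


if __name__ == "__main__":
    for rec in parse_all(SAMPLE_LOG):
        print(describe(rec), "| logged by:", logging_rule(rec))
```

A mid-stream segment (ACK PSH, no SYN) reaching the catch-all means nothing earlier in FORWARD accepted it, so the summary points you at which chain's earlier rules to inspect.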