bugzilla-daemon at bugzilla.netfilter.org
2011-Aug-29 03:04 UTC
[Bug 742] New: ip6tables "-m iprange" ipv6 range detection
http://bugzilla.netfilter.org/show_bug.cgi?id=742

Summary: ip6tables "-m iprange" ipv6 range detection
Product: netfilter/iptables
Version: linux-2.6.x
Platform: x86_64
OS/Version: SuSE Linux
Status: NEW
Severity: critical
Priority: P5
Component: ip6_tables (kernel)
AssignedTo: netfilter-buglog at lists.netfilter.org
ReportedBy: mailxiening at gmail.com
Estimated Hours: 0.0

I am using ip6tables to allow/disallow connections from clients with specific IP addresses. My client's IPv6 address is "fe80::e91b:befe:97dc:9df5". "-m iprange --src-range" detects whether the client is in or out of the specified range as follows.

I create the rules and set a log prefix:

ip6tables -I INPUT -m iprange --src-range 1000::0-ffff::0 -j LOG --log-level 7 --log-prefix "1000"
ip6tables -I INPUT -m iprange --src-range 2000::0-ffff::0 -j LOG --log-level 7 --log-prefix "2000"
ip6tables -I INPUT -m iprange --src-range 3000::0-ffff::0 -j LOG --log-level 7 --log-prefix "3000"
ip6tables -I INPUT -m iprange --src-range 4000::0-ffff::0 -j LOG --log-level 7 --log-prefix "4000"
ip6tables -I INPUT -m iprange --src-range 5000::0-ffff::0 -j LOG --log-level 7 --log-prefix "5000"
ip6tables -I INPUT -m iprange --src-range 6000::0-ffff::0 -j LOG --log-level 7 --log-prefix "6000"
ip6tables -I INPUT -m iprange --src-range 7000::0-ffff::0 -j LOG --log-level 7 --log-prefix "7000"
ip6tables -I INPUT -m iprange --src-range 8000::0-ffff::0 -j LOG --log-level 7 --log-prefix "8000"
ip6tables -I INPUT -m iprange --src-range 9000::0-ffff::0 -j LOG --log-level 7 --log-prefix "9000"
ip6tables -I INPUT -m iprange --src-range a000::0-ffff::0 -j LOG --log-level 7 --log-prefix "a000"
ip6tables -I INPUT -m iprange --src-range b000::0-ffff::0 -j LOG --log-level 7 --log-prefix "b000"
ip6tables -I INPUT -m iprange --src-range c000::0-ffff::0 -j LOG --log-level 7 --log-prefix "c000"
ip6tables -I INPUT -m iprange --src-range d000::0-ffff::0 -j LOG --log-level 7 --log-prefix "d000"
ip6tables -I INPUT -m iprange --src-range e000::0-ffff::0 -j LOG --log-level 7 --log-prefix "e000"
ip6tables -I INPUT -m iprange --src-range f000::0-ffff::0 -j LOG --log-level 7 --log-prefix "f000"

In the log file /var/log/firewall on openSUSE 11.1, the log for one connection request is:

Aug 28 20:01:46 alpine5 kernel: f000IN=eth0 OUT= MAC=00:21:5e:4e:9c:60:00:25:90:10:86:8d:86:dd SRC=fe80:0000:0000:0000:e91b:befe:97dc:9df5 DST=fe80:0000:0000:0000:0221:5eff:fe4e:9c60 LEN=72 TC=0 HOPLIMIT=128 FLOWLBL=0 PROTO=TCP SPT=59113 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0
Aug 28 20:01:46 alpine5 kernel: e000IN=eth0 OUT= MAC=00:21:5e:4e:9c:60:00:25:90:10:86:8d:86:dd SRC=fe80:0000:0000:0000:e91b:befe:97dc:9df5 DST=fe80:0000:0000:0000:0221:5eff:fe4e:9c60 LEN=72 TC=0 HOPLIMIT=128 FLOWLBL=0 PROTO=TCP SPT=59113 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0
Aug 28 20:01:46 alpine5 kernel: d000IN=eth0 OUT= MAC=00:21:5e:4e:9c:60:00:25:90:10:86:8d:86:dd SRC=fe80:0000:0000:0000:e91b:befe:97dc:9df5 DST=fe80:0000:0000:0000:0221:5eff:fe4e:9c60 LEN=72 TC=0 HOPLIMIT=128 FLOWLBL=0 PROTO=TCP SPT=59113 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0
Aug 28 20:01:46 alpine5 kernel: c000IN=eth0 OUT= MAC=00:21:5e:4e:9c:60:00:25:90:10:86:8d:86:dd SRC=fe80:0000:0000:0000:e91b:befe:97dc:9df5 DST=fe80:0000:0000:0000:0221:5eff:fe4e:9c60 LEN=72 TC=0 HOPLIMIT=128 FLOWLBL=0 PROTO=TCP SPT=59113 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0
Aug 28 20:01:46 alpine5 kernel: b000IN=eth0 OUT= MAC=00:21:5e:4e:9c:60:00:25:90:10:86:8d:86:dd SRC=fe80:0000:0000:0000:e91b:befe:97dc:9df5 DST=fe80:0000:0000:0000:0221:5eff:fe4e:9c60 LEN=72 TC=0 HOPLIMIT=128 FLOWLBL=0 PROTO=TCP SPT=59113 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0
Aug 28 20:01:46 alpine5 kernel: a000IN=eth0 OUT= MAC=00:21:5e:4e:9c:60:00:25:90:10:86:8d:86:dd SRC=fe80:0000:0000:0000:e91b:befe:97dc:9df5 DST=fe80:0000:0000:0000:0221:5eff:fe4e:9c60 LEN=72 TC=0 HOPLIMIT=128 FLOWLBL=0 PROTO=TCP SPT=59113 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0
Aug 28 20:01:46 alpine5 kernel: 9000IN=eth0 OUT= MAC=00:21:5e:4e:9c:60:00:25:90:10:86:8d:86:dd SRC=fe80:0000:0000:0000:e91b:befe:97dc:9df5 DST=fe80:0000:0000:0000:0221:5eff:fe4e:9c60 LEN=72 TC=0 HOPLIMIT=128 FLOWLBL=0 PROTO=TCP SPT=59113 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0
Aug 28 20:01:46 alpine5 kernel: 8000IN=eth0 OUT= MAC=00:21:5e:4e:9c:60:00:25:90:10:86:8d:86:dd SRC=fe80:0000:0000:0000:e91b:befe:97dc:9df5 DST=fe80:0000:0000:0000:0221:5eff:fe4e:9c60 LEN=72 TC=0 HOPLIMIT=128 FLOWLBL=0 PROTO=TCP SPT=59113 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0

This means the firewall detects that the client IP address fe80::e91b:befe:97dc:9df5 is in 8000::0-ffff::0, 9000::0-ffff::0, a000::0-ffff::0, b000::0-ffff::0, c000::0-ffff::0, d000::0-ffff::0, e000::0-ffff::0, f000::0-ffff::0 and is out of 1000::0-ffff::0, 2000::0-ffff::0, 3000::0-ffff::0, 4000::0-ffff::0, 5000::0-ffff::0, 6000::0-ffff::0, 7000::0-ffff::0.

What is the algorithm used to detect the range, and how can I set ip6tables so that the client address is detected as being in all the ranges?

A similar test indicates the client IP address is in:
7fff::0-ffff::0, 8fff::0-ffff::0, 9fff::0-ffff::0, afff::0-ffff::0, bfff::0-ffff::0, cfff::0-ffff::0, dfff::0-ffff::0, efff::0-ffff::0, 7fff::0-ffff::0, 7eff::0-ffff::0

and is out of:
0fff::0-ffff::0, 1fff::0-ffff::0, 2fff::0-ffff::0, 3fff::0-ffff::0, 4fff::0-ffff::0, 5fff::0-ffff::0, 6fff::0-ffff::0, 7dff::0-ffff::0, 7cff::0-ffff::0, 7bff::0-ffff::0, 7aff::0-ffff::0, 79ff::0-ffff::0, 78ff::0-ffff::0, 77ff::0-ffff::0, 76ff::0-ffff::0, 75ff::0-ffff::0, 74ff::0-ffff::0, 73ff::0-ffff::0, 72ff::0-ffff::0, 71ff::0-ffff::0, 70ff::0-ffff::0

Best regards.
ning

--
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching all bug changes.
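The report asks what algorithm decides "in" or "out". The kernel source is not quoted anywhere in this thread, so what follows is an added example, not code from the report and not the xt_iprange module itself. It compares the two addresses word by word in two ways: the first reads the sign bit of a 32-bit subtraction as "smaller than" (my assumption about the pre-fix behaviour, chosen because it reproduces every in/out result listed above, including the 7dff/7eff boundary: 0xfe80 - 0x7eff = 0x7f81 keeps the sign bit clear, 0xfe80 - 0x7dff = 0x8081 sets it); the second compares the words as unsigned integers, which is the behaviour a range match should have. The client address and the fifteen rule ranges are the ones from the report.

```c
/* Added example, not code from the bug report or from the netfilter tree.
 * It models the in/out pattern from the report with two word-by-word IPv6
 * comparisons: one that reads the sign bit of a 32-bit subtraction (an
 * assumption about the pre-fix kernel, made because it reproduces every
 * result in the report), and one that compares the words as unsigned
 * values, which is what --src-range should do. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>

typedef int (*cmp_fn)(const uint32_t *a, const uint32_t *b);

/* Overflow-prone compare: the 32-bit difference wraps and its sign bit is
 * taken to mean "a < b".  0xfe800000 - 0x10000000 = 0xee800000 has the sign
 * bit set, so fe80::... is judged smaller than 1000::0, while
 * 0xfe800000 - 0x80000000 = 0x7e800000 does not, so it is judged larger
 * than 8000::0.  That is exactly the boundary the report observed. */
static int cmp_signed_sub(const uint32_t *a, const uint32_t *b)
{
    for (int i = 0; i < 4; i++) {
        uint32_t d = ntohl(a[i]) - ntohl(b[i]);   /* wraps modulo 2^32 */
        if (d != 0)
            return (d & 0x80000000u) ? -1 : 1;    /* sign bit decides */
    }
    return 0;
}

/* Correct compare: unsigned, most significant word first. */
static int cmp_unsigned(const uint32_t *a, const uint32_t *b)
{
    for (int i = 0; i < 4; i++) {
        uint32_t x = ntohl(a[i]), y = ntohl(b[i]);
        if (x != y)
            return x < y ? -1 : 1;
    }
    return 0;
}

/* Parse textual IPv6 into four network-order 32-bit words. */
static int parse6(const char *text, uint32_t out[4])
{
    struct in6_addr a;
    if (inet_pton(AF_INET6, text, &a) != 1)
        return 0;
    memcpy(out, &a, sizeof a);
    return 1;
}

/* --src-range lo-hi semantics: match unless src < lo or src > hi.
 * Returns 1 for a match, 0 for no match, -1 if an address does not parse. */
static int in_range(cmp_fn cmp, const char *src, const char *lo, const char *hi)
{
    uint32_t s[4], l[4], h[4];
    if (!parse6(src, s) || !parse6(lo, l) || !parse6(hi, h))
        return -1;
    if (cmp(s, l) < 0 || cmp(s, h) > 0)
        return 0;
    return 1;
}

/* The fifteen rules from the report, --src-range X000::0-ffff::0 for
 * X = 1..f.  Bit (X-1) of the result is set when rule X matches src. */
static unsigned range_mask(cmp_fn cmp, const char *src)
{
    unsigned mask = 0;
    char lo[16];
    for (unsigned x = 1; x <= 15; x++) {
        snprintf(lo, sizeof lo, "%x000::0", x);
        if (in_range(cmp, src, lo, "ffff::0") == 1)
            mask |= 1u << (x - 1);
    }
    return mask;
}

int main(void)
{
    const char *client = "fe80::e91b:befe:97dc:9df5";   /* from the report */
    printf("sign-bit compare:  matched rules 0x%04x\n",
           range_mask(cmp_signed_sub, client));     /* 0x7f80: 8000..f000 only */
    printf("unsigned compare:  matched rules 0x%04x\n",
           range_mask(cmp_unsigned, client));       /* 0x7fff: all fifteen */
    printf("7eff::0-ffff::0 -> %d, 7dff::0-ffff::0 -> %d (sign-bit compare)\n",
           in_range(cmp_signed_sub, client, "7eff::0", "ffff::0"),
           in_range(cmp_signed_sub, client, "7dff::0", "ffff::0"));
    return 0;
}
```

With the sign-bit compare a range is misjudged whenever the first 32-bit word of the source and of the range's lower bound differ by 0x80000000 or more, so the outcome depends on the pair of addresses rather than on the range alone. The practical consequence for a deny rule built on --src-range is that it can silently not match on an affected kernel; checking the match with a LOG rule, as the report does, is the right way to confirm what the running kernel actually decides.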
bugzilla-daemon at bugzilla.netfilter.org
2011-Sep-03 13:19 UTC
[Bug 742] ip6tables "-m iprange" ipv6 range detection
http://bugzilla.netfilter.org/show_bug.cgi?id=742

Jan Engelhardt <jengelh at medozas.de> changed:

           What    |Removed                                |Added
----------------------------------------------------------------------------
                 CC|                                       |jengelh at medozas.de
         AssignedTo|netfilter-buglog at lists.netfilter.org  |jengelh at medozas.de

--- Comment #1 from Jan Engelhardt <jengelh at medozas.de> 2011-09-03 15:19:50 ---
openSUSE 11.1 is no longer a supported version. The bug was fixed in commit v2.6.37-3906-g08b5194 (for 2.6.38), so unfortunately it persists across openSUSE 11.4. You probably need to talk to the bugzilla people there, but somehow I do not expect them to do an update just because of this one patch. You could use the 3.0 kernel from OBS in the interim, though I do not know how that fares with 11.1 (works ok in 11.4).
bugzilla-daemon at bugzilla.netfilter.org
2011-Sep-03 13:20 UTC
[Bug 742] ip6tables "-m iprange" ipv6 range detection
http://bugzilla.netfilter.org/show_bug.cgi?id=742

Jan Engelhardt <jengelh at medozas.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED