Hey,

I have a setup that has one machine communicating to a server using UDP over IPv6. For specifics, it is using collectd with a boosted MaxPacketSize in the network config.

What this means is there is some IP fragmentation happening, and that is getting REJECTed. My policy is to REJECT, and I have an ALLOW for the particular communication I want. What I'm getting in my logs is (I've logged the ACCEPT rule for clarity):

Dec 4 16:11:19 xxxx kernel: [67682.239124] Shorewall:int2dmz:ACCEPT:IN=br1 OUT=br0 SRC=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=1496 TC=0 HOPLIMIT=63 FLOWLBL=0 FRAG:0 INCOMPLETE ID:56a39152 PROTO=UDP SPT=37801 DPT=25826 LEN=1905
Dec 4 16:11:19 xxxx kernel: [67682.239148] Shorewall:int2dmz:REJECT:IN=br1 OUT=br0 SRC=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=505 TC=0 HOPLIMIT=63 FLOWLBL=0 FRAG:1448 ID:56a39152 PROTO=UDP

The rule I have is:
ACCEPT:info int:br1:[xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx] \
            dmz:br0:[xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx] \
            udp 25826

Does anyone have any ideas on how I can ALLOW this fragmentation?

May be a red herring, but if I go over IPv4, I don't get the same REJECT, and it appears the data is getting sent.

Many thanks for any responses.

Cheers,

Hugh

------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
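The two log lines above are the whole story: the first fragment (FRAG:0) carries the UDP header, so SPT/DPT are present and the `udp 25826` rule matches it; the second fragment (FRAG:1448) has no transport header at all, so no port-based rule can ever match it and it falls through to the REJECT policy. The following script is an added example, not code from this thread or from Shorewall. It parses Shorewall/ip6tables LOG lines in the format shown in the post, groups them by IPv6 fragment ID, and reports fragment sets whose first fragment was accepted while a later fragment was rejected, so an admin can spot this failure mode in a log archive rather than by eye. The sample lines are constructed (the anonymised addresses are replaced with RFC 3849 documentation addresses) and the function names are my own.

```python
"""Correlate Shorewall/ip6tables LOG lines by IPv6 fragment ID and flag
fragment sets whose first fragment was ACCEPTed but whose non-first
fragments were REJECTed (added example, not from the thread or Shorewall)."""
import re
from collections import defaultdict

# Constructed sample modelled on the post's log lines; addresses are
# RFC 3849 documentation prefixes, not real hosts.
SAMPLE_LOG = """\
Dec  4 16:11:19 fw kernel: [67682.239124] Shorewall:int2dmz:ACCEPT:IN=br1 OUT=br0 SRC=2001:db8:1::10 DST=2001:db8:2::20 LEN=1496 TC=0 HOPLIMIT=63 FLOWLBL=0 FRAG:0 INCOMPLETE ID:56a39152 PROTO=UDP SPT=37801 DPT=25826 LEN=1905
Dec  4 16:11:19 fw kernel: [67682.239148] Shorewall:int2dmz:REJECT:IN=br1 OUT=br0 SRC=2001:db8:1::10 DST=2001:db8:2::20 LEN=505 TC=0 HOPLIMIT=63 FLOWLBL=0 FRAG:1448 ID:56a39152 PROTO=UDP
Dec  4 16:11:20 fw kernel: [67683.104512] Shorewall:int2dmz:ACCEPT:IN=br1 OUT=br0 SRC=2001:db8:1::10 DST=2001:db8:2::20 LEN=84 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=UDP SPT=37801 DPT=25826 LEN=76
"""

# Shorewall log prefix is "Shorewall:<chain>:<verdict>:" followed by the
# kernel's key=value (or FRAG:/ID: key:value) fields.
HEADER_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<verdict>[A-Z]+):(?P<rest>.*)")
TOKEN_RE = re.compile(r"(\w+)[=:](\S+)")


def parse_line(line):
    """Return a dict for one Shorewall LOG line, or None for any other line."""
    m = HEADER_RE.search(line)
    if m is None:
        return None
    rest = m.group("rest")
    rec = {"chain": m.group("chain"), "verdict": m.group("verdict"),
           "incomplete": "INCOMPLETE" in rest.split()}
    lens = []
    for key, value in TOKEN_RE.findall(rest):
        if key == "LEN":      # first LEN is the IPv6 payload, second the UDP length
            lens.append(int(value))
        else:
            rec[key] = value  # IN, OUT, SRC, DST, FRAG, ID, PROTO, SPT, DPT, ...
    rec["ip_len"] = lens[0] if lens else None
    rec["l4_len"] = lens[1] if len(lens) > 1 else None
    # FRAG:<offset> only appears when a Fragment extension header was seen;
    # offset 0 is the first fragment, which is the only one carrying ports.
    rec["frag_offset"] = int(rec["FRAG"]) if "FRAG" in rec else None
    return rec


def find_orphaned_fragments(lines):
    """Group records by (SRC, DST, fragment ID); report sets whose first
    fragment passed a port rule while a non-first fragment hit REJECT/DROP."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec.get("ID"):
            groups[(rec["SRC"], rec["DST"], rec["ID"])].append(rec)

    findings = []
    for (src, dst, frag_id), recs in groups.items():
        first_ok = any(r["frag_offset"] == 0 and r["verdict"] == "ACCEPT" for r in recs)
        rejected = sorted(r["frag_offset"] for r in recs
                          if r["frag_offset"] and r["verdict"] in ("REJECT", "DROP"))
        if first_ok and rejected:
            findings.append({
                "id": frag_id, "src": src, "dst": dst,
                "rejected_offsets": rejected,
                # Non-first fragments never carry DPT, which is why the port
                # rule cannot match them; this confirms it from the log itself.
                "ports_seen_on_tail": any("DPT" in r for r in recs if r["frag_offset"]),
            })
    return findings


if __name__ == "__main__":
    for f in find_orphaned_fragments(SAMPLE_LOG.splitlines()):
        print(f"fragment set {f['id']} {f['src']} -> {f['dst']}: first fragment "
              f"accepted, offsets {f['rejected_offsets']} rejected (tail has ports: "
              f"{f['ports_seen_on_tail']})")
```

Run it against a copy of /var/log/kern.log (or journalctl -k output) to list every fragmented datagram that lost its tail to the policy. Because the rejected fragment carries no port, the fix is not a wider port rule but working fragment reassembly in the kernel before the filter rules run, which is the point of Tom's reply below; until then the IPv4 path the poster mentions is the pragmatic workaround.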
On 12/3/12 7:19 PM, Hugh Davenport wrote:
> Hey,
>
> I have a setup that has one machine communicating to a server using UDP
> over IPv6. For specifics, it is using collectd with a boosted
> MaxPacketSize in the network config.
>
> What this means is there is some IP fragmentation happening, and that
> is getting REJECTed. My policy is to REJECT, and I have an ALLOW for the
> particular communication I want. What I'm getting in my logs is (I've
> logged the ACCEPT rule for clarity):
>
> Dec 4 16:11:19 xxxx kernel: [67682.239124]
> Shorewall:int2dmz:ACCEPT:IN=br1 OUT=br0
> SRC=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
> DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=1496 TC=0 HOPLIMIT=63
> FLOWLBL=0 FRAG:0 INCOMPLETE ID:56a39152 PROTO=UDP SPT=37801 DPT=25826
> LEN=1905
> Dec 4 16:11:19 xxxx kernel: [67682.239148]
> Shorewall:int2dmz:REJECT:IN=br1 OUT=br0
> SRC=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
> DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=505 TC=0 HOPLIMIT=63
> FLOWLBL=0 FRAG:1448 ID:56a39152 PROTO=UDP
>
> The rule I have is:
> ACCEPT:info int:br1:[xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx] \
>             dmz:br0:[xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx] \
>             udp 25826
>
> Does anyone have any ideas on how I can ALLOW this fragmentation?

As I understand the traffic on Netfilter-devel, unless you are running a recent 3.5+ kernel, IPv6 fragment handling is quite broken in Netfilter.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On 2012-12-04 16:51, Tom Eastep wrote:
> On 12/3/12 7:19 PM, Hugh Davenport wrote:
>> Hey,
>>
>> I have a setup that has one machine communicating to a server using UDP
>> over IPv6. For specifics, it is using collectd with a boosted
>> MaxPacketSize in the network config.
>>
>> What this means is there is some IP fragmentation happening, and that
>> is getting REJECTed. My policy is to REJECT, and I have an ALLOW for the
>> particular communication I want. What I'm getting in my logs is (I've
>> logged the ACCEPT rule for clarity):
>>
>> Dec 4 16:11:19 xxxx kernel: [67682.239124]
>> Shorewall:int2dmz:ACCEPT:IN=br1 OUT=br0
>> SRC=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
>> DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=1496 TC=0 HOPLIMIT=63
>> FLOWLBL=0 FRAG:0 INCOMPLETE ID:56a39152 PROTO=UDP SPT=37801 DPT=25826
>> LEN=1905
>> Dec 4 16:11:19 xxxx kernel: [67682.239148]
>> Shorewall:int2dmz:REJECT:IN=br1 OUT=br0
>> SRC=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
>> DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=505 TC=0 HOPLIMIT=63
>> FLOWLBL=0 FRAG:1448 ID:56a39152 PROTO=UDP
>>
>> The rule I have is:
>> ACCEPT:info int:br1:[xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx] \
>>             dmz:br0:[xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx] \
>>             udp 25826
>>
>> Does anyone have any ideas on how I can ALLOW this fragmentation?
>
> As I understand the traffic on Netfilter-devel, unless you are running a
> recent 3.5+ kernel, IPv6 fragment handling in IPv6 is quite broken in
> Netfilter.

Awesome, thanks for that, will look forward to a future kernel upgrade and use IPv4 in the mean time ;)

Cheers,

Hugh

> -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users