Hey,
I have a setup that has one machine communicating to a server using UDP
over IPv6. For specifics, it is using collectd with a boosted
MaxPacketSize in the network config.
What this means is there is some IP fragmentation happening, and that
is getting REJECTed. My policy is to REJECT, and I have an ALLOW for the
particular communication I want. What I''m getting in my logs is
(I''ve
logged the ACCEPT rule for clarity):
Dec 4 16:11:19 xxxx kernel: [67682.239124]
Shorewall:int2dmz:ACCEPT:IN=br1 OUT=br0
SRC=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=1496 TC=0 HOPLIMIT=63
FLOWLBL=0 FRAG:0 INCOMPLETE ID:56a39152 PROTO=UDP SPT=37801 DPT=25826
LEN=1905
Dec 4 16:11:19 xxxx kernel: [67682.239148]
Shorewall:int2dmz:REJECT:IN=br1 OUT=br0
SRC=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=505 TC=0 HOPLIMIT=63
FLOWLBL=0 FRAG:1448 ID:56a39152 PROTO=UDP
The rule I have is:
ACCEPT:info int:br1:[xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx] \
dmz:br0:[xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx] \
udp 25826
Does anyone have any ideas on how I can ALLOW this fragmentation?
May be a red herring, but if I go over IPv4, I don''t get the same
REJECT, and it appears the data is getting sent.
Many thanks for any responses.
Cheers,
Hugh
------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
On 12/3/12 7:19 PM, Hugh Davenport wrote:> Hey, > > I have a setup that has one machine communicating to a server using UDP > over IPv6. For specifics, it is using collectd with a boosted > MaxPacketSize in the network config. > > What this means is there is some IP fragmentation happening, and that > is getting REJECTed. My policy is to REJECT, and I have an ALLOW for the > particular communication I want. What I''m getting in my logs is (I''ve > logged the ACCEPT rule for clarity): > > Dec 4 16:11:19 xxxx kernel: [67682.239124] > Shorewall:int2dmz:ACCEPT:IN=br1 OUT=br0 > SRC=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx > DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=1496 TC=0 HOPLIMIT=63 > FLOWLBL=0 FRAG:0 INCOMPLETE ID:56a39152 PROTO=UDP SPT=37801 DPT=25826 > LEN=1905 > Dec 4 16:11:19 xxxx kernel: [67682.239148] > Shorewall:int2dmz:REJECT:IN=br1 OUT=br0 > SRC=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx > DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=505 TC=0 HOPLIMIT=63 > FLOWLBL=0 FRAG:1448 ID:56a39152 PROTO=UDP > > The rule I have is: > ACCEPT:info int:br1:[xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx] \ > > dmz:br0:[xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx] \ > udp 25826 > > > Does anyone have any ideas on how I can ALLOW this fragmentation?As I understand the traffic on Netfilter-devel, unless you are running a recent 3.5+ kernel, IPv6 fragment handling in IPv6 is quite broken in Netfilter. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial Remotely access PCs and mobile devices and provide instant support Improve your efficiency, and focus on delivering more value-add services Discover what IT Professionals Know. Rescue delivers http://p.sf.net/sfu/logmein_12329d2d
On 2012-12-04 16:51, Tom Eastep wrote:> On 12/3/12 7:19 PM, Hugh Davenport wrote: >> Hey, >> >> I have a setup that has one machine communicating to a server using >> UDP >> over IPv6. For specifics, it is using collectd with a boosted >> MaxPacketSize in the network config. >> >> What this means is there is some IP fragmentation happening, and that >> is getting REJECTed. My policy is to REJECT, and I have an ALLOW for >> the >> particular communication I want. What I''m getting in my logs is (I''ve >> logged the ACCEPT rule for clarity): >> >> Dec 4 16:11:19 xxxx kernel: [67682.239124] >> Shorewall:int2dmz:ACCEPT:IN=br1 OUT=br0 >> SRC=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx >> DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=1496 TC=0 HOPLIMIT=63 >> FLOWLBL=0 FRAG:0 INCOMPLETE ID:56a39152 PROTO=UDP SPT=37801 DPT=25826 >> LEN=1905 >> Dec 4 16:11:19 xxxx kernel: [67682.239148] >> Shorewall:int2dmz:REJECT:IN=br1 OUT=br0 >> SRC=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx >> DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=505 TC=0 HOPLIMIT=63 >> FLOWLBL=0 FRAG:1448 ID:56a39152 PROTO=UDP >> >> The rule I have is: >> ACCEPT:info int:br1:[xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx] \ >> >> dmz:br0:[xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx] \ >> udp 25826 >> >> >> Does anyone have any ideas on how I can ALLOW this fragmentation? > > As I understand the traffic on Netfilter-devel, unless you are running > a > recent 3.5+ kernel, IPv6 fragment handling in IPv6 is quite broken in > Netfilter.Awesome, thanks for that, will look forward to a future kernel upgrade and use IPv4 in the mean time ;) Cheers, Hugh> > -Tom > ------------------------------------------------------------------------------ > LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial > Remotely access PCs and mobile devices and provide instant support > Improve your efficiency, and focus on delivering more value-add > services > Discover what IT Professionals Know. Rescue delivers > http://p.sf.net/sfu/logmein_12329d2d > > _______________________________________________ > Shorewall-users mailing list > Shorewall-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/shorewall-users------------------------------------------------------------------------------ LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial Remotely access PCs and mobile devices and provide instant support Improve your efficiency, and focus on delivering more value-add services Discover what IT Professionals Know. Rescue delivers http://p.sf.net/sfu/logmein_12329d2d