bugzilla-daemon at netfilter.org
2013-Jul-26 00:12 UTC
[Bug 663] Postrouting + IPsec + IPv6
https://bugzilla.netfilter.org/show_bug.cgi?id=663

Phil Oester <netfilter at linuxace.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Status    |NEW                         |RESOLVED
     Resolution    |                            |INVALID

--- Comment #3 from Phil Oester <netfilter at linuxace.com> 2013-07-26 02:12:18 CEST ---

After spending many hours getting strongswan set up to match your config, I am not able to reproduce the issue on a 3.10 kernel. The IPv6 logs look normal:

Jul 25 16:53:15 f19_main kernel: [ 1274.377650] IN= OUT=eth2 SRC=5857:0000:0000:0000:0000:0000:0000:0129 DST=fe80:0000:0000:0000:020c:29ff:fe5e:71b2 LEN=64 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=136 CODE=0

But what you are doing (default DROP policy in the POSTROUTING chain of the mangle table) is NOT recommended. For instance, I can see from your rules that you don't permit ICMPv6 packets from the link-local addresses. How exactly do you expect the VPN gateway to find its neighbors? I'm surprised this setup works at all.

Please utilize the FORWARD chain of the filter table for filtering packets being routed through your gateway.

Closing.

-- 
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
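To make the shape of the recommendation in comment #3 concrete, the following added example (not the reporter's ruleset and not code from the netfilter project) emits two ip6tables-restore style rule sets side by side: the not-recommended one, a default DROP policy in the mangle table's POSTROUTING chain, which also swallows the gateway's own neighbour advertisements (the ICMPv6 type 136 to fe80::/10 seen in the log line above), and the recommended one, where neighbour discovery is permitted on INPUT and the routing policy lives in the filter table's FORWARD chain. The interface names, the IKE ports and the use of the conntrack and policy matches for IPsec-decapsulated traffic are assumptions made for the example; the ICMPv6 types are the standard neighbour discovery messages (RS 133, RA 134, NS 135, NA 136).

```shell
#!/bin/sh
# Added example: generates ip6tables-restore text for the two approaches
# discussed in the bug. Nothing is applied; the output is meant to be
# piped into `ip6tables-restore --test` and reviewed first.

# Assumed interface names (not from the bug report).
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth2}"

# Not recommended: a default DROP in mangle POSTROUTING. POSTROUTING sees
# both forwarded and locally generated packets, so the gateway's own
# neighbour solicitations/advertisements are dropped unless listed.
mangle_postrouting_ruleset() {
  cat <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING DROP [0:0]
-A POSTROUTING -p esp -j ACCEPT
COMMIT
EOF
}

# Recommended: filter table. INPUT permits neighbour discovery from
# link-local sources (hop limit 255, as NDP requires), OUTPUT is left
# open, and FORWARD holds the policy for traffic crossing the gateway.
filter_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Neighbour discovery: router solicitation/advertisement, neighbour
# solicitation/advertisement from link-local peers.
-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# IKE (500/udp), NAT-T (4500/udp) and ESP to the gateway itself (assumed).
-A INPUT -i $WAN_IF -p udp --dport 500 -j ACCEPT
-A INPUT -i $WAN_IF -p udp --dport 4500 -j ACCEPT
-A INPUT -i $WAN_IF -p esp -j ACCEPT
# Forwarded traffic: replies to known flows, traffic that arrived inside an
# IPsec SA, and LAN traffic that will leave inside an IPsec SA.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN_IF -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -m policy --dir out --pol ipsec --proto esp -j ACCEPT
COMMIT
EOF
}

# Check helper: exit 0 when the ruleset on stdin accepts neighbour
# solicitation or advertisement from link-local sources, 1 otherwise.
ndp_allowed() {
  grep -q -- '-s fe80::/10 -p ipv6-icmp --icmpv6-type 13[56].* -j ACCEPT'
}

# Check helper: exit 0 when the FORWARD chain carries the DROP policy.
forward_policy_is_drop() {
  grep -q '^:FORWARD DROP'
}

case "${1:-}" in
  --mangle) mangle_postrouting_ruleset ;;
  --filter) filter_ruleset ;;
esac
```

Run `sh ruleset.sh --filter | ip6tables-restore --test` to have ip6tables parse the output without committing it, and `sh ruleset.sh --mangle | sh ruleset.sh` style checks can be replaced by sourcing the file and calling `ndp_allowed` on either generator to see which one leaves neighbour discovery intact.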