netfilter buglog - Jan 2009 - [Bug 567] New: Local multicast ICMPv6 and --state INVALID

http://bugzilla.netfilter.org/show_bug.cgi?id=567

           Summary: Local multicast ICMPv6 and --state INVALID
           Product: netfilter/iptables
           Version: linux-2.6.x
          Platform: All
        OS/Version: Ubuntu
            Status: NEW
          Severity: blocker
          Priority: P1
         Component: unknown
        AssignedTo: laforge at netfilter.org
        ReportedBy: vstinner at inl.fr


Hi,

I'm trying to setup strict INPUT firewall rules on my computer but I have a
problem with IPv6: multicast ICMPv6 packets are dropped because they are
detected as invalid. Example:

  ip6tables -A INPUT  -m state --state INVALID -j LOG --log-prefix "Drop
INVALID INPUT"
  ip6tables -A OUTPUT -m state --state INVALID -j LOG --log-prefix "Drop
INVALID OUTPUT"

Example of dropped packets:

Jan  9 15:31:32 lisa kernel: [5169594.063033] Drop INVALID INPUT IN=eth0
OUTMAC=33:33:00:00:00:01:00:07:cb:3c:ed:d8:86:dd
SRC=fe80:0000:0000:0000:0207:cbff:fe3c:edd8
DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=144 TC=0 HOPLIMIT=255 FLOWLBL=0
PROTO=ICMPv6 TYPE=134 CODE=0

Jan  9 15:31:33 lisa kernel: [5169595.352014] Drop INVALID OUTPUT IN= OUT=eth0
SRC=fe80:0000:0000:0000:0221:85ff:fe11:6da0
DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=76 TC=0 HOPLIMIT=1 FLOWLBL=0
PROTO=ICMPv6 TYPE=143 CODE=0

The first packet is a Router advertisement (ICMPv6 type 134) sent by my
Internet box (Freebox) to my computer. The second packet is a Multicast
Listener Report Message v2 (ICMPv6 type 143) send by my computer to the local
multicast group. Addresses ff02::1 and ff02::16 part of ff02::/112, multicast
with scope=2 (link).

I tested on:
 - Ubuntu Gutsy, kernel 2.6.22, i386, ip6tables 1.3.6
 - Ubuntu Ibex, kernel 2.6.27, x86_64, ip6tables 1.4.0

Is it a bug? Or should I load/install an extra kernel/iptables module?

Victor Stinner
http://www.inl.fr/


-- 
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.netfilter.org/show_bug.cgi?id=567


eric at inl.fr changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
         OS/Version|Ubuntu                      |All




------- Comment #1 from eric at inl.fr  2009-01-18 13:48 -------
This is a bug. The icmpv6 connection tracking module does not support RFC 4681
and RFC 3810. I've cooked some patches fixing this and I will soon release
them.


-- 
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.netfilter.org/show_bug.cgi?id=567





------- Comment #2 from pablo at netfilter.org  2009-01-18 22:11 -------
(In reply to comment #1)
> This is a bug. The icmpv6 connection tracking module does not support RFC
4681
> and RFC 3810. I've cooked some patches fixing this and I will soon
release
> them.
Please, see:

http://marc.info/?l=netfilter-devel&m=122587864120868&w=2


-- 
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.netfilter.org/show_bug.cgi?id=567





------- Comment #3 from eric at inl.fr  2009-01-19 22:58 -------
(In reply to comment #2)
> (In reply to comment #1)
> > This is a bug. The icmpv6 connection tracking module does not support
RFC 4681
> > and RFC 3810. I've cooked some patches fixing this and I will soon
release
> > them.
> 
> Please, see:
> 
> http://marc.info/?l=netfilter-devel&m=122587864120868&w=2
My initial solution was relatively near from these mail I've missed and I
came
to a conclusion similar to Yasuyuki after some more tests of my patches. The
problem is really complicated here and I don't think even an helper could be
help because as said Yasuyuki there is no real connection. Maybe we could use a
complex invert function but it may be only an insecure workaround.


-- 
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.netfilter.org/show_bug.cgi?id=567





------- Comment #4 from vstinner at inl.fr  2009-01-20 00:22 -------
ICMPv6 types 133 (Router solicitation) and 134 (Router advertisement) are
described in the RFC 2461.


-- 
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.netfilter.org/show_bug.cgi?id=567


eric at inl.fr changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED




------- Comment #5 from eric at inl.fr  2009-01-28 13:01 -------
A patch fixing this has been applied by Patrick Mchardy to his git tree.

See http://marc.info/?l=netfilter-devel&m=123306823804829&w=2


-- 
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.