bugzilla-daemon at bugzilla.netfilter.org
2009-Jun-07 12:23 UTC
[Bug 597] New: ip6tables connlimit - cannot set CIDR greater than 32 (includes fix)
http://bugzilla.netfilter.org/show_bug.cgi?id=597

           Summary: ip6tables connlimit - cannot set CIDR greater than 32 (includes fix)
           Product: iptables
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: major
          Priority: P1
         Component: ip6tables
        AssignedTo: laforge at netfilter.org
        ReportedBy: kd6lvw at yahoo.com

(e.g.) -m connlimit --connlimit-above 1 --connlimit-mask 48

Any mask size >32 will be set as 32 for ip6tables. However, IPv6 addresses have 128 bits.

iptables-1.4.3.2/extensions/libxt_connlimit.c (lines 26-30):

static void connlimit_init(struct xt_entry_match *match)
{
	struct xt_connlimit_info *info = (void *)match->data;

	info->v4_mask = 0xFFFFFFFFUL;
}

As "v4_mask" and "v6_mask[4]" are unioned, we're only initializing the most significant 32 bits of the "v6_mask", but leaving the other 96 bits at zero (zero-filling malloc assumed).

IPv4 Mask: FFFF FFFF (OK)
IPv6 Mask: FFFF FFFF 0000 0000 0000 0000 0000 0000 (PROBLEM)

This is the state of the mask BEFORE calling prefix_to_netmask(), which for CIDRs greater than 32 will be shifting zero bits with zero bit fill - or in other words, DOING NOTHING. Since these bits are already zero, we cannot match them.

We should initialize the mask with this instead (as a "diff"):

-	info->v4_mask = 0xFFFFFFFFUL;
+	info->v6_mask[0] = 0xFFFFFFFFUL;
+	info->v6_mask[1] = 0xFFFFFFFFUL;
+	info->v6_mask[2] = 0xFFFFFFFFUL;
+	info->v6_mask[3] = 0xFFFFFFFFUL;

I have tested this fix on my system. It seems to work.

Hashlimit implements the CIDR mask differently and does not suffer from this problem.

-- 
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
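Review bot: The replacement lines change the precondition that prefix_to_netmask() sees for prefixes of 32 or less: with the old initializer v6_mask[1..3] were zero before the call, with the new one they are all-ones, so please confirm that prefix_to_netmask() explicitly clears the words below the prefix boundary (for a /24 it must zero v6_mask[1], v6_mask[2] and v6_mask[3]) rather than relying on them already being zero, otherwise an IPv6 /24 would silently become a /120. The IPv4 side is unaffected because v4_mask aliases v6_mask[0], which is still set to 0xFFFFFFFF. As a style point, the four assignments can be collapsed to a single `memset(info->v6_mask, 0xff, sizeof(info->v6_mask));`, which also covers both union members without naming either.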
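The report's argument (a mask word that starts at zero stays zero no matter how far it is shifted, so the IPv6 prefix is silently capped at 32) can be checked numerically. The following is an added C example, not code from iptables or from the reporter: the `struct connlimit_info_model` union mirrors the v4_mask/v6_mask aliasing the report describes, and `prefix_to_netmask()` is a stand-in written from the report's description of the real function (shift the pre-filled words left, zero-filling from the right), so its exact shape is an assumption. `mask_bits_buggy()` and `mask_bits_fixed()` build the mask with the original and the proposed initializer and return how many mask bits survive, i.e. the prefix length the match will really apply.

```c
/* Added example modelling bug 597; not iptables code.  The union layout
 * and prefix_to_netmask() below are assumptions based on the report. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct connlimit_info_model {
	union {
		uint32_t v4_mask;     /* IPv4 netmask */
		uint32_t v6_mask[4];  /* IPv6 netmask; word 0 aliases v4_mask */
	};
	unsigned int limit;
};

/* Stand-in for prefix_to_netmask(): for each 32-bit word, shift the
 * pre-filled ones left so that only the prefix bits remain.  A word that
 * holds zero before the shift still holds zero afterwards, which is the
 * behaviour the report calls "DOING NOTHING". */
static void prefix_to_netmask(uint32_t *mask, unsigned int prefix_len)
{
	unsigned int i;

	for (i = 0; i < 4; ++i) {
		unsigned int word_bits;  /* prefix bits that fall into word i */

		if (prefix_len >= (i + 1) * 32)
			word_bits = 32;
		else if (prefix_len > i * 32)
			word_bits = prefix_len - i * 32;
		else
			word_bits = 0;

		if (word_bits == 0)
			mask[i] = 0;
		else if (word_bits < 32)
			mask[i] <<= 32 - word_bits;  /* zero-fill from the right */
		/* word_bits == 32: word left exactly as it was */
	}
}

/* Original initializer: only the first 32-bit word is filled; the rest
 * stays at whatever the (assumed zero-filling) allocation left there. */
static void init_buggy(struct connlimit_info_model *info)
{
	memset(info, 0, sizeof *info);
	info->v4_mask = 0xFFFFFFFFUL;
}

/* Proposed initializer from the report: all four words filled. */
static void init_fixed(struct connlimit_info_model *info)
{
	memset(info, 0, sizeof *info);
	info->v6_mask[0] = 0xFFFFFFFFUL;
	info->v6_mask[1] = 0xFFFFFFFFUL;
	info->v6_mask[2] = 0xFFFFFFFFUL;
	info->v6_mask[3] = 0xFFFFFFFFUL;
}

/* Number of set bits in the final IPv6 mask = effective prefix length. */
static unsigned int effective_prefix(const struct connlimit_info_model *info)
{
	unsigned int bits = 0, i;

	for (i = 0; i < 4; ++i) {
		uint32_t w = info->v6_mask[i];
		while (w) {
			bits += w & 1;
			w >>= 1;
		}
	}
	return bits;
}

unsigned int mask_bits_buggy(unsigned int prefix_len)
{
	struct connlimit_info_model info;

	init_buggy(&info);
	prefix_to_netmask(info.v6_mask, prefix_len);
	return effective_prefix(&info);
}

unsigned int mask_bits_fixed(unsigned int prefix_len)
{
	struct connlimit_info_model info;

	init_fixed(&info);
	prefix_to_netmask(info.v6_mask, prefix_len);
	return effective_prefix(&info);
}

int main(void)
{
	const unsigned int prefixes[] = { 24, 32, 48, 64, 128 };
	unsigned int p;

	for (p = 0; p < sizeof prefixes / sizeof prefixes[0]; ++p)
		printf("--connlimit-mask %-3u  old init -> /%-3u  new init -> /%u\n",
		       prefixes[p], mask_bits_buggy(prefixes[p]),
		       mask_bits_fixed(prefixes[p]));
	return 0;
}
```

With the original initializer every prefix above 32 collapses to /32 (the `--connlimit-mask 48` from the report yields a 32-bit mask), while the proposed initializer yields the requested width; prefixes of 32 or less come out the same either way, which is why the problem only shows on IPv6 rules with masks wider than 32 bits.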
bugzilla-daemon at bugzilla.netfilter.org
2009-Jun-07 12:25 UTC
[Bug 597] ip6tables connlimit - cannot set CIDR greater than 32 (includes fix)
http://bugzilla.netfilter.org/show_bug.cgi?id=597

------- Comment #1 from kd6lvw at yahoo.com 2009-06-07 14:25 -------

Oops! Meant to say: Any mask size <32 will be ...
bugzilla-daemon at bugzilla.netfilter.org
2009-Jun-08 21:46 UTC
[Bug 597] ip6tables connlimit - cannot set CIDR greater than 32 (includes fix)
http://bugzilla.netfilter.org/show_bug.cgi?id=597

jengelh at medozas.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|laforge at netfilter.org    |jengelh at medozas.de