bugzilla-daemon at bugzilla.netfilter.org
2011-Aug-29 03:04 UTC
[Bug 742] New: ip6tables "-m iprange" ipv6 range detection
http://bugzilla.netfilter.org/show_bug.cgi?id=742
Summary: ip6tables "-m iprange" ipv6 range detection
Product: netfilter/iptables
Version: linux-2.6.x
Platform: x86_64
OS/Version: SuSE Linux
Status: NEW
Severity: critical
Priority: P5
Component: ip6_tables (kernel)
AssignedTo: netfilter-buglog at lists.netfilter.org
ReportedBy: mailxiening at gmail.com
Estimated Hours: 0.0
I am using ip6tables to allow/disallow connections from clients with specific IP addresses.
My client's IPv6 address is "fe80::e91b:befe:97dc:9df5".
The "-m iprange --src-range" match detects whether the client is in or out of the specified range as follows.
I create the rules and set a log prefix:
ip6tables -I INPUT -m iprange --src-range 1000::0-ffff::0 -j LOG --log-level 7 --log-prefix "1000"
ip6tables -I INPUT -m iprange --src-range 2000::0-ffff::0 -j LOG --log-level 7 --log-prefix "2000"
ip6tables -I INPUT -m iprange --src-range 3000::0-ffff::0 -j LOG --log-level 7 --log-prefix "3000"
ip6tables -I INPUT -m iprange --src-range 4000::0-ffff::0 -j LOG --log-level 7 --log-prefix "4000"
ip6tables -I INPUT -m iprange --src-range 5000::0-ffff::0 -j LOG --log-level 7 --log-prefix "5000"
ip6tables -I INPUT -m iprange --src-range 6000::0-ffff::0 -j LOG --log-level 7 --log-prefix "6000"
ip6tables -I INPUT -m iprange --src-range 7000::0-ffff::0 -j LOG --log-level 7 --log-prefix "7000"
ip6tables -I INPUT -m iprange --src-range 8000::0-ffff::0 -j LOG --log-level 7 --log-prefix "8000"
ip6tables -I INPUT -m iprange --src-range 9000::0-ffff::0 -j LOG --log-level 7 --log-prefix "9000"
ip6tables -I INPUT -m iprange --src-range a000::0-ffff::0 -j LOG --log-level 7 --log-prefix "a000"
ip6tables -I INPUT -m iprange --src-range b000::0-ffff::0 -j LOG --log-level 7 --log-prefix "b000"
ip6tables -I INPUT -m iprange --src-range c000::0-ffff::0 -j LOG --log-level 7 --log-prefix "c000"
ip6tables -I INPUT -m iprange --src-range d000::0-ffff::0 -j LOG --log-level 7 --log-prefix "d000"
ip6tables -I INPUT -m iprange --src-range e000::0-ffff::0 -j LOG --log-level 7 --log-prefix "e000"
ip6tables -I INPUT -m iprange --src-range f000::0-ffff::0 -j LOG --log-level 7 --log-prefix "f000"
In the log file /var/log/firewall on OpenSUSE 11.1, the log for one connection request is:
117 Aug 28 20:01:46 alpine5 kernel: f000IN=eth0 OUTMAC=00:21:5e:4e:9c:60:00:25:90:10:86:8d:86:dd SRC=fe80:0000:0000:0000:e91b:befe:97dc:9df5 DST=fe80:0000:0000:0000:0221:5eff:fe4e:9c60 LEN=72 TC=0 HOPLIMIT =128 FLOWLBL=0 PROTO=TCP SPT=59113 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0.
118 Aug 28 20:01:46 alpine5 kernel: e000IN=eth0 OUTMAC=00:21:5e:4e:9c:60:00:25:90:10:86:8d:86:dd SRC=fe80:0000:0000:0000:e91b:befe:97dc:9df5 DST=fe80:0000:0000:0000:0221:5eff:fe4e:9c60 LEN=72 TC=0 HOPLIMIT =128 FLOWLBL=0 PROTO=TCP SPT=59113 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0.
119 Aug 28 20:01:46 alpine5 kernel: d000IN=eth0 OUTMAC=00:21:5e:4e:9c:60:00:25:90:10:86:8d:86:dd SRC=fe80:0000:0000:0000:e91b:befe:97dc:9df5 DST=fe80:0000:0000:0000:0221:5eff:fe4e:9c60 LEN=72 TC=0 HOPLIMIT =128 FLOWLBL=0 PROTO=TCP SPT=59113 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0.
120 Aug 28 20:01:46 alpine5 kernel: c000IN=eth0 OUTMAC=00:21:5e:4e:9c:60:00:25:90:10:86:8d:86:dd SRC=fe80:0000:0000:0000:e91b:befe:97dc:9df5 DST=fe80:0000:0000:0000:0221:5eff:fe4e:9c60 LEN=72 TC=0 HOPLIMIT =128 FLOWLBL=0 PROTO=TCP SPT=59113 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0.
121 Aug 28 20:01:46 alpine5 kernel: b000IN=eth0 OUTMAC=00:21:5e:4e:9c:60:00:25:90:10:86:8d:86:dd SRC=fe80:0000:0000:0000:e91b:befe:97dc:9df5 DST=fe80:0000:0000:0000:0221:5eff:fe4e:9c60 LEN=72 TC=0 HOPLIMIT =128 FLOWLBL=0 PROTO=TCP SPT=59113 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0.
122 Aug 28 20:01:46 alpine5 kernel: a000IN=eth0 OUTMAC=00:21:5e:4e:9c:60:00:25:90:10:86:8d:86:dd SRC=fe80:0000:0000:0000:e91b:befe:97dc:9df5 DST=fe80:0000:0000:0000:0221:5eff:fe4e:9c60 LEN=72 TC=0 HOPLIMIT =128 FLOWLBL=0 PROTO=TCP SPT=59113 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0.
123 Aug 28 20:01:46 alpine5 kernel: 9000IN=eth0 OUTMAC=00:21:5e:4e:9c:60:00:25:90:10:86:8d:86:dd SRC=fe80:0000:0000:0000:e91b:befe:97dc:9df5 DST=fe80:0000:0000:0000:0221:5eff:fe4e:9c60 LEN=72 TC=0 HOPLIMIT =128 FLOWLBL=0 PROTO=TCP SPT=59113 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0.
124 Aug 28 20:01:46 alpine5 kernel: 8000IN=eth0 OUTMAC=00:21:5e:4e:9c:60:00:25:90:10:86:8d:86:dd SRC=fe80:0000:0000:0000:e91b:befe:97dc:9df5 DST=fe80:0000:0000:0000:0221:5eff:fe4e:9c60 LEN=72 TC=0 HOPLIMIT =128 FLOWLBL=0 PROTO=TCP SPT=59113 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0.
It means the firewall detects that the client IP address fe80::e91b:befe:97dc:9df5 is in
8000::0-ffff::0, 9000::0-ffff::0, a000::0-ffff::0, b000::0-ffff::0,
c000::0-ffff::0, d000::0-ffff::0, e000::0-ffff::0, f000::0-ffff::0
and is out of:
1000::0-ffff::0, 2000::0-ffff::0, 3000::0-ffff::0, 4000::0-ffff::0,
5000::0-ffff::0, 6000::0-ffff::0, 7000::0-ffff::0
What is the algorithm used to detect the range, and how can I set ip6tables so that the client address is detected as in all the ranges?
A similar test indicates that the client IP address is in
7fff::0-ffff::0, 8fff::0-ffff::0, 9fff::0-ffff::0, afff::0-ffff::0,
bfff::0-ffff::0, cfff::0-ffff::0, dfff::0-ffff::0, efff::0-ffff::0
7fff::0-ffff::0, 7eff::0-ffff::0,
and is out of:
0fff::0-ffff::0, 1fff::0-ffff::0, 2fff::0-ffff::0, 3fff::0-ffff::0,
4fff::0-ffff::0, 5fff::0-ffff::0, 6fff::0-ffff::0
7dff::0-ffff::0, 7cff::0-ffff::0, 7bff::0-ffff::0, 7aff::0-ffff::0,
79ff::0-ffff::0, 78ff::0-ffff::0, 77ff::0-ffff::0, 76ff::0-ffff::0,
75ff::0-ffff::0, 74ff::0-ffff::0, 73ff::0-ffff::0, 72ff::0-ffff::0,
71ff::0-ffff::0, 70ff::0-ffff::0,
Best regards.
ning
--
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching all bug changes.
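As an added illustration (not code from the report, and not the kernel's own xt_iprange source), the following compares the report's client address against its ranges with two 128-bit comparison routines. The signed-subtraction variant is my assumed reconstruction of the defect, chosen because it reproduces exactly the in/out pattern the report lists; the unsigned word-by-word compare is what a correct iprange match requires, and the actual fix is the commit named in Comment #1.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Compare two addresses word by word, most significant word first; returns
 * -1, 0 or 1.  With signed_sub == 1 the unsigned difference of two words is
 * interpreted as a signed int, so its sign bit rather than the real ordering
 * decides the result (assumed reconstruction of the pre-2.6.38 defect).
 * With signed_sub == 0 this is the correct unsigned lexicographic compare. */
static int cmp6(const struct in6_addr *a, const struct in6_addr *b, int signed_sub)
{
    uint32_t wa[4], wb[4];
    memcpy(wa, a->s6_addr, 16);
    memcpy(wb, b->s6_addr, 16);
    for (int i = 0; i < 4; i++) {
        uint32_t x = ntohl(wa[i]), y = ntohl(wb[i]);
        if (x == y)
            continue;
        if (signed_sub)
            return (int32_t)(x - y) < 0 ? -1 : 1;
        return x < y ? -1 : 1;
    }
    return 0;
}

/* 1 if lo <= addr <= hi (all textual IPv6), 0 if not, -1 on a parse error. */
int in_range(const char *addr, const char *lo, const char *hi, int signed_sub)
{
    struct in6_addr a, l, h;
    if (inet_pton(AF_INET6, addr, &a) != 1 || inet_pton(AF_INET6, lo, &l) != 1 ||
        inet_pton(AF_INET6, hi, &h) != 1)
        return -1;
    return cmp6(&a, &l, signed_sub) >= 0 && cmp6(&a, &h, signed_sub) <= 0;
}

int main(void)
{
    const char *client = "fe80::e91b:befe:97dc:9df5"; /* address from the report */
    const char *lows[] = { "1000::", "7dff::", "7eff::", "8000::" };
    for (int i = 0; i < 4; i++)
        printf("%s-ffff::  buggy=%d  fixed=%d\n", lows[i],
               in_range(client, lows[i], "ffff::", 1),
               in_range(client, lows[i], "ffff::", 0));
    return 0;
}
```

The signed variant reports the client as out of 1000::-ffff:: and 7dff::-ffff:: but in 7eff::-ffff:: and 8000::-ffff::, matching the report; the unsigned compare puts it in all four.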
bugzilla-daemon at bugzilla.netfilter.org
2011-Sep-03 13:19 UTC
[Bug 742] ip6tables "-m iprange" ipv6 range detection
http://bugzilla.netfilter.org/show_bug.cgi?id=742
Jan Engelhardt <jengelh at medozas.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jengelh at medozas.de
AssignedTo|netfilter- |jengelh at medozas.de
|buglog at lists.netfilter.org |
--- Comment #1 from Jan Engelhardt <jengelh at medozas.de> 2011-09-03 15:19:50 ---
openSUSE 11.1 is no longer a supported version.
The bug was fixed in commit v2.6.37-3906-g08b5194 (for 2.6.38), so
unfortunately it persists across openSUSE 11.4. You probably need
to talk to the bugzilla people there, but somehow I do not expect
them to do an update just because of this one patch.
You could use the 3.0 kernel from OBS in the interim, though
I do not know how that fares with 11.1 (works ok in 11.4).
bugzilla-daemon at bugzilla.netfilter.org
2011-Sep-03 13:20 UTC
[Bug 742] ip6tables "-m iprange" ipv6 range detection
http://bugzilla.netfilter.org/show_bug.cgi?id=742
Jan Engelhardt <jengelh at medozas.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED