bugzilla-daemon at netfilter.org
2013-Mar-05 09:01 UTC
[Bug 812] New: addrtype with limit-iface-in in ip6tables/nat/PREROUTING messes up the route cache
http://bugzilla.netfilter.org/show_bug.cgi?id=812

Summary: addrtype with limit-iface-in in ip6tables/nat/PREROUTING messes up the route cache
Product: netfilter/iptables
Version: unspecified
Platform: x86_64
OS/Version: All
Status: NEW
Severity: major
Priority: P5
Component: ip6_tables (kernel)
AssignedTo: netfilter-buglog at lists.netfilter.org
ReportedBy: arpad at andrews.hu
Estimated Hours: 0.0

First of all, sorry about my bad English.

The addrtype match works perfectly under IPv6 in the filter table. When I tried to use it in nat/PREROUTING, it messed up the routing cache even if the rule didn't match at all. I think it's better to show an example. (I changed the hostnames and IP addresses; they are sensitive data.)

eth0 - 2001:1234:f001::/64 - Internet
eth1 - 2001:1234:11::/64 - DMZ

The non-working scenario:

root at ipv6-test:# ip6tables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOinet     all      eth0   *       ::/0                 ::/0                 /* Internet */ ADDRTYPE match dst-type LOCAL limit-in

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain LOinet (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                 /* Other packets */

root at ipv6-test:# ip -6 route show cache
2001:1234:11::12 via 2001:1234:f001::251 dev eth0 metric 0
    cache

2001:1234:11::12 was the original destination of the packet, and it's a valid server address on the DMZ. This route cache entry says that server is reachable via the default gateway, and while this exists all the traffic, even the locally generated traffic, is sent that way. So the server is unreachable.

The working scenario:

root at ipv6-test:# ip6tables -t nat -D PREROUTING 1
root at ipv6-test:# ip6tables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain LOinet (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                 /* Other packets */

root at ipv6-test:# ip -6 route show cache
2001:1234:11::12 via 2001:1234:11::12 dev eth1 metric 0
    cache

These are the good results.

If I remove the --limit-iface-in from the non-working scenario, so just use -m addrtype --dst-type LOCAL, it works!

root at ipv6-test:# ip6tables -V
ip6tables v1.4.17
root at ipv6-test:# uname -r
3.7.0-andrews-amd64

-- 
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
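A quick way for an operator to spot the symptom described in this report, added here as an example and not part of the original bug report: parse the output of `ip -6 route show cache` and flag any entry whose destination lies in a directly connected prefix but is cached through a different interface. The on-link prefixes and the two sample cache outputs are taken from the report's anonymised topology; the parsing of continuation lines is an assumption about iproute2's layout.

```python
import ipaddress

# Constructed samples modelled on the two `ip -6 route show cache` outputs in
# the report: the broken entry points the DMZ host via the Internet gateway on
# eth0, the good entry keeps it on eth1.
BROKEN_CACHE = """2001:1234:11::12 via 2001:1234:f001::251 dev eth0 metric 0
    cache
"""
GOOD_CACHE = """2001:1234:11::12 via 2001:1234:11::12 dev eth1 metric 0
    cache
"""

# Directly connected prefixes per interface, from the report's topology.
ON_LINK = {
    "eth0": ipaddress.ip_network("2001:1234:f001::/64"),  # Internet
    "eth1": ipaddress.ip_network("2001:1234:11::/64"),    # DMZ
}


def parse_cache(text):
    """Yield (destination, via, dev) for each cache entry.

    Indented continuation lines (such as the 'cache' flag line iproute2
    prints under an entry) are skipped; 'via' is None for on-link entries.
    """
    for line in text.splitlines():
        if not line.strip() or line[0].isspace():
            continue
        fields = line.split()
        dst = ipaddress.ip_address(fields[0])
        via = dev = None
        for i, tok in enumerate(fields[:-1]):
            if tok == "via":
                via = ipaddress.ip_address(fields[i + 1])
            elif tok == "dev":
                dev = fields[i + 1]
        yield dst, via, dev


def misrouted_entries(text, on_link=ON_LINK):
    """Return (dst, via, dev, expected_dev) for entries whose destination is
    in an on-link prefix but is cached through some other interface."""
    bad = []
    for dst, via, dev in parse_cache(text):
        expected = next((ifc for ifc, net in on_link.items() if dst in net), None)
        if expected is not None and dev != expected:
            bad.append((str(dst), str(via), dev, expected))
    return bad
```

Running `misrouted_entries` over the live cache output after loading a nat/PREROUTING addrtype rule with --limit-iface-in makes the reported misrouting visible without waiting for a host on the DMZ to become unreachable.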