bugzilla-daemon at netfilter.org
2013-Mar-24 03:50 UTC
[Bug 814] New: rpfilter blocks broadcast packets
http://bugzilla.netfilter.org/show_bug.cgi?id=814

           Summary: rpfilter blocks broadcast packets
           Product: netfilter/iptables
           Version: unspecified
          Platform: x86_64
        OS/Version: Gentoo
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ip_tables (kernel)
        AssignedTo: netfilter-buglog at lists.netfilter.org
        ReportedBy: powerman-asdf at ya.ru
   Estimated Hours: 0.0

Here is my interface:

# ip addr show br.qemu
10: br.qemu: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 02:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.1/24 scope global br.qemu

Here are the rules:

# iptables -A PREROUTING -t raw -i br.qemu -m rpfilter -j RETURN
# iptables -A PREROUTING -t raw -j LOG --log-level 7 --log-prefix "antispoof: "

Here is an example of a blocked packet (a samba/netbios announce, I suppose):

kern.debug: antispoof: IN=br.qemu OUT= MAC= SRC=192.168.2.1 DST=192.168.2.255 LEN=248 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=228

I also notice that `ping -b 192.168.2.255` is blocked:

kern.debug: antispoof: IN=br.qemu OUT= MAC= SRC=192.168.2.1 DST=192.168.2.255 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=22024 SEQ=1

So it looks like rpfilter blocks broadcast packets with a correct source IP. I have no idea whether this is a bug, but if it is not a bug, then how do I allow broadcast packets without replacing -m rpfilter with a manual rule like -s 192.168.2.0/24?
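The report asks how to let broadcasts through without replacing -m rpfilter by a hand-written -s 192.168.2.0/24 rule. Both logged packets carry the host's own address (192.168.2.1) as source, which is the case the rpfilter match's --accept-local option exists for. The script below is an added example, not code from the bug report or from the netfilter project: it builds a dedicated raw-table chain that applies --accept-local only to broadcast-destined packets (matched with -m addrtype --dst-type BROADCAST), keeps the strict reverse-path check for everything else, and then logs and drops what fails. It also includes a small triage helper that counts how many "antispoof:" log hits were broadcast-destined, so the relaxation can be checked against the log before and after. The chain name ANTISPOOF, the IFACE/BCAST/DRY_RUN variables and the third sample log line (an off-subnet unicast source) are assumptions constructed for the example; the first two sample lines are the ones from the report.

```shell
#!/bin/sh
# Added example (not from the bug report or the netfilter project).
# Assumed names: chain ANTISPOOF, variables IFACE, BCAST, DRY_RUN.
IFACE="${IFACE:-br.qemu}"          # bridge interface from the report
BCAST="${BCAST:-192.168.2.255}"    # directed broadcast of 192.168.2.0/24
DRY_RUN="${DRY_RUN:-1}"            # 1 = print the rules, 0 = apply them

# ipt: print one iptables command (dry run) or execute it.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables'
        for a in "$@"; do
            case "$a" in
                *' '*) printf ' "%s"' "$a" ;;   # keep multi-word args quoted
                *)     printf ' %s' "$a" ;;
            esac
        done
        printf '\n'
    else
        iptables "$@"
    fi
}

# antispoof_rules: raw-table chain with a broadcast-aware rpfilter check.
antispoof_rules() {
    ipt -t raw -N ANTISPOOF
    # 1. Broadcast destinations: reverse-path check stays on, but a source
    #    that is one of the host's own addresses is accepted (--accept-local).
    #    Because the rule is limited to broadcast destinations, a unicast
    #    packet spoofing the host's address is still caught by rule 2.
    ipt -t raw -A ANTISPOOF -m addrtype --dst-type BROADCAST \
        -m rpfilter --accept-local -j RETURN
    # 2. Everything else: strict reverse-path check, as in the report.
    ipt -t raw -A ANTISPOOF -m rpfilter -j RETURN
    # 3. What remains failed the check: rate-limited log, then drop.
    ipt -t raw -A ANTISPOOF -m limit --limit 6/min --limit-burst 10 \
        -j LOG --log-level 7 --log-prefix "antispoof: "
    ipt -t raw -A ANTISPOOF -j DROP
    ipt -t raw -A PREROUTING -i "$IFACE" -j ANTISPOOF
}

# classify_hits: read kernel LOG lines on stdin and print
# "<broadcast-destined hits> <other hits>" for the antispoof prefix.
classify_hits() {
    bcast=0; other=0
    while IFS= read -r line; do
        case "$line" in
            *"antispoof: "*) ;;
            *) continue ;;          # not one of our log lines
        esac
        dst=$(printf '%s\n' "$line" | sed -n 's/.*DST=\([0-9.]*\).*/\1/p')
        if [ "$dst" = "$BCAST" ] || [ "$dst" = "255.255.255.255" ]; then
            bcast=$((bcast + 1))
        else
            other=$((other + 1))
        fi
    done
    printf '%s %s\n' "$bcast" "$other"
}

# Sample log: first two lines are from the report, the third is constructed
# (an off-subnet unicast source that a reverse-path check should reject).
SAMPLE_LOG='kern.debug: antispoof: IN=br.qemu OUT= MAC= SRC=192.168.2.1 DST=192.168.2.255 LEN=248 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=228
kern.debug: antispoof: IN=br.qemu OUT= MAC= SRC=192.168.2.1 DST=192.168.2.255 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=22024 SEQ=1
kern.debug: antispoof: IN=br.qemu OUT= MAC= SRC=10.9.8.7 DST=192.168.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=4444 DPT=22'

main() {
    echo "# ruleset (DRY_RUN=$DRY_RUN)"
    antispoof_rules
    echo "# log triage: <broadcast-destined hits> <other hits>"
    printf '%s\n' "$SAMPLE_LOG" | classify_hits
}
main
```

Run it as-is to see the rules; run with DRY_RUN=0 as root to install them. Whether --accept-local covers the looped-back broadcast case on a given kernel is best verified by feeding the real log through classify_hits before and after the change: the broadcast count should drop to zero while the other count is unchanged. If it does not, the fallback is a plain `-m addrtype --dst-type BROADCAST -j RETURN` ahead of the rpfilter rule, which skips the reverse-path check for broadcasts altogether and therefore no longer checks spoofed sources on broadcast traffic.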