bugzilla-daemon at netfilter.org
2013-Apr-12 08:24 UTC
[Bug 814] rpfilter blocks broadcast packets
https://bugzilla.netfilter.org/show_bug.cgi?id=814

Florian Westphal <fw at strlen.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fw at strlen.de

--- Comment #1 from Florian Westphal <fw at strlen.de> 2013-04-12 10:24:14 CEST ---
(In reply to comment #0)
> # ip addr show br.qemu
> 10: br.qemu: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
>     link/ether 02:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.2.1/24 scope global br.qemu
>
> Here are the rules:
> # iptables -A PREROUTING -t raw -i br.qemu -m rpfilter -j RETURN
> # iptables -A PREROUTING -t raw -j LOG --log-level 7 --log-prefix "antispoof: "
>
> Here is an example of a blocked packet (samba/netbios announce, I suppose):
> kern.debug: antispoof: IN=br.qemu OUT= MAC= SRC=192.168.2.1 DST=192.168.2.255
> LEN=248 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=228
>
> Also I notice `ping -b 192.168.2.255` is also blocked:
> kern.debug: antispoof: IN=br.qemu OUT= MAC= SRC=192.168.2.1 DST=192.168.2.255
> LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=22024
> SEQ=1 like -s 192.168.2.0/24?

Could you clarify on which machine these packets are generated?
The packet src ip is the bridge itself. Are these packets locally generated?

--
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
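An added example, not part of the bug thread: a small checker that parses "antispoof:" LOG lines of the kind quoted above and separates locally generated subnet broadcasts (the false positive reported here) from packets whose source is off the interface's subnet (what an antispoof rule is there to log). The sample log lines are constructed after the quoted ones, and the interface addressing is assumed from the `ip addr show br.qemu` output in the report.

```python
import ipaddress
import re

# Constructed sample log: the two "antispoof:" lines quoted in the bug report
# (locally generated broadcasts from the bridge's own address) plus one made-up
# line whose source does not belong to br.qemu's subnet at all.
SAMPLE_LOG = """\
kern.debug: antispoof: IN=br.qemu OUT= MAC= SRC=192.168.2.1 DST=192.168.2.255 LEN=248 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=228
kern.debug: antispoof: IN=br.qemu OUT= MAC= SRC=192.168.2.1 DST=192.168.2.255 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=22024 SEQ=1
kern.debug: antispoof: IN=br.qemu OUT= MAC=02:00:00:00:00:00:52:54:00:12:34:56:08:00 SRC=10.9.9.9 DST=192.168.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF PROTO=TCP SPT=40000 DPT=22
"""

# Assumed addressing of the logging interface (interface name -> address/prefix),
# taken from the `ip addr show br.qemu` output in the report.
IFACE_ADDRS = {"br.qemu": ipaddress.ip_interface("192.168.2.1/24")}

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Parse the key=value fields of an iptables LOG line into a dict.
    LOG prints some keys twice (LEN: IP total length, then UDP length);
    the first occurrence of a key is kept."""
    fields = {}
    for key, val in FIELD_RE.findall(line):
        fields.setdefault(key, val)
    return fields


def classify(fields, iface_addrs=IFACE_ADDRS):
    """Classify one logged packet against the IN interface's addressing:
    'own-broadcast' = SRC is the interface's own address and DST its subnet
    broadcast (a locally generated broadcast, the false positive in this bug);
    'offsubnet' = SRC outside the interface's subnet; 'other' = anything else."""
    iface = iface_addrs.get(fields.get("IN", ""))
    if iface is None or "SRC" not in fields or "DST" not in fields:
        return "other"
    src = ipaddress.ip_address(fields["SRC"])
    dst = ipaddress.ip_address(fields["DST"])
    if src == iface.ip and dst == iface.network.broadcast_address:
        return "own-broadcast"
    if src not in iface.network:
        return "offsubnet"
    return "other"


def classify_log(text, iface_addrs=IFACE_ADDRS):
    """Classify every 'antispoof:' line of a log excerpt, in order."""
    return [classify(parse_log_line(line), iface_addrs)
            for line in text.splitlines() if "antispoof:" in line]
```

Feed it `journalctl -k` or syslog output filtered on the LOG prefix; a run of 'own-broadcast' verdicts from the host's own address is the signature of the rpfilter behaviour discussed in this bug rather than spoofed traffic.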
bugzilla-daemon at netfilter.org
2013-Apr-12 08:32 UTC
[Bug 814] rpfilter blocks broadcast packets
https://bugzilla.netfilter.org/show_bug.cgi?id=814

--- Comment #2 from Alex Efros <powerman-asdf at ya.ru> 2013-04-12 10:32:16 CEST ---
(In reply to comment #1)
> Could you clarify on which machine these packets are generated?
> The packet src ip is the bridge itself. Are these packets locally generated?

Yes.
bugzilla-daemon at netfilter.org
2013-Apr-12 09:02 UTC
[Bug 814] rpfilter blocks broadcast packets
https://bugzilla.netfilter.org/show_bug.cgi?id=814

--- Comment #3 from Florian Westphal <fw at strlen.de> 2013-04-12 11:02:57 CEST ---
That explains it. This patch should fix it, I'll send it for inclusion soon.

diff --git a/net/ipv4/netfilter/ipt_rpfilter.c b/net/ipv4/netfilter/ipt_rpfilter.c index c301300..601abf2 100644 --- a/net/ipv4/netfilter/ipt_rpfilter.c +++ b/net/ipv4/netfilter/ipt_rpfilter.c @@ -76,7 +76,7 @@ static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par) info = par->matchinfo; invert = info->flags & XT_RPFILTER_INVERT; - if (par->in->flags & IFF_LOOPBACK) + if (skb_dst(skb)) /* locally generated? */ return true ^ invert; iph = ip_hdr(skb);
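Review bot: the new test `if (skb_dst(skb)) /* locally generated? */` rests on an unstated invariant, namely that at this hook a packet that came in from the wire has not been routed yet and so carries no dst, whereas a locally generated one (including a broadcast the bridge hands back to the host with SRC=192.168.2.1, as in the report) has already been routed and does; the trailing question mark in the comment undersells that, and the rationale should be spelled out in the comment or the commit message, since it only holds as long as the match runs before routing. The hunk also drops the `par->in->flags & IFF_LOOPBACK` exemption outright rather than keeping it alongside the dst check; if the loopback case is meant to be covered by the dst test, say so explicitly, and cite the raw-table PREROUTING rules and the `ping -b 192.168.2.255` log line from the report as the reproducer.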
bugzilla-daemon at netfilter.org
2013-Apr-21 14:40 UTC
[Bug 814] rpfilter blocks broadcast packets
https://bugzilla.netfilter.org/show_bug.cgi?id=814

Florian Westphal <fw at strlen.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED