bugzilla-daemon at netfilter.org
2014-Feb-02 15:42 UTC
[Bug 892] New: ip6tables --match policy needs to accept IPv4 addresses for --tunnel-src and --tunnel-dst
https://bugzilla.netfilter.org/show_bug.cgi?id=892
Summary: ip6tables --match policy needs to accept IPv4
addresses for --tunnel-src and --tunnel-dst
Product: iptables
Version: 1.4.x
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P5
Component: ip6tables
AssignedTo: netfilter-buglog at lists.netfilter.org
ReportedBy: ast at domdv.de
Estimated Hours: 0.0
ip6tables currently does not allow to specify IPv4 addresses for the
--tunnel-src and --tunnel-dst options of the policy match.
This, however, is required for an IPv6 via IPSec IPv4 tunnel. Let's assume
the
IPSec tunnel endpoints are 1.2.3.4 and 5.6.7.8 and are interconnecting two IPv6
networks. Packets flowing acoss this connection shall be marked. This would
require something like the following:
ip6tables -t mangle -A INPUT --match policy --dir in --pol ipsec --mode tunnel
--tunnel-dst 1.2.3.4 --tunnel-src 5.6.7.8 -j MARK --set-mark 0x08/0x08
The above does not work. Instead one has to use the following undocumented
kludge which seems to work by just sheer luck:
ip6tables -t mangle -A INPUT --match policy --dir in --pol ipsec --mode tunnel
--tunnel-dst 102:304::/32 --tunnel-src 506:708::/32 -j MARK --set-mark
0x08/0x08
Looking at the netfilter kernel policy code (3.12.7) doesn't show any hint
that
the case of IPv6 via IPv4 IPSec Tunnel is actually integrated, so the above
kludge seems to work just by chance.
If the above kludge is what is actually intended this needs at least be
documented in the iptables-extensions man page - I had to try bit for bit until
it became clear what address format to use and there is still the point that
one does not know about the supposed value of the remaining 96 bits of such an
address.
--
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
Reasonably Related Threads
- [Bug 796] New: ip6tables (iptables) "state" test fails to correctly determine the state of packet streams; will not jump to ACCEPT on ESTABLISHED,RELATED connections
- IPv6, HE tunnel and ip6tables problems
- [Bug 1412] New: ip6tables-nft not accepting "icmp" as shorthand for "icmpv6"
- [Bug 1186] New: ip6tables-restore not passing useful error messages from ip6tables
- ip6tables on C7
Wisdom of the Ancients
