search for: flowlbl

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=448 laforge@netfilter.org changed: What |Removed |Added ---------------------------------------------------------------------------- Component|ip_conntrack |nf_conntrack ------- Additional Comments From laforge@netfilter.org 2006-02-14 09:05 MET ------- ipv6 conntrack is

...192.168.254.39 DST=224.0.0.251 LEN=161 TOS=0x00 PREC=0x00 TTL=255 ID=39413 DF PROTO=UDP SPT=5353 DPT=5353 LEN=141 Feb 4 10:04:02 radio kernel: [ 553.992620] [UFW AUDIT] IN= OUT=enp2s5 SRC=fe80:0000:0000:0000:368d:74dd:abec:eba0 DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=181 TC=0 HOPLIMIT=255 FLOWLBL=910431 PROTO=UDP SPT=5353 DPT=5353 LEN=141 Feb 4 10:04:02 radio kernel: [ 553.992633] [UFW ALLOW] IN= OUT=enp2s5 SRC=fe80:0000:0000:0000:368d:74dd:abec:eba0 DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=181 TC=0 HOPLIMIT=255 FLOWLBL=910431 PROTO=UDP SPT=5353 DPT=5353 LEN=141 Feb 4 10:04:02 rad...

...s -A INPUT -p ICMPv6 -g input_icmpv6_packets After that, I got such lines in my log: Nov 16 14:57:42 yam kernel: ICMPv6 pkt: IN=eth1 OUT= MAC=33:33:ff:f9:89:a2:00:e0:4c:9f:0a:24:86:dd SRC=fe80:0000:0000:0000:1de5:d64e:a530:2977 DST=ff02:0000:0000:0000:0000:0001:fff9:89a2 LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0 Nov 16 14:57:43 yam kernel: ICMPv6 pkt: IN=eth1 OUT= MAC=00:22:15:f9:89:a2:00:e0:4c:9f:0a:24:86:dd SRC=fe80:0000:0000:0000:1de5:d64e:a530:2977 DST=fe80:0000:0000:0000:0222:15ff:fef9:89a2 LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=136 CODE=0 Nov 16 14:57:43...

...n log file /var/log/firewall in OpenSUSE11.1. The log for one connection request is 117 Aug 28 20:01:46 alpine5 kernel: f000IN=eth0 OUT= MAC=00:21:5e:4e:9c:60:00:25:90:10:86:8d:86:dd SRC=fe80:0000:0000:0000:e91b:befe:97dc:9df5 DST=fe80:0000:0000:0000:0221:5eff:fe4e:9c60 LEN=72 TC=0 HOPLIMIT =128 FLOWLBL=0 PROTO=TCP SPT=59113 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0. 118 Aug 28 20:01:46 alpine5 kernel: e000IN=eth0 OUT= MAC=00:21:5e:4e:9c:60:00:25:90:10:86:8d:86:dd SRC=fe80:0000:0000:0000:e91b:befe:97dc:9df5 DST=fe80:0000:0000:0000:0221:5eff:fe4e:9c60 LEN=72 TC=0 HOPLIMIT =128 FLOWLBL=0 PROTO=TCP S...

...nt. What I''m getting in my logs is (I''ve logged the ACCEPT rule for clarity): Dec 4 16:11:19 xxxx kernel: [67682.239124] Shorewall:int2dmz:ACCEPT:IN=br1 OUT=br0 SRC=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=1496 TC=0 HOPLIMIT=63 FLOWLBL=0 FRAG:0 INCOMPLETE ID:56a39152 PROTO=UDP SPT=37801 DPT=25826 LEN=1905 Dec 4 16:11:19 xxxx kernel: [67682.239148] Shorewall:int2dmz:REJECT:IN=br1 OUT=br0 SRC=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=505 TC=0 HOPLIMIT=63 FLOWLBL=0 FRAG:1448 ID:56a...

...buckets, 13680 max) [ 25.688528] ip_tables: (C) 2000-2006 Netfilter Core Team [ 28.201103] NET: Registered protocol family 17 [ 33.914653] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC= SRC=fe80:0000:0000:0000:0213:8fff:fe78:2b50 DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=456 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=UDP SPT=5353 DPT=5353 LEN=416 [ 46.282711] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC= SRC=fe80:0000:0000:0000:0213:8fff:fe78:2b50 DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=84 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=UDP SPT=5353 DPT=5353 LEN=44 [ 47.284429] SFW2-INext-DROP-DEFLT IN=eth0 O...

...I can test without these patches if needed. Here is a snippet of a log; 7N means outgoing NEW packet and 6I means incoming INVALID packet. Feb 13 16:48:15 gamma kernel: 7N IN= OUT=tun6 SRC=2002:4071:4c37:0000:0000:0000:0000:0001 DST=2001:1418:0013:0001:0000:0000:0000:0025 LEN=72 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=55560 DPT=6667 SEQ=2855237330 ACK=2296150387 WINDOW=16736 RES=0x00 ACK URGP=0 OPT (0101080A000A3B4F1834B2D1) UID=1001 Feb 13 16:48:15 gamma kernel: 6I IN=tun6 OUT= MAC=00:02:b3:5f:61:e8:00:05:dc:1f:3f:fc:08:00:45:00:00:df:29:d6:00:00:ef:29:3c:6c:d5:fe:02:0d:40:71:4c:37:60:00:00:00:0...

...far Router Solicitations, Neighbor Solicitations and Neighbor Advertisements and maybe other packages too ) ip6tables-INVALID: IN=eth0 OUT= MAC=33:33:00:00:00:02:00:13:77:ae:f2:1f:86:dd SRC=fe80:0000:0000:0000:0213:77ff:feae:f21f DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=56 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=133 CODE=0 ip6tables-INVALID: IN=eth0 OUT= MAC=00:10:e0:02:22:02:00:13:77:ae:f2:1f:86:dd SRC=2001:06f8:10bb:0000:0213:77ff:feae:f21f DST=fe80:0000:0000:0000:0210:e0ff:fe02:2202 LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=136 CODE=0 ip6tables-INVALID: IN=eth0 OUT= MAC=3...

...0:00:00:16:29:e3:52:a3:a2:aa:b1:50:68:75:5a:60:00:00:00:00:40:3a:3a:20:01:0b:40:0d:ea:00:12:00:01:00:01:00:01:00:01:20:01:06:b8:00:00:06:00:00:00 TUNNEL=163.162.170.177->80.104.117.90 SRC=2001:0b40:0dea:0012:0001:0001:0001:0001 DST=2001:06b8:0000:0600:0000:0000:0000:2046 LEN=104 TC=0 HOPLIMIT=58 FLOWLBL=0 PROTO=ICMPv6 TYPE=129 CODE=0 ID=46889 SEQ=1 Sep 13 10:27:33 eddie inv: IN=sit0 OUT= MAC=80:01:75:00:00:00:b6:00:91:00:00:00:00:21:45:00:00:7c:ad:0f:00:00:16:29:e3:33:a3:a2:aa:b1:50:68:75:5a:60:00:00:00:00:40:3a:3a:20:01:0b:40:0d:ea:00:12:00:01:00:01:00:01:00:01:20:01:06:b8:00:00:06:00:00:00 TUNNE...

...omcast-2 NetworkManager[541]: <error> [1424877948.384918] [rdisc/nm-lndp-rdisc.c:241] send_rs(): ([snip]): cannot send router solicitation: -1. Feb 25 10:25:48 proxy-comcast-2 kernel: OUT-world:IN= OUT=[snip] SRC=fe80:[snip] DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=48 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=133 CODE=0 -- :wq

....168.254.39 LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=10653 PROTO=UDP SPT=137 DPT=50482 LEN=70 Jan 28 10:05:57 martin-RB042AV-ABA-a1410y kernel: [ 39.099157] [UFW BLOCK] IN=enp2s5 OUT= MAC= SRC=fe80:0000:0000:0000:368d:74dd:abec:eba0 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=64 TC=0 HOPLIMIT=1 FLOWLBL=849527 PROTO=UDP SPT=8612 DPT=8612 LEN=24 Jan 28 10:05:57 martin-RB042AV-ABA-a1410y kernel: [ 39.099223] [UFW BLOCK] IN=enp2s5 OUT= MAC= SRC=fe80:0000:0000:0000:368d:74dd:abec:eba0 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=64 TC=0 HOPLIMIT=1 FLOWLBL=871986 PROTO=UDP SPT=8612 DPT=8610 LEN=...

...r filtering vlan frames is dropping ICMPv6 type 134, the counter increases and the log exhibits: nd et DROPIN=eth2 OUT= MACSRC=78:ba:f9:73:f5:74 MACDST=33:33:00:00:00:01 MACPROTO=86dd SRC=fe80:0000:0000:0000:7aba:f9ff:fe73:f574 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=72 TC=224 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=134 CODE=0 -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200923/b7b24f82/attachment.html>

...imple to setup. Everything works fine. Until I try to set up an ip6tables firewall. eg if I try to view https://dnssec.surfnet.nl/?p=464 then the page never displays and the firewall shows kernel: IN=sit1 OUT=eth0 SRC=2001:0610:0001:40cd:0145:0100:0186:0033 DST=my.machine LEN=80 TC=0 HOPLIMIT=56 FLOWLBL=0 PROTO=TCP SPT=443 DPT=40367 WINDOW=5712 RES=0x00 ACK SYN URGP=0 I also see some DNS issues kernel: IN=sit1 OUT=eth0 SRC=2001:0620:0000:0009:0000:0000:0000:1103 DST=my.machine LEN=542 TC=0 HOPLIMIT=54 FLOWLBL=0 FRAG:1232 ID:0086942f PROTO=UDP (the source address here is ns1.zurich.surf.net). I...

..."Drop INVALID OUTPUT" Example of dropped packets: Jan 9 15:31:32 lisa kernel: [5169594.063033] Drop INVALID INPUT IN=eth0 OUT= MAC=33:33:00:00:00:01:00:07:cb:3c:ed:d8:86:dd SRC=fe80:0000:0000:0000:0207:cbff:fe3c:edd8 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=144 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=134 CODE=0 Jan 9 15:31:33 lisa kernel: [5169595.352014] Drop INVALID OUTPUT IN= OUT=eth0 SRC=fe80:0000:0000:0000:0221:85ff:fe11:6da0 DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=76 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=143 CODE=0 The first packet is a Router advertis...

....168.254.39 LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=10653 PROTO=UDP SPT=137 DPT=50482 LEN=70 Jan 28 10:05:57 martin-RB042AV-ABA-a1410y kernel: [ 39.099157] [UFW BLOCK] IN=enp2s5 OUT= MAC= SRC=fe80:0000:0000:0000:368d:74dd:abec:eba0 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=64 TC=0 HOPLIMIT=1 FLOWLBL=849527 PROTO=UDP SPT=8612 DPT=8612 LEN=24 Jan 28 10:05:57 martin-RB042AV-ABA-a1410y kernel: [ 39.099223] [UFW BLOCK] IN=enp2s5 OUT= MAC= SRC=fe80:0000:0000:0000:368d:74dd:abec:eba0 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=64 TC=0 HOPLIMIT=1 FLOWLBL=871986 PROTO=UDP SPT=8612 DPT=8610 LEN=...

...41]: <error> > [1424877948.384918] [rdisc/nm-lndp-rdisc.c:241] send_rs(): ([snip]): > cannot send router solicitation: -1. > Feb 25 10:25:48 proxy-comcast-2 kernel: OUT-world:IN= OUT=[snip] > SRC=fe80:[snip] DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=48 > TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=133 CODE=0 So, DHCPV6C="no" seems to be useless. What's needed is IPV6INIT="no". That doesn't disable IPv6 (to do that, you have to use sysctl), but it does tell NetworkManager to not try to configure it. Which is fine. -- :wq

...strongswan setup to match your config, I am not able to reproduce the issue on a 3.10 kernel. The IPv6 logs look normal: Jul 25 16:53:15 f19_main kernel: [ 1274.377650] IN= OUT=eth2 SRC=5857:0000:0000:0000:0000:0000:0000:0129 DST=fe80:0000:0000:0000:020c:29ff:fe5e:71b2 LEN=64 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=136 CODE=0 But what you are doing (default DROP policy in the POSTROUTING chain of the mangle table) is NOT recommended. For instance, I can see from your rules that you don't permit ICMPv6 packets from the link-local addresses. How exactly do you expect the VPN gateway...

...get type 131 (mld-listener-report) packets dropped, but not 130 (mld-listener-query) ... dmesg [45184.023825] UNKOWN Scanner!: IN=ens192 OUT= MAC=33:33:00:00:00:01:64:66:b3:80:77:42:86:dd SRC=fe80:0000:0000:0000:6666:b3ff:fe80:7742 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=72 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=130 CODE=0 Also it seems that this issue has been around for quite some time and I have found it reported before: https://www.spinics.net/lists/netfilter/msg55746.html Best regards, Bratislav ILIC -- You are receiving this mail because: You are watching all bug changes. ----...

https://bugzilla.netfilter.org/show_bug.cgi?id=852 Summary: IPv6 TEE target sends packets to original IP address on wrong network device Product: netfilter/iptables Version: unspecified Platform: x86_64 OS/Version: All Status: NEW Severity: enhancement Priority: P5 Component: unknown