Message ID | 1342559469.8476.54.camel@tiger.regit.org |
---|---|
State | Not Applicable |
Hi Eric,

On Tue, Jul 17, 2012 at 11:11:09PM +0200, Eric Leblond wrote:
> Hello,
>
> I was working on ulogd2 and getting mad with connection filtering in
> IPv6 (IPv4 being ok). After analysis, it seems there is a problem.
>
> I've modified the conntrack_filter in utils by applying the following
> patch. It does nothing but inverting the logic of filtering and adding
> filtering to destination.
>
> If I do:
>
> $ telnet 2::1
>
> then
>
> root@tiger:/home/eric/git/netfilter/libnetfilter_conntrack/utils# ./conntrack_filter
> TEST: waiting for 10 events...
> [UPDATE] tcp 6 432000 ESTABLISHED src=2::1 dst=2::1 sport=35738 dport=22 src=2::1 dst=2::1 sport=22 dport=35738 [ASSURED]
>
> Am I missing something?

It's a bug in libnetfilter_conntrack's autogenerated BPF code to filter IPv6.

This should fix it:

http://git.netfilter.org/cgi-bin/gitweb.cgi?p=libnetfilter_conntrack.git;a=commit;h=4b6df760e3b19ec522b66cbbb5b280fec7c0405b

The changelog provides some details. I've tested it here, works for me.
From 5ec3879993c502f808d78c750f585555a0cd3014 Mon Sep 17 00:00:00 2001 From: Eric Leblond <eric@regit.org> Date: Tue, 17 Jul 2012 23:04:46 +0200 Subject: [PATCH] Modify IPv6 logic --- utils/conntrack_filter.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/utils/conntrack_filter.c b/utils/conntrack_filter.c index a3eeebc..cfde5d4 100644 --- a/utils/conntrack_filter.c +++ b/utils/conntrack_filter.c @@ -74,9 +74,10 @@ int main(void) /* ignore whatever that comes from ::1 (loopback) */ nfct_filter_set_logic(filter, NFCT_FILTER_SRC_IPV6, - NFCT_FILTER_LOGIC_NEGATIVE); + NFCT_FILTER_LOGIC_POSITIVE); nfct_filter_add_attr(filter, NFCT_FILTER_SRC_IPV6, &filter_ipv6); + nfct_filter_add_attr(filter, NFCT_FILTER_DST_IPV6, &filter_ipv6); if (nfct_filter_attach(nfct_fd(h), filter) == -1) { perror("nfct_filter_attach"); -- 1.7.10.4
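Review bot: the comment that heads the hunk, `/* ignore whatever that comes from ::1 (loopback) */`, no longer describes the code once the logic is switched from NFCT_FILTER_LOGIC_NEGATIVE to NFCT_FILTER_LOGIC_POSITIVE: with positive logic the filter selects rather than ignores flows whose source is filter_ipv6, so the comment should be rewritten to say what the filter now matches (the cover mail states the inversion is deliberate, for testing). The added `nfct_filter_add_attr(filter, NFCT_FILTER_DST_IPV6, &filter_ipv6);` line sets no logic for NFCT_FILTER_DST_IPV6 and so relies on the filter's default, while the SRC_IPV6 side sets it explicitly; a matching `nfct_filter_set_logic(filter, NFCT_FILTER_DST_IPV6, NFCT_FILTER_LOGIC_POSITIVE);` before the add_attr call would keep the two directions symmetric and make the intent visible. The commit message consists only of the subject "Modify IPv6 logic"; a body stating that this is a debugging change to exercise the IPv6 filter path, not a fix, would save anyone reading the patch out of context from applying it as one.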