diff mbox

NFCT filter and IPv6

Message ID 1342559469.8476.54.camel@tiger.regit.org
State Not Applicable
Headers show

Commit Message

Eric Leblond July 17, 2012, 9:11 p.m. UTC 
Hello,

I was working on ulogd2 and getting mad with connection filtering in
IPv6 (IPv4 being ok). After analysis, it seems there is a problem.

I've modified the conntrack_filter in utils by applying the following
patch. It does nothing but inverting the logic of filtering and adding
filtering to destination.

If I do :

$ telnet 2::1

then

root@tiger:/home/eric/git/netfilter/libnetfilter_conntrack/utils# ./conntrack_filter 
TEST: waiting for 10 events...
 [UPDATE] tcp      6 432000 ESTABLISHED src=2::1 dst=2::1 sport=35738 dport=22 src=2::1 dst=2::1 sport=22 dport=35738 [ASSURED]

Am I missing something ?

Kernel is a 3.4.0:
Linux tiger 3.4.0-netfilter #22 SMP Sat Jul 14 21:39:33 CEST 2012 x86_64 GNU/Linux

BR,

Comments

Pablo Neira Ayuso July 25, 2012, 11:16 a.m. UTC | #1 
Hi Eric,

On Tue, Jul 17, 2012 at 11:11:09PM +0200, Eric Leblond wrote:
> Hello,
> 
> I was working on ulogd2 and getting mad with connection filtering in
> IPv6 (IPv4 being ok). After analysis, it seems there is a problem.
> 
> I've modified the conntrack_filter in utils by applying the following
> patch. It does nothing but inverting the logic of filtering and adding
> filtering to destination.
> 
> If I do :
> 
> $ telnet 2::1
> 
> then
> 
> root@tiger:/home/eric/git/netfilter/libnetfilter_conntrack/utils# ./conntrack_filter 
> TEST: waiting for 10 events...
>  [UPDATE] tcp      6 432000 ESTABLISHED src=2::1 dst=2::1 sport=35738 dport=22 src=2::1 dst=2::1 sport=22 dport=35738 [ASSURED]
> 
> Am I missing something ?

It's a bug in libnetfilter_conntrack autogenerated BPF code to filter IPv6.

This should fix it:

http://git.netfilter.org/cgi-bin/gitweb.cgi?p=libnetfilter_conntrack.git;a=commit;h=4b6df760e3b19ec522b66cbbb5b280fec7c0405b

The changelog provides some details. I've tested it here, works for
me.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

From 5ec3879993c502f808d78c750f585555a0cd3014 Mon Sep 17 00:00:00 2001
From: Eric Leblond <eric@regit.org>
Date: Tue, 17 Jul 2012 23:04:46 +0200
Subject: [PATCH] Modify IPv6 logic

---
 utils/conntrack_filter.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/utils/conntrack_filter.c b/utils/conntrack_filter.c
index a3eeebc..cfde5d4 100644
--- a/utils/conntrack_filter.c
+++ b/utils/conntrack_filter.c
@@ -74,9 +74,10 @@  int main(void)
 	/* ignore whatever that comes from ::1 (loopback) */
 	nfct_filter_set_logic(filter,
 			      NFCT_FILTER_SRC_IPV6,
-			      NFCT_FILTER_LOGIC_NEGATIVE);
+			      NFCT_FILTER_LOGIC_POSITIVE);
 
 	nfct_filter_add_attr(filter, NFCT_FILTER_SRC_IPV6, &filter_ipv6);
+	nfct_filter_add_attr(filter, NFCT_FILTER_DST_IPV6, &filter_ipv6);
 
 	if (nfct_filter_attach(nfct_fd(h), filter) == -1) {
 		perror("nfct_filter_attach");
-- 
1.7.10.4