Hi,

On 02/05/2016 21:54:06 CEST, Baptiste Jonglez wrote:
On Mon, May 02, 2016 at 09:37:07PM +0200, Baptiste Jonglez wrote:
On Mon, May 02, 2016 at 08:17:48PM +0200, Vittorio Gambaletta (VittGam) wrote:
> Since drop_invalid has been turned on by default, ICMPv6 echo requests
> to well-known multicast addresses, such as ff02::1, are not replied to
> by the router anymore, because conntrack considers those outgoing reply
> packets to be invalid.
>
> Fix this by not having the INVALID rule in the OUTPUT chain match IPv6
> packets destined to link-local addresses (fe80::/10).

I'm not sure I understand: the multicast ICMP packets you mention have a
destination address of ff02::1, which is not in fe80::/10.  Did you intend
to allow all of ff00::/8 as destination (which is probably much too
permissive), or did I miss something?

I *did* miss something: this rule is added to the output path, not the
input path.  Sorry for the noise.

Yeah, exactly that. Multicast packets going to ffx2::/16 should always
be sent from link-local addresses, so the replies are always sent to
link-local addresses, and from link-local addresses too.
It's just that conntrack is missing support for tracking those replies.
So, in order to keep things simple, let's just avoid dropping outgoing traffic
marked as invalid by conntrack, that's not being forwarded, and that's destined
to a link-local address.

I wonder if it's the only legitimate kind of traffic that gets dropped by
the INVALID rule, though.

I don't know, I'm only aware of this. If there are other kinds of traffic,
maybe it'd be more appropriate to create a new chain with RETURNs for every
exception and then end the chain with a DROP, to avoid having to use
an explicit ACCEPT; so that the packets could still be dropped after
that rule by the user if needed.

Cheers,
Vittorio
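The behaviour discussed above (the patch's inverted fe80::/10 destination match in the IPv6 OUTPUT chain, and the alternative exception chain ending in DROP), as an added Python model that is not part of the patch or of fw3. The packets and the `output_verdict` helper are constructed for illustration; `CONTINUE` stands for "fall through to the rest of the chain".

```python
import ipaddress

# The patch's fw3_address: fe80:: with s6_addr mask bytes ff c0, match inverted.
LINK_LOCAL_MASK = bytes([0xff, 0xc0])

def mask_bytes_to_prefixlen(mask: bytes) -> int:
    """Convert s6_addr-style mask bytes into a prefix length (must be contiguous)."""
    bits = "".join(f"{b:08b}" for b in mask.ljust(16, b"\x00"))
    ones = len(bits) - len(bits.lstrip("1"))
    if "1" in bits[ones:]:
        raise ValueError("non-contiguous mask")
    return ones

LINK_LOCAL = ipaddress.IPv6Network(f"fe80::/{mask_bytes_to_prefixlen(LINK_LOCAL_MASK)}")

def output_verdict(pkt: dict, layout: str) -> str:
    """Verdict of the IPv6 OUTPUT chain for one locally generated packet.

    layout: 'unpatched'  -> -m conntrack --ctstate INVALID -j DROP
            'patched'    -> ! -d fe80::/10 -m conntrack --ctstate INVALID -j DROP
            'exceptions' -> jump to a chain with one RETURN per exempted
                            destination, ending in DROP (the alternative
                            floated in the thread)
    """
    if pkt["ctstate"] != "INVALID":
        return "CONTINUE"          # the rule only looks at INVALID packets
    dst = ipaddress.IPv6Address(pkt["dst"])
    if layout == "unpatched":
        return "DROP"
    if layout == "patched":
        return "CONTINUE" if dst in LINK_LOCAL else "DROP"   # inverted match
    if layout == "exceptions":
        for net in (LINK_LOCAL,):  # one RETURN rule per exception
            if dst in net:
                return "CONTINUE"  # RETURN: later user rules may still drop it
        return "DROP"
    raise ValueError(layout)

# Constructed packets, not captured traffic.
ECHO_REPLY = {"src": "fe80::1", "dst": "fe80::abcd", "ctstate": "INVALID"}   # reply to a ping to ff02::1
GLOBAL_INVALID = {"src": "2001:db8::1", "dst": "2001:db8::2", "ctstate": "INVALID"}
MCAST_REQUEST = {"src": "fe80::1", "dst": "ff02::1", "ctstate": "NEW"}        # our own ping to ff02::1

if __name__ == "__main__":
    for name, pkt in (("echo reply", ECHO_REPLY), ("global invalid", GLOBAL_INVALID),
                      ("mcast request", MCAST_REQUEST)):
        print(name, {l: output_verdict(pkt, l) for l in ("unpatched", "patched", "exceptions")})
```

The echo reply is what the patch rescues: its destination is link-local, not ff02::1, which is why the exemption matches it while a conntrack-INVALID packet to a global address is still dropped in every layout.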

> Signed-off-by: Vittorio Gambaletta <[email protected]>
> ---
>
> diff --git a/defaults.c b/defaults.c
> index 3d210f9..ea905e0 100644
> --- a/defaults.c
> +++ b/defaults.c
> @@ -180,6 +180,14 @@ fw3_print_default_head_rules(struct fw3_ipt_handle 
*handle,
>            "FORWARD", "forwarding",
>    };
>
> +  struct fw3_address mcdst = {
> +          .set = true,
> +          .invert = true,
> +          .family = FW3_FAMILY_V6,
> +          .address.v6.s6_addr = { 0xfe, 0x80 },
> +          .mask.v6.s6_addr = { 0xff, 0xc0 },
> +  };
> +
>    switch (handle->table)
>    {
>    case FW3_TABLE_FILTER:
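Review bot: the name `mcdst` and the bare `.invert = true` hide what this address actually matches: the struct describes fe80::/10 (mask bytes ff c0) with the match inverted, i.e. "destination is not link-local", not a multicast destination. A name such as `not_linklocal_dst` or a one-line comment saying that this exempts locally generated packets to link-local destinations (replies to pings to ff02::1 that conntrack cannot track) would spare the next reader the confusion already seen in this thread.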
> @@ -215,6 +223,8 @@ fw3_print_default_head_rules(struct fw3_ipt_handle 
*handle,
>                    if (defs->drop_invalid)
>                    {
>                            r = fw3_ipt_rule_new(handle);
> +                          if (i == 2 && handle->family == FW3_FAMILY_V6)
> +                                  fw3_ipt_rule_src_dest(r, NULL, &mcdst);
>                            fw3_ipt_rule_extra(r, "-m conntrack --ctstate 
INVALID");
>                            fw3_ipt_rule_target(r, "DROP");
>                            fw3_ipt_rule_append(r, chains[i]);
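Review bot: `i == 2` is a magic index that silently depends on the order of the `chains[]` array (the visible tail shows `"FORWARD", "forwarding"` as one entry); if that table is ever reordered, the exemption moves to a different chain with no compile-time warning. Comparing the chain name instead (e.g. `!strcmp(chains[i], "OUTPUT")`) or a named index, plus a short comment stating that only OUTPUT is exempted because conntrack does not track replies to multicast requests, would make the intent explicit. The commit message should also say that the exemption covers every conntrack-INVALID locally generated packet to fe80::/10, which is broader than the ICMPv6 echo case it names.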
> _______________________________________________
> openwrt-devel mailing list
> [email protected]
> https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel



_______________________________________________
openwrt-devel mailing list
[email protected]
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel