On 2012-12-04 16:51, Tom Eastep wrote:
> On 12/3/12 7:19 PM, Hugh Davenport wrote:
>> Hey,
>> 
>> I have a setup that has one machine communicating to a server using UDP
>> over IPv6. For specifics, it is using collectd with a boosted
>> MaxPacketSize in the network config.
>> 
>> What this means is there is some IP fragmentation happening, and that
>> is getting REJECTed. My policy is to REJECT, and I have an ALLOW for the
>> particular communication I want. What I'm getting in my logs is (I've
>> logged the ACCEPT rule for clarity):
>> 
>> Dec  4 16:11:19 xxxx kernel: [67682.239124] Shorewall:int2dmz:ACCEPT:IN=br1 OUT=br0 SRC=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=1496 TC=0 HOPLIMIT=63 FLOWLBL=0 FRAG:0 INCOMPLETE ID:56a39152 PROTO=UDP SPT=37801 DPT=25826 LEN=1905
>> Dec  4 16:11:19 xxxx kernel: [67682.239148] Shorewall:int2dmz:REJECT:IN=br1 OUT=br0 SRC=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=505 TC=0 HOPLIMIT=63 FLOWLBL=0 FRAG:1448 ID:56a39152 PROTO=UDP
>> 
>> The rule I have is:
>> ACCEPT:info     int:br1:[xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx] \
>>                 dmz:br0:[xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx] \
>>                 udp     25826
>> 
>> Does anyone have any ideas on how I can ALLOW this fragmentation?
> 
> As I understand the traffic on Netfilter-devel, unless you are running a
> recent 3.5+ kernel, IPv6 fragment handling in IPv6 is quite broken in
> Netfilter.

Awesome, thanks for that, will look forward to a future kernel upgrade
and use IPv4 in the mean time ;)

Cheers,

Hugh
> 
> -Tom
> 
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
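As an added illustration (this is not code from the thread, from Shorewall or from Netfilter), the Python below parses the two Netfilter log lines quoted above, correlates them by IPv6 fragment ID, and flags a non-first fragment that was REJECTed even though the first fragment of the same datagram was ACCEPTed. Running it makes the underlying problem visible: only the first fragment (FRAG:0) carries the UDP header, so a rule that matches on `udp 25826` has no SPT/DPT to match on the second fragment (FRAG:1448) unless the kernel reassembles before filtering. The log lines are copied from the post with their masked addresses; the field names are the standard Netfilter LOG dump, and everything else (function names, the finding format) is my own.

```python
import re
from collections import defaultdict

# Constructed copies of the two Netfilter log lines quoted in the thread, joined
# onto one line each; addresses are masked exactly as in the original post.
LOG_LINES = [
    "Dec  4 16:11:19 xxxx kernel: [67682.239124] Shorewall:int2dmz:ACCEPT:IN=br1 OUT=br0 "
    "SRC=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx "
    "LEN=1496 TC=0 HOPLIMIT=63 FLOWLBL=0 FRAG:0 INCOMPLETE ID:56a39152 "
    "PROTO=UDP SPT=37801 DPT=25826 LEN=1905",
    "Dec  4 16:11:19 xxxx kernel: [67682.239148] Shorewall:int2dmz:REJECT:IN=br1 OUT=br0 "
    "SRC=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx "
    "LEN=505 TC=0 HOPLIMIT=63 FLOWLBL=0 FRAG:1448 ID:56a39152 PROTO=UDP",
]

# Shorewall's log prefix is "Shorewall:<chain>:<disposition>:", followed by the
# standard Netfilter key=value dump.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<action>[^:\s]+):")
KV_RE = re.compile(r"\b([A-Z]+)=(\S+)")
# IPv6 fragment header dump: "FRAG:<offset> [flags...] ID:<hex id>"
FRAG_RE = re.compile(
    r"FRAG:(?P<offset>\d+)(?P<flags>(?:\s+(?!ID:)[A-Z]+)*)\s+ID:(?P<id>[0-9a-fA-F]+)"
)


def parse_line(line):
    """Parse one Shorewall/Netfilter log line into a dict, or return None."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"chain": m["chain"], "action": m["action"]}
    body = line[m.end():]
    for key, val in KV_RE.findall(body):
        # LEN appears twice: the first is the IPv6 payload length, the second
        # (present only when the transport header was seen) is the UDP length.
        if key == "LEN" and "LEN" in rec:
            rec["UDP_LEN"] = val
        else:
            rec[key] = val
    frag = FRAG_RE.search(body)
    if frag:
        rec["frag_offset"] = int(frag["offset"])
        rec["frag_flags"] = frag["flags"].split()
        rec["frag_id"] = frag["id"].lower()
    return rec


def group_fragments(records):
    """Group parsed records by IPv6 fragment ID, ordered by fragment offset."""
    groups = defaultdict(list)
    for rec in records:
        if rec and "frag_id" in rec:
            groups[rec["frag_id"]].append(rec)
    for recs in groups.values():
        recs.sort(key=lambda r: r["frag_offset"])
    return dict(groups)


def find_rejected_fragments(records):
    """Return one finding per non-first fragment that was REJECTed while the
    first fragment (offset 0) of the same datagram was ACCEPTed.

    Only the first fragment carries the UDP header, so 'has_ports' is False for
    the later ones: a port-based rule has nothing to match there, which is the
    pattern seen in the thread."""
    findings = []
    for frag_id, recs in group_fragments(records).items():
        first = next((r for r in recs if r["frag_offset"] == 0), None)
        if first is None or first["action"] != "ACCEPT":
            continue
        for rec in recs:
            if rec["frag_offset"] > 0 and rec["action"] == "REJECT":
                findings.append({
                    "frag_id": frag_id,
                    "chain": rec["chain"],
                    "offset": rec["frag_offset"],
                    "has_ports": "DPT" in rec,
                    "first_dpt": first.get("DPT"),
                })
    return findings


if __name__ == "__main__":
    for f in find_rejected_fragments([parse_line(l) for l in LOG_LINES]):
        print(f"fragment id {f['frag_id']} offset {f['offset']} rejected in "
              f"{f['chain']}; first fragment to port {f['first_dpt']} accepted; "
              f"ports in rejected fragment: {f['has_ports']}")
```

Feed it a whole `/var/log/kern.log` instead of `LOG_LINES` and any datagram whose first fragment passed but whose tail was rejected shows up grouped by ID, which is a quicker way to confirm this failure mode than reading interleaved ACCEPT and REJECT lines by hand.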
