Hi,
playing around with DHCPv6 (running on a very secured box that also has an
outgoing netfilter ruleset) I found that something's going wrong with the
ICMPv6 matcher:
LOG rule reports:
Dec 25 18:31:01 gatepbg kernel: OUTPUT-FW6/cleanup:IN= OUT=eth0
SRC=0000:0000:0000:0000:0000:0000:0000:0000
DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=96 TC=0 HOPLIMIT=1
FLOWLBL=0 OPT ( ) PROTO=ICMPv6 TYPE=143 CODE=0
I tried several rules (don't wonder about the wrong order; it was trial and
error with -I insert, so the topmost rule was inserted last):
# ip6tables -vn -L OUTPUT
Chain OUTPUT (policy DROP 4 packets, 4872 bytes)
 pkts bytes target  prot   opt in  out   source  destination
    2   192 ACCEPT  all        *   eth0  ::/0    ::/0
    0     0 ACCEPT  icmpv6     *   *     ::/0    ::/0
    0     0 ACCEPT  icmpv6     *   *     ::/0    ::/0          ipv6-icmp type 143
    0     0 ACCEPT  icmpv6     *   *     ::/0    ff02::/16     ipv6-icmp type 143
    0     0 ACCEPT  icmpv6     *   *     ::/0    ff02::/16     ipv6-icmp type 143
    0     0 ACCEPT  icmpv6     *   *     ::/0    ff02::16/128  ipv6-icmp type 143
Packet dump:
18:46:07.984044 :: > ff02::16: HBH (rtalert: 0x0000) (padn)[icmp6 sum ok]
icmp6: type-#143 [hlim 1] (len 56)
0x0000: 6000 0000 0038 0001 0000 0000 0000 0000 `....8..........
0x0010: 0000 0000 0000 0000 ff02 0000 0000 0000 ................
0x0020: 0000 0000 0000 0016 3a00 0502 0000 0100 ........:.......
0x0030: 8f00 6b6a 0000 0002 0400 0000 ff05 0000 ..kj............
0x0040: 0000 0000 0000 0000 0001 0003 0400 0000 ................
0x0050: ff02 0000 0000 0000 0000 0000 0001 0002 ................
I'm surprised that only the proto "all" rule matches such a packet.
BTW: does it make sense that ip6tables remembers whether I used "-p all" on
insert or not?
# ip6tables -I OUTPUT -p all -o eth0 -j ACCEPT
# ip6tables -D OUTPUT -o eth0 -j ACCEPT
ip6tables: Bad rule (does a matching rule exist in that chain?)
# ip6tables -D OUTPUT -p all -o eth0 -j ACCEPT
(ok)
Same the other way round:
# ip6tables -I OUTPUT -o eth0 -j ACCEPT
# ip6tables -D OUTPUT -p all -o eth0 -j ACCEPT
ip6tables: Bad rule (does a matching rule exist in that chain?)
Strange... I didn't really expect such behaviour as a "newbie" ;-)
Peter
--
Dr. Peter Bieringer http://www.bieringer.de/pb/
GPG/PGP Key 0x958F422D mailto: pb at bieringer dot de
Deep Space 6 Co-Founder and Core Member http://www.deepspace6.net/
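Added example (not part of the mail above): a small Python parser for the packet in the tcpdump hex dump. It walks the IPv6 extension-header chain (here a Hop-by-Hop header carrying the Router Alert option) to reach ICMPv6 and decode the MLDv2 report, which is what a matcher has to do to see type 143; a check that only reads the fixed header's Next Header field sees protocol 0 (Hop-by-Hop) instead. The byte string is re-typed from the dump; the function names are this example's own.

```python
"""Walk an IPv6 extension-header chain to reach the ICMPv6 header."""
import ipaddress
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS, ICMPV6 = 0, 43, 44, 51, 60, 58

# Constructed from the hex dump in the mail (96 bytes): IPv6 header with
# Next Header 0, an 8-byte Hop-by-Hop header (Router Alert + PadN) whose
# Next Header is 58, then an ICMPv6 MLDv2 report (type 143) with 2 records.
PACKET = bytes.fromhex(
    "60000000003800010000000000000000"
    "0000000000000000ff02000000000000"
    "00000000000000163a00050200000100"
    "8f006b6a0000000204000000ff050000"
    "00000000000000000001000304000000"
    "ff020000000000000000000000010002"
)


def ipv6_next_header(pkt):
    """Only the fixed header's Next Header field: what a naive check sees."""
    return pkt[6]


def upper_layer(pkt):
    """Return (protocol, offset) of the first non-extension header."""
    nh, off = pkt[6], 40
    while True:
        if nh == FRAGMENT:                      # fixed 8-byte header
            nh, off = pkt[off], off + 8
        elif nh == AH:                          # length counted in 4-byte units, minus 2
            nh, off = pkt[off], off + (pkt[off + 1] + 2) * 4
        elif nh in (HOP_BY_HOP, ROUTING, DEST_OPTS):  # length in 8-byte units, minus 1
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        else:
            return nh, off


def mldv2_report(pkt):
    """Parse ICMPv6 type 143: return (type, code, [(record type, group)])."""
    proto, off = upper_layer(pkt)
    if proto != ICMPV6:
        return None
    icmp_type, code, _csum, _res, nrec = struct.unpack_from("!BBHHH", pkt, off)
    groups, pos = [], off + 8
    for _ in range(nrec):
        rtype, aux_len, nsrc = struct.unpack_from("!BBH", pkt, pos)
        groups.append((rtype, str(ipaddress.IPv6Address(pkt[pos + 4:pos + 20]))))
        pos += 20 + nsrc * 16 + aux_len * 4   # skip sources and auxiliary data
    return icmp_type, code, groups


if __name__ == "__main__":
    print("fixed-header next header:", ipv6_next_header(PACKET))  # 0
    print("after extension headers:", upper_layer(PACKET))       # (58, 48)
    print("MLDv2 report:", mldv2_report(PACKET))
```

The two group records decode to ff05::1:3 and ff02::1:2, the DHCPv6 multicast groups the box was joining.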