Discussion:
dropping UNTRACKED packets, breaks IPv6 - why?
Christoph Anton Mitterer
2013-07-26 01:59:22 UTC
Hi.

I usually have some default rules in place on all nodes which look about
like this:
---------------------
-A INPUT --in-interface lo -j ACCEPT
-A OUTPUT --out-interface lo -j ACCEPT

-A INPUT -m state --state UNTRACKED -j DROP
-A FORWARD -m state --state UNTRACKED -j DROP
-A OUTPUT -m state --state UNTRACKED -j DROP

-A INPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP

#handle IPsec only sources/destinations
#snip/snap

#allow incoming packets for all established and all related connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#allow incoming ICMP packets
-A INPUT --protocol icmpv6 -j ACCEPT
---------------------
And the same for IPv4.

The idea with dropping the UNTRACKED/INVALID was that such packages are
probably not good fellows and should stay out...

Okay... now with IPv4 everything works as expected...


But with v6 nothing works at all and I get Destination unreachables
(even on pings)... I can't even reach the gateway.

When I disable dropping the untracked packets... it starts working,...
even when afterwards I enable it again.
Seems that there is some connection between the host and the gateway
shown then by conntrack.


Now... question is why?


Cheers,
Chris.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Arturo Borrero Gonzalez
2013-07-26 07:07:18 UTC
On 26 July 2013 03:59, Christoph Anton Mitterer
Hi.
I usually have some default rules in place on all nodes which look about
---------------------
-A INPUT --in-interface lo -j ACCEPT
-A OUTPUT --out-interface lo -j ACCEPT
-A INPUT -m state --state UNTRACKED -j DROP
-A FORWARD -m state --state UNTRACKED -j DROP
-A OUTPUT -m state --state UNTRACKED -j DROP
-A INPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
#handle IPsec only sources/destinations
#snip/snap
#allow incoming packets for all established and all related connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#allow incoming ICMP packets
-A INPUT --protocol icmpv6 -j ACCEPT
Could you provide a ip6tables-save format ruleset?
---------------------
And the same for IPv4.
The idea with dropping the UNTRACKED/INVALID was that such packages are
probably not good fellows and should stay out...
Okay... now with IPv4 everything works as expected...
But with v6 nothing works at all and I get Destination unreachables
(even on pings)... I can't even reach the gateway.
When I disable dropping the untracked packets... it starts working,...
even when afterwards I enable it again.
Seems that there is some connection between the host and the gateway
shown then by conntrack.
Now... question is why?
What is the default policy? I guess you are not allowing ICMP messages
in OUTPUT. ICMP messages are important in IPv6.

Regards.

--
Arturo Borrero González
Christoph Anton Mitterer
2013-07-26 20:20:39 UTC
Hi.
Post by Arturo Borrero Gonzalez
Could you provide a ip6tables-save format ruleset?
see attachment...
Post by Arturo Borrero Gonzalez
What is the default policy? I guess you are not allowing ICMP messages
in OUTPUT. ICMP messages are important in IPv6.
No I do...

It's as if ICMP was UNTRACKED.

Just removing either
-A INPUT -m state --state UNTRACKED -j DROP
or
-A OUTPUT -m state --state UNTRACKED -j DROP
alone isn't enough... I really need to remove both (for the first time).

Cheers,
Chris.
Pascal Hambourg
2013-07-27 19:49:37 UTC
Hello,

The idea with dropping the UNTRACKED/INVALID was that such packages are
probably not good fellows and should stay out...
You should not blindly drop UNTRACKED or INVALID IPv6 packets.

Originally, ICMPv6 types related to NDP (Neighbour Discovery Protocol),
i.e. Router Solicitation and Router Advertisement (used for stateless
autoconfiguration), Neighbour Solicitation and Neighbour Advertisement
(used as a replacement for ARP request and reply), and a few others had
the INVALID state. However these types are required for proper IPv6
operation on ethernet-like links. Since kernel 2.6.29, they are not
tracked any more and have the UNTRACKED state. See the commit below.

commit 3f9007135c1dc896db9a9e35920aafc65b157230
Author: Eric Leblond <***@inl.fr>
Date: Mon Feb 9 14:33:20 2009 -0800

netfilter: nf_conntrack_ipv6: don't track ICMPv6 negotiation message

This patch removes connection tracking handling for ICMPv6 messages
related to Stateless Address Autoconfiguration, MLD, and MLDv2. They
can not be tracked because they are massively using multicast (on
pre-defined address). But they are not invalid and should not be
detected as such.

Signed-off-by: Eric Leblond <***@inl.fr>
Signed-off-by: Patrick McHardy <***@trash.net>
Signed-off-by: David S. Miller <***@davemloft.net>

Christoph Anton Mitterer
2013-07-27 20:53:21 UTC
Hi Pascal.
Post by Pascal Hambourg
You should not blindly drop UNTRACKED or INVALID IPv6 packets.
I see,... thanks.
Why not INVALID IPv6 packets? AFAICS, the patch you've mentioned only
removes tracking for these kinds of packets, but doesn't mark them
invalid.


1) So... are there any other reasonable default rules one should make
for IPv6 (or IPv4) then?
I guess the kernel itself already assures that any address of its own
interfaces is not accepted as source address for packages coming over
the wire? I.e. to prevent spoofing of the host's own addresses.

2) What about INVALID/UNTRACKED with respect to IPv4? Is it there still
advisable to DROP them unconditionally?


Oh and btw: Does the IPsec handling I do still work with IPv6 or has
anything changed there as well?

I.e. the idea is that I jump to the ipsec-only-in/out chain for any
source/destination host for which I want to accept only
incoming/outgoing packages when they're IPsec'ed.
The jump happens of course before the:
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


Thanks,
Chris.

Pascal Hambourg
2013-07-28 07:51:03 UTC
Post by Christoph Anton Mitterer
Post by Pascal Hambourg
You should not blindly drop UNTRACKED or INVALID IPv6 packets.
Why not INVALID IPv6 packets? AFAICS, the patch you've mentioned only
removes tracking for these kinds of packets, but doesn't mark them
invalid.
Because before the patch, older kernels marked NDP packets INVALID.
Post by Christoph Anton Mitterer
1) So... are there any other reasonable default rules one should make
for IPv6 (or IPv4) then?
Sure. On an ethernet-like interface, accept the following ICMPv6 types,
with hop limit 255 as these packets are link-local only:
- neighbour solicitation and neighbour advertisement in both directions
- router solicitation in output and router advertisement in input if the
box is an IPv6 host using stateless autoconfiguration
- router solicitation in input and router advertisement in output if the
box is an IPv6 router with radvd or the like listening on this interface.
Then you can drop anything else you (don't) like.
Post by Christoph Anton Mitterer
I guess the kernel itself already assures that any address of his own
interfaces are not accepted as source address for packages coming over
the wire? I.e. to prevent spoofing of the host's own addresses.
Yes.
Post by Christoph Anton Mitterer
2) What about INVALID/UNTRACKED with respect to IPv4? Is it there still
advisable to DROP them unconditionally?
AFAIK, IPv4 has nothing like NDP, so
- INVALID: normally, yes.
- UNTRACKED: AFAIK, it can only be the result of the NOTRACK target, so
you would know about it.
Post by Christoph Anton Mitterer
Oh and btw: Does the IPsec handling I do still work with IPv6 or has
anything changed there as well?
I don't use IPSec and don't know about its handling by iptables.
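Pascal's advice above, together with the point from his earlier reply that the NDP types have been UNTRACKED since kernel 2.6.29, as an added example in the ip6tables-save format Arturo asked for (example code, not from any of the posters). The function name ndp_rules, the ROLE environment variable, the default DROP policies and the OUTPUT accept for NEW connections are assumptions; the ICMPv6 types, directions and hop-limit match follow the rules quoted in the thread.

```shell
#!/bin/sh
# Added example: emit an ip6tables-restore ruleset that accepts the NDP
# ICMPv6 types (UNTRACKED since kernel 2.6.29) before UNTRACKED/INVALID
# are dropped. Argument is "host" (stateless autoconf) or "router" (radvd-like).
ndp_rules() {
    role="$1"
    # NDP packets must arrive with hop limit 255, i.e. never forwarded
    hl='-m hl --hl-eq 255'
    case "$role" in
        host)   rs_chain=OUTPUT; ra_chain=INPUT  ;;   # we send RS, receive RA
        router) rs_chain=INPUT;  ra_chain=OUTPUT ;;   # we receive RS, send RA
        *) echo "usage: ndp_rules host|router" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Neighbour discovery (the ARP replacement) in both directions
-A INPUT -p icmpv6 --icmpv6-type neighbour-solicitation $hl -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type neighbour-advertisement $hl -j ACCEPT
-A OUTPUT -p icmpv6 --icmpv6-type neighbour-solicitation $hl -j ACCEPT
-A OUTPUT -p icmpv6 --icmpv6-type neighbour-advertisement $hl -j ACCEPT
# Router discovery: direction depends on the role of this box
-A $rs_chain -p icmpv6 --icmpv6-type router-solicitation $hl -j ACCEPT
-A $ra_chain -p icmpv6 --icmpv6-type router-advertisement $hl -j ACCEPT
# Only now is it safe to drop what conntrack does not track or calls invalid
-A INPUT -m state --state UNTRACKED,INVALID -j DROP
-A FORWARD -m state --state UNTRACKED,INVALID -j DROP
-A OUTPUT -m state --state UNTRACKED,INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
COMMIT
EOF
}

# Print the ruleset for the selected role (ROLE is an assumed env var);
# pipe the output into ip6tables-restore to load it.
ndp_rules "${ROLE:-host}"
```

Rule order is the whole point: if the UNTRACKED drop comes first, the NS/NA and RS/RA packets never reach the accept rules and the symptoms in the first message reappear.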