xt_connlimit 20070628 kernel

Yasuyuki KOZAKAI yasuyuki.kozakai at toshiba.co.jp
Wed Jul 4 10:55:17 CEST 2007


Hi,

It seems an old discussion, anyway,

From: Patrick McHardy <kaber at trash.net>
Date: Mon, 02 Jul 2007 14:27:49 +0200

> Jan Engelhardt wrote:
> > On Jun 29 2007 13:27, Patrick McHardy wrote:
> > 
> >>A single hash would have the advantage that it would make it easier to deal
> >>with IPv4 mapped addresses (that's assuming that an IPv4 mapped address and a
> >>regular address should be counted as the same thing).
> > 
> > 
> > Huwee :)
> > Mathematically seen, all that is required is a hash function that is pure (GCC
> > slang for "produces always the same for same input") for a tuple of
> > <ipaddress, struct xt_connlimit_data>. So I could use xhash for ipv4 and yhash
> > for ipv6 even and a per-connlimit_data rnd.
> > 
> > Right, to the topic: I think we're fine here.
> 
> 
> That didn't answer my question. Should IPv6 mapped IPv4 addresses be
> counted as the same address as the mapped IPv4 address or not?

Logically, IPv6 packets including (almost) mapped addresses can be
assumed to belong to IPv4 connections.

But now I don't want to do that because mapped addresses can cause security
issues.

	http://www.ietf.org/internet-drafts/draft-ietf-v6ops-security-overview-06.txt
	(2.2.  IPv4-mapped IPv6 Addresses)

These issues arise because IPv6 packets including a mapped address are handled as
IPv4 packets. So, to avoid new security issues we don't know yet, I think
that it's safe not to merge IPv4 connections and IPv6 connections.


P.S. That's the reason why the hash function of nf_conntrack takes the address family.

-- Yasuyuki Kozakai
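The point of the message above, as an added example that is not code from the thread, from xt_connlimit or from nf_conntrack: a connlimit-style counter whose hash key is (address family, address), so that 192.0.2.1 and its IPv4-mapped form ::ffff:192.0.2.1 are counted as two different peers, beside the "merge" variant that demotes the mapped form to IPv4 and so lets both forms share one limit. The family tags CL_AF4/CL_AF6, the FNV-1a hash, the fixed-size table and the peer list are all assumptions made for the example; only the design rule (family is part of the key, one pure hash function over the tuple, a per-table rnd) comes from the discussion.

```c
#include <stdint.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Local family tags (hypothetical, not the kernel's AF_INET/AF_INET6). */
enum { CL_AF4 = 4, CL_AF6 = 6 };

/* Connlimit-style key: family plus address. With the family in the key,
 * 192.0.2.1 and ::ffff:192.0.2.1 land in different entries. */
struct cl_key { uint8_t family; uint8_t ip[16]; };  /* IPv4 uses ip[0..3] */

#define CL_BUCKETS 64
struct cl_entry { struct cl_key key; unsigned count; int used; };
struct cl_table { struct cl_entry e[CL_BUCKETS]; uint32_t rnd; };

/* True for an IPv4-mapped IPv6 address (::ffff:0:0/96). */
int cl_is_v4mapped(const uint8_t ip6[16])
{
    static const uint8_t prefix[12] = {0,0,0,0,0,0,0,0,0,0,0xff,0xff};
    return memcmp(ip6, prefix, sizeof prefix) == 0;
}

/* Parse txt into a key. merge != 0 rewrites ::ffff:a.b.c.d into the IPv4
 * key a.b.c.d, i.e. the merging the message argues against. */
int cl_make_key(struct cl_key *k, const char *txt, int merge)
{
    memset(k, 0, sizeof *k);
    if (inet_pton(AF_INET, txt, k->ip) == 1) {
        k->family = CL_AF4;
        return 0;
    }
    if (inet_pton(AF_INET6, txt, k->ip) != 1)
        return -1;
    k->family = CL_AF6;
    if (merge && cl_is_v4mapped(k->ip)) {
        memmove(k->ip, k->ip + 12, 4);
        memset(k->ip + 4, 0, 12);
        k->family = CL_AF4;
    }
    return 0;
}

/* FNV-1a over (family, address) seeded with the table's rnd: one hash
 * function serves both families, the family byte keeps them apart. */
uint32_t cl_hash(const struct cl_key *k, uint32_t rnd)
{
    uint32_t h = 2166136261u ^ rnd;
    size_t len = (k->family == CL_AF4) ? 4 : 16;
    h = (h ^ k->family) * 16777619u;
    for (size_t i = 0; i < len; i++)
        h = (h ^ k->ip[i]) * 16777619u;
    return h;
}

/* Record one connection for k; returns its new count, or 0 when the
 * table is full (open addressing, linear probing). */
unsigned cl_count(struct cl_table *t, const struct cl_key *k)
{
    uint32_t i = cl_hash(k, t->rnd) % CL_BUCKETS;
    for (int n = 0; n < CL_BUCKETS; n++, i = (i + 1) % CL_BUCKETS) {
        struct cl_entry *e = &t->e[i];
        if (!e->used) {
            e->used = 1;
            e->key = *k;
            return e->count = 1;
        }
        if (e->key.family == k->family && memcmp(e->key.ip, k->ip, 16) == 0)
            return ++e->count;
    }
    return 0;
}

/* Feed a constructed peer list (three IPv4 connections, then two from the
 * mapped form of the same address) and return the count the last one sees:
 * 2 with the family in the key, 5 when mapped addresses are merged. */
unsigned cl_demo(int merge)
{
    static const char *peers[] = {
        "192.0.2.1", "192.0.2.1", "192.0.2.1",
        "::ffff:192.0.2.1", "::ffff:192.0.2.1",
    };
    struct cl_table t;
    struct cl_key k;
    unsigned c = 0;

    memset(&t, 0, sizeof t);
    t.rnd = 0x5eed1234u;        /* constructed; real code draws it randomly */
    for (size_t i = 0; i < sizeof peers / sizeof peers[0]; i++)
        if (cl_make_key(&k, peers[i], merge) == 0)
            c = cl_count(&t, &k);
    return c;
}
```

cl_demo(0) is the behaviour the message recommends: a peer that reaches the box over IPv4 and again via the mapped IPv6 form is two separate entries, so whatever the IPv6 path does with mapped addresses cannot change the IPv4 count. cl_demo(1) shows the merged alternative, where the rewrite in cl_make_key is exactly the place a mapped address would start being treated as an IPv4 packet.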


