[Bug 508] New: ip6tables conntrack marks all incoming packets as INVALID
bugzilla-daemon at bugzilla.netfilter.org
Wed Sep 13 11:33:22 CEST 2006
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=508
Summary: ip6tables conntrack marks all incoming packets as INVALID
Product: netfilter/iptables
Version: linux-2.6.x
Platform: i386
OS/Version: Gentoo
Status: NEW
Severity: normal
Priority: P2
Component: ip_conntrack
AssignedTo: laforge at netfilter.org
ReportedBy: lorimz at gmail.com
I'm setting up an iptables/ip6tables firewall and I did the following:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
(this one works OK)
ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
(this one DOES NOT work)
My IPv6 interface is sit0; it is an IPv6-over-IPv4 tunnel.
All incoming packets are marked INVALID, as in this ping6 (this log is of the
echo-pong replies):
Sep 13 10:27:28 eddie inv: IN=sit0 OUT=
MAC=40:03:27:00:00:00:1f:00:00:00:00:00:00:21:45:00:00:7c:ac:f0:00:00:16:29:e3:52:a3:a2:aa:b1:50:68:75:5a:60:00:00:00:00:40:3a:3a:20:01:0b:40:0d:ea:00:12:00:01:00:01:00:01:00:01:20:01:06:b8:00:00:06:00:00:00
TUNNEL=163.162.170.177->80.104.117.90
SRC=2001:0b40:0dea:0012:0001:0001:0001:0001
DST=2001:06b8:0000:0600:0000:0000:0000:2046 LEN=104 TC=0 HOPLIMIT=58 FLOWLBL=0
PROTO=ICMPv6 TYPE=129 CODE=0 ID=46889 SEQ=1
Sep 13 10:27:33 eddie inv: IN=sit0 OUT=
MAC=80:01:75:00:00:00:b6:00:91:00:00:00:00:21:45:00:00:7c:ad:0f:00:00:16:29:e3:33:a3:a2:aa:b1:50:68:75:5a:60:00:00:00:00:40:3a:3a:20:01:0b:40:0d:ea:00:12:00:01:00:01:00:01:00:01:20:01:06:b8:00:00:06:00:00:00
TUNNEL=163.162.170.177->80.104.117.90
SRC=2001:0b40:0dea:0012:0001:0001:0001:0001
DST=2001:06b8:0000:0600:0000:0000:0000:2046 LEN=104 TC=0 HOPLIMIT=58 FLOWLBL=0
PROTO=ICMPv6 TYPE=129 CODE=0 ID=46889 SEQ=2
Sep 13 10:27:38 eddie inv: IN=sit0 OUT=
MAC=40:03:27:00:00:00:1f:00:00:00:00:ff:00:21:45:00:00:7c:ad:2d:00:00:16:29:e3:15:a3:a2:aa:b1:50:68:75:5a:60:00:00:00:00:40:3a:3a:20:01:0b:40:0d:ea:00:12:00:01:00:01:00:01:00:01:20:01:06:b8:00:00:06:00:00:00
TUNNEL=163.162.170.177->80.104.117.90
SRC=2001:0b40:0dea:0012:0001:0001:0001:0001
DST=2001:06b8:0000:0600:0000:0000:0000:2046 LEN=104 TC=0 HOPLIMIT=58 FLOWLBL=0
PROTO=ICMPv6 TYPE=129 CODE=0 ID=46889 SEQ=3
I'm logging only packets that match the INVALID state.
As a workaround, I've set up ip6tables as follows:
ip6tables -A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
ip6tables -A INPUT -i sit+ -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
That let me establish a connection and receive echo-pong replies.
I am using iptables-1.3.5-r1 (maybe a Gentoo revision, but I think no patches
were applied) on a 2.6.17 kernel (with *ALL* of networking built-in).
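Decoding the LOG entries above, as an added example that is not part of the bug report: on a sit interface the MAC= field carries the outer IPv4 delivery header rather than an Ethernet header, so this script recovers that header by checksum, checks that its protocol-41 endpoints match TUNNEL= and that the inner IPv6 header agrees with LEN and HOPLIMIT, and extracts the echo reply's flow tuple, which is what to compare against the conntrack table when working out why the reply is INVALID. The sample input is the three entries from the report, re-joined one per line; field names and return shapes are this example's own.

```python
import re
from collections import Counter

# The three LOG entries quoted in the report, constructed here one per line (the archive wrapped them).
LOG = """\
Sep 13 10:27:28 eddie inv: IN=sit0 OUT= MAC=40:03:27:00:00:00:1f:00:00:00:00:00:00:21:45:00:00:7c:ac:f0:00:00:16:29:e3:52:a3:a2:aa:b1:50:68:75:5a:60:00:00:00:00:40:3a:3a:20:01:0b:40:0d:ea:00:12:00:01:00:01:00:01:00:01:20:01:06:b8:00:00:06:00:00:00 TUNNEL=163.162.170.177->80.104.117.90 SRC=2001:0b40:0dea:0012:0001:0001:0001:0001 DST=2001:06b8:0000:0600:0000:0000:0000:2046 LEN=104 TC=0 HOPLIMIT=58 FLOWLBL=0 PROTO=ICMPv6 TYPE=129 CODE=0 ID=46889 SEQ=1
Sep 13 10:27:33 eddie inv: IN=sit0 OUT= MAC=80:01:75:00:00:00:b6:00:91:00:00:00:00:21:45:00:00:7c:ad:0f:00:00:16:29:e3:33:a3:a2:aa:b1:50:68:75:5a:60:00:00:00:00:40:3a:3a:20:01:0b:40:0d:ea:00:12:00:01:00:01:00:01:00:01:20:01:06:b8:00:00:06:00:00:00 TUNNEL=163.162.170.177->80.104.117.90 SRC=2001:0b40:0dea:0012:0001:0001:0001:0001 DST=2001:06b8:0000:0600:0000:0000:0000:2046 LEN=104 TC=0 HOPLIMIT=58 FLOWLBL=0 PROTO=ICMPv6 TYPE=129 CODE=0 ID=46889 SEQ=2
Sep 13 10:27:38 eddie inv: IN=sit0 OUT= MAC=40:03:27:00:00:00:1f:00:00:00:00:ff:00:21:45:00:00:7c:ad:2d:00:00:16:29:e3:15:a3:a2:aa:b1:50:68:75:5a:60:00:00:00:00:40:3a:3a:20:01:0b:40:0d:ea:00:12:00:01:00:01:00:01:00:01:20:01:06:b8:00:00:06:00:00:00 TUNNEL=163.162.170.177->80.104.117.90 SRC=2001:0b40:0dea:0012:0001:0001:0001:0001 DST=2001:06b8:0000:0600:0000:0000:0000:2046 LEN=104 TC=0 HOPLIMIT=58 FLOWLBL=0 PROTO=ICMPv6 TYPE=129 CODE=0 ID=46889 SEQ=3
"""

FIELD = re.compile(r"(\w+)=(\S*)")

def parse_fields(line):  # KEY=VALUE pairs after the 'inv: ' prefix, as a dict (OUT= is empty)
    return dict(FIELD.findall(line.partition(": ")[2]))

def ipv4_checksum(header):
    """RFC 791 one's-complement sum; a header with a valid checksum sums to 0xffff."""
    total = sum(int.from_bytes(header[i:i + 2], "big") for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return total

def outer_ipv4(mac_field):
    """sit has no link-layer header, so MAC= holds the outer IPv4 header: find it by checksum."""
    raw = bytes.fromhex(mac_field.replace(":", ""))
    for off in range(len(raw) - 19):
        h = raw[off:off + 20]
        if h[0] == 0x45 and ipv4_checksum(h) == 0xffff:  # IPv4, IHL 5, checksum verifies
            return {"total_len": int.from_bytes(h[2:4], "big"), "ttl": h[8],
                    "proto": h[9], "src": ".".join(map(str, h[12:16])),
                    "dst": ".".join(map(str, h[16:20])), "inner": raw[off + 20:]}
    return None

def decode(line):
    """Cross-check one LOG line's fields against the headers hidden in MAC=."""
    f = parse_fields(line)
    outer = outer_ipv4(f["MAC"])
    inner = outer["inner"]  # IPv6 header: payload len [4:6], next header [6], hop limit [7]
    return {
        # protocol 41 is IPv6-in-IPv4; the endpoints must match the TUNNEL= field
        "tunnel_ok": outer["proto"] == 41 and f["TUNNEL"] == f"{outer['src']}->{outer['dst']}",
        "len_ok": outer["total_len"] == int(f["LEN"]) + 20 and int.from_bytes(inner[4:6], "big") + 40 == int(f["LEN"]),
        "hoplimit_ok": inner[7] == int(f["HOPLIMIT"]),
        "echo_reply": inner[6] == 58 and f["PROTO"] == "ICMPv6" and f["TYPE"] == "129",
        "flow": (f["SRC"], f["DST"], f["PROTO"], f["ID"]),  # the tuple to look up in conntrack
    }

def summarize(log=LOG):  # every decoded entry plus a per-flow count of INVALID-logged packets
    results = [decode(line) for line in log.splitlines() if line]
    return results, Counter(r["flow"] for r in results)
```

All three entries decode to the same echo-reply flow, and the outer header's TTL and IP ID can be read off as well, which helps tell a conntrack problem apart from a mangled tunnel.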