[Bug 567] New: Local multicast ICMPv6 and --state INVALID
bugzilla-daemon at bugzilla.netfilter.org
Fri Jan 9 15:55:16 CET 2009
http://bugzilla.netfilter.org/show_bug.cgi?id=567
Summary: Local multicast ICMPv6 and --state INVALID
Product: netfilter/iptables
Version: linux-2.6.x
Platform: All
OS/Version: Ubuntu
Status: NEW
Severity: blocker
Priority: P1
Component: unknown
AssignedTo: laforge at netfilter.org
ReportedBy: vstinner at inl.fr
Hi,
I'm trying to set up strict INPUT firewall rules on my computer but I have a
problem with IPv6: multicast ICMPv6 packets are dropped because they are
detected as invalid. Example:
ip6tables -A INPUT -m state --state INVALID -j LOG --log-prefix "Drop INVALID INPUT"
ip6tables -A OUTPUT -m state --state INVALID -j LOG --log-prefix "Drop INVALID OUTPUT"
Example of dropped packets:
Jan 9 15:31:32 lisa kernel: [5169594.063033] Drop INVALID INPUT IN=eth0 OUT=
MAC=33:33:00:00:00:01:00:07:cb:3c:ed:d8:86:dd
SRC=fe80:0000:0000:0000:0207:cbff:fe3c:edd8
DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=144 TC=0 HOPLIMIT=255 FLOWLBL=0
PROTO=ICMPv6 TYPE=134 CODE=0
Jan 9 15:31:33 lisa kernel: [5169595.352014] Drop INVALID OUTPUT IN= OUT=eth0
SRC=fe80:0000:0000:0000:0221:85ff:fe11:6da0
DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=76 TC=0 HOPLIMIT=1 FLOWLBL=0
PROTO=ICMPv6 TYPE=143 CODE=0
The first packet is a Router Advertisement (ICMPv6 type 134) sent by my
Internet box (Freebox) to my computer. The second packet is a Multicast
Listener Report Message v2 (ICMPv6 type 143) sent by my computer to the local
multicast group. Addresses ff02::1 and ff02::16 are part of ff02::/112, multicast
with scope=2 (link).
I tested on:
- Ubuntu Gutsy, kernel 2.6.22, i386, ip6tables 1.3.6
- Ubuntu Ibex, kernel 2.6.27, x86_64, ip6tables 1.4.0
Is it a bug? Or should I load/install an extra kernel/iptables module?
Victor Stinner
http://www.inl.fr/
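As an added example (not part of the bug report, and not netfilter code), the following Python script parses netfilter LOG lines like the two quoted above, decides whether a dropped packet is a Neighbor Discovery or MLD message carrying the hop limit its protocol mandates (255 for ND per RFC 4861, 1 for MLD per RFC 2710/3810), and generates the ip6tables ACCEPT rules a defender would insert ahead of the "--state INVALID" rule so that these link-local control messages are not lost. The type-to-hop-limit table, the link-local source check and the rule form are my assumptions about a sane exception list; the sample log lines are constructed copies of the reporter's output joined onto single lines.

```python
import ipaddress
import re

# Constructed copies of the two kernel LOG lines from the bug report, joined onto one line each.
SAMPLE_LOG = [
    "Jan 9 15:31:32 lisa kernel: [5169594.063033] Drop INVALID INPUT IN=eth0 OUT= "
    "MAC=33:33:00:00:00:01:00:07:cb:3c:ed:d8:86:dd SRC=fe80:0000:0000:0000:0207:cbff:fe3c:edd8 "
    "DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=144 TC=0 HOPLIMIT=255 FLOWLBL=0 "
    "PROTO=ICMPv6 TYPE=134 CODE=0",
    "Jan 9 15:31:33 lisa kernel: [5169595.352014] Drop INVALID OUTPUT IN= OUT=eth0 "
    "SRC=fe80:0000:0000:0000:0221:85ff:fe11:6da0 "
    "DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=76 TC=0 HOPLIMIT=1 FLOWLBL=0 "
    "PROTO=ICMPv6 TYPE=143 CODE=0",
]

# ICMPv6 types conntrack cannot tie to a flow, with the hop limit the protocol mandates
# (assumed table): Neighbor Discovery 133-136 -> 255 (RFC 4861); MLD 130-132, 143 -> 1.
EXPECTED_HL = {133: 255, 134: 255, 135: 255, 136: 255, 130: 1, 131: 1, 132: 1, 143: 1}
LINK_SCOPE = ipaddress.IPv6Network("ff02::/16")

FIELD_RE = re.compile(r"([A-Z]+)=(\S*)")


def parse_nflog(line):
    """Turn the KEY=VALUE part of a netfilter LOG line into a dict (ints where numeric)."""
    return {key: int(val) if val.isdigit() else val for key, val in FIELD_RE.findall(line)}


def is_link_local_control(fields):
    """True if the logged packet is an ND/MLD message that looks legitimate on the link:
    known type, link-local source, mandated hop limit, and a link-scope multicast (or unicast) destination."""
    if fields.get("PROTO") != "ICMPv6" or fields.get("TYPE") not in EXPECTED_HL:
        return False
    src = ipaddress.IPv6Address(fields["SRC"])
    dst = ipaddress.IPv6Address(fields["DST"])
    if not src.is_link_local or fields.get("HOPLIMIT") != EXPECTED_HL[fields["TYPE"]]:
        return False
    return (not dst.is_multicast) or dst in LINK_SCOPE


def exception_rules(chain):
    """ip6tables commands that insert (-I, so they precede the existing '--state INVALID' rule)
    one ACCEPT per ND/MLD type, pinned to a link-local source and the mandated hop limit."""
    return [
        f"ip6tables -I {chain} -p icmpv6 --icmpv6-type {icmp_type} "
        f"-s fe80::/10 -m hl --hl-eq {hop_limit} -j ACCEPT"
        for icmp_type, hop_limit in sorted(EXPECTED_HL.items())
    ]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        f = parse_nflog(line)
        print(f"TYPE={f['TYPE']} HOPLIMIT={f['HOPLIMIT']} ND/MLD-control={is_link_local_control(f)}")
    for chain in ("INPUT", "OUTPUT"):
        print("\n".join(exception_rules(chain)))
```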