[Bug 597] New: ip6tables connlimit - cannot set CIDR greater than 32 (includes fix)

bugzilla-daemon at bugzilla.netfilter.org
Sun Jun 7 14:23:23 CEST 2009


http://bugzilla.netfilter.org/show_bug.cgi?id=597

           Summary: ip6tables connlimit - cannot set CIDR greater than 32
                    (includes fix)
           Product: iptables
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: major
          Priority: P1
         Component: ip6tables
        AssignedTo: laforge at netfilter.org
        ReportedBy: kd6lvw at yahoo.com


(e.g.) -m connlimit --connlimit-above 1 --connlimit-mask 48

Any mask size >32 will be set as 32 for IP6tables.  However, IPv6 addresses
have 128 bits.

iptables-1.4.3.2/extensions/libxt_connlimit.c (lines 26-30):
static void connlimit_init(struct xt_entry_match *match)
{
        struct xt_connlimit_info *info = (void *)match->data;
        info->v4_mask = 0xFFFFFFFFUL;
}

As "v4_mask" and "v6_mask[4]" are unioned, we're only initializing the most
significant 32 bits of the "v6_mask", but leaving the other 96 bits at zero
(zero-filling malloc assumed).

IPv4 Mask:  FFFF FFFF (OK)
IPv6 Mask:  FFFF FFFF 0000 0000 0000 0000 0000 0000 (PROBLEM)

This is the state of the mask BEFORE calling prefix_to_netmask(), which for
CIDRs greater than 32 will be shifting zero bits with zero bit fill - or in
other words, DOING NOTHING.  Since these bits are already zero, we cannot match
them.

We should initialize the mask with this instead (as a "diff"):

-        info->v4_mask = 0xFFFFFFFFUL;
+        info->v6_mask[0] = 0xFFFFFFFFUL;
+        info->v6_mask[1] = 0xFFFFFFFFUL;
+        info->v6_mask[2] = 0xFFFFFFFFUL;
+        info->v6_mask[3] = 0xFFFFFFFFUL;
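Review bot: the four assignments to info->v6_mask[0..3] are correct but could be a single memset(info->v6_mask, 0xFF, sizeof(info->v6_mask)), which cannot fall out of step with the array size if the union ever changes; either way, a one-line comment that v4_mask is covered because it aliases v6_mask[0] through the union would spare the next reader the question of why the IPv4 assignment was dropped. The fragment also has no file header or @@ hunk line, so it will not apply with patch -p1 as posted; the surrounding text gives the file and lines, but a proper diff header would let the maintainer apply it directly.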

I have tested this fix on my system.  It seems to work.  Hashlimit implements
the CIDR mask differently and does not suffer from this problem.
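The following added example (my own code, not the iptables sources) models the union layout the report describes and a host-order reconstruction of prefix_to_netmask() that only ever shifts zeros in, so you can see why a zero-filled upper 96 bits makes any /33 to /128 collapse to /32 with the old init and why the memset-style init fixes it; struct and function names are illustrative, not the project's.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for xt_connlimit_info: v4_mask aliases v6_mask[0]. */
struct connlimit_info_demo {
    union {
        uint32_t v4_mask;
        uint32_t v6_mask[4];
    };
    unsigned int limit;
};

/* Old init: only the first 32 bits of the union are set (zero-filled alloc assumed). */
static void connlimit_init_buggy(struct connlimit_info_demo *info)
{
    memset(info, 0, sizeof(*info));
    info->v4_mask = 0xFFFFFFFFUL;
}

/* Fixed init: all 128 bits set; v4_mask is covered via the union. */
static void connlimit_init_fixed(struct connlimit_info_demo *info)
{
    memset(info, 0, sizeof(*info));
    memset(info->v6_mask, 0xFF, sizeof(info->v6_mask));
}

/* Reconstruction (assumption, host byte order) of how a prefix is applied:
 * words inside the prefix are left alone, the boundary word is shifted left
 * (zeros enter from the right), words past the prefix are cleared.
 * It never sets a bit, so bits that start at zero stay zero. */
static void prefix_to_netmask_demo(uint32_t mask[4], unsigned int prefix)
{
    for (unsigned int i = 0; i < 4; i++) {
        unsigned int lo = 32 * i;               /* first bit index of this word */
        if (prefix >= lo + 32)
            continue;                           /* fully inside the prefix */
        else if (prefix <= lo)
            mask[i] = 0;                        /* fully outside the prefix */
        else
            mask[i] <<= 32 - (prefix - lo);     /* boundary word */
    }
}

/* Count mask bits that survive init + prefix: the prefix length actually enforced. */
static unsigned int effective_prefix(void (*init)(struct connlimit_info_demo *),
                                     unsigned int prefix)
{
    struct connlimit_info_demo info;
    unsigned int n = 0;
    init(&info);
    prefix_to_netmask_demo(info.v6_mask, prefix);
    for (unsigned int i = 0; i < 4; i++)
        for (uint32_t w = info.v6_mask[i]; w; w >>= 1)
            n += w & 1u;
    return n;
}

int main(void)
{
    printf("old init, --connlimit-mask 48 enforces /%u\n", effective_prefix(connlimit_init_buggy, 48));
    printf("new init, --connlimit-mask 48 enforces /%u\n", effective_prefix(connlimit_init_fixed, 48));
    return 0;
}
```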

