[Bug 742] New: ip6tables "-m iprange" ipv6 range detection

bugzilla-daemon at bugzilla.netfilter.org
Mon Aug 29 05:04:37 CEST 2011


http://bugzilla.netfilter.org/show_bug.cgi?id=742

           Summary: ip6tables "-m iprange" ipv6 range detection
           Product: netfilter/iptables
           Version: linux-2.6.x
          Platform: x86_64
        OS/Version: SuSE Linux
            Status: NEW
          Severity: critical
          Priority: P5
         Component: ip6_tables (kernel)
        AssignedTo: netfilter-buglog at lists.netfilter.org
        ReportedBy: mailxiening at gmail.com
   Estimated Hours: 0.0


I am using ip6tables to allow/disallow connections from clients with specific IP
addresses.
My client's IPv6 address is "fe80::e91b:befe:97dc:9df5".
The "-m iprange --src-range" match detects whether the client is in or out of the
specified range as follows.

I create the rules and set a log prefix:
ip6tables -I INPUT -m iprange --src-range 1000::0-ffff::0 -j LOG --log-level 7 --log-prefix "1000"
ip6tables -I INPUT -m iprange --src-range 2000::0-ffff::0 -j LOG --log-level 7 --log-prefix "2000"
ip6tables -I INPUT -m iprange --src-range 3000::0-ffff::0 -j LOG --log-level 7 --log-prefix "3000"
ip6tables -I INPUT -m iprange --src-range 4000::0-ffff::0 -j LOG --log-level 7 --log-prefix "4000"
ip6tables -I INPUT -m iprange --src-range 5000::0-ffff::0 -j LOG --log-level 7 --log-prefix "5000"
ip6tables -I INPUT -m iprange --src-range 6000::0-ffff::0 -j LOG --log-level 7 --log-prefix "6000"
ip6tables -I INPUT -m iprange --src-range 7000::0-ffff::0 -j LOG --log-level 7 --log-prefix "7000"
ip6tables -I INPUT -m iprange --src-range 8000::0-ffff::0 -j LOG --log-level 7 --log-prefix "8000"
ip6tables -I INPUT -m iprange --src-range 9000::0-ffff::0 -j LOG --log-level 7 --log-prefix "9000"
ip6tables -I INPUT -m iprange --src-range a000::0-ffff::0 -j LOG --log-level 7 --log-prefix "a000"
ip6tables -I INPUT -m iprange --src-range b000::0-ffff::0 -j LOG --log-level 7 --log-prefix "b000"
ip6tables -I INPUT -m iprange --src-range c000::0-ffff::0 -j LOG --log-level 7 --log-prefix "c000"
ip6tables -I INPUT -m iprange --src-range d000::0-ffff::0 -j LOG --log-level 7 --log-prefix "d000"
ip6tables -I INPUT -m iprange --src-range e000::0-ffff::0 -j LOG --log-level 7 --log-prefix "e000"
ip6tables -I INPUT -m iprange --src-range f000::0-ffff::0 -j LOG --log-level 7 --log-prefix "f000"

In the log file /var/log/firewall on OpenSUSE 11.1, the log for one connection
request is:
Aug 28 20:01:46 alpine5 kernel: f000IN=eth0 OUT=
MAC=00:21:5e:4e:9c:60:00:25:90:10:86:8d:86:dd
SRC=fe80:0000:0000:0000:e91b:befe:97dc:9df5
DST=fe80:0000:0000:0000:0221:5eff:fe4e:9c60 LEN=72 TC=0 HOPLIMIT=128
FLOWLBL=0 PROTO=TCP SPT=59113 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0
Aug 28 20:01:46 alpine5 kernel: e000IN=eth0 OUT=
MAC=00:21:5e:4e:9c:60:00:25:90:10:86:8d:86:dd
SRC=fe80:0000:0000:0000:e91b:befe:97dc:9df5
DST=fe80:0000:0000:0000:0221:5eff:fe4e:9c60 LEN=72 TC=0 HOPLIMIT=128
FLOWLBL=0 PROTO=TCP SPT=59113 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0
Aug 28 20:01:46 alpine5 kernel: d000IN=eth0 OUT=
MAC=00:21:5e:4e:9c:60:00:25:90:10:86:8d:86:dd
SRC=fe80:0000:0000:0000:e91b:befe:97dc:9df5
DST=fe80:0000:0000:0000:0221:5eff:fe4e:9c60 LEN=72 TC=0 HOPLIMIT=128
FLOWLBL=0 PROTO=TCP SPT=59113 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0
Aug 28 20:01:46 alpine5 kernel: c000IN=eth0 OUT=
MAC=00:21:5e:4e:9c:60:00:25:90:10:86:8d:86:dd
SRC=fe80:0000:0000:0000:e91b:befe:97dc:9df5
DST=fe80:0000:0000:0000:0221:5eff:fe4e:9c60 LEN=72 TC=0 HOPLIMIT=128
FLOWLBL=0 PROTO=TCP SPT=59113 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0
Aug 28 20:01:46 alpine5 kernel: b000IN=eth0 OUT=
MAC=00:21:5e:4e:9c:60:00:25:90:10:86:8d:86:dd
SRC=fe80:0000:0000:0000:e91b:befe:97dc:9df5
DST=fe80:0000:0000:0000:0221:5eff:fe4e:9c60 LEN=72 TC=0 HOPLIMIT=128
FLOWLBL=0 PROTO=TCP SPT=59113 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0
Aug 28 20:01:46 alpine5 kernel: a000IN=eth0 OUT=
MAC=00:21:5e:4e:9c:60:00:25:90:10:86:8d:86:dd
SRC=fe80:0000:0000:0000:e91b:befe:97dc:9df5
DST=fe80:0000:0000:0000:0221:5eff:fe4e:9c60 LEN=72 TC=0 HOPLIMIT=128
FLOWLBL=0 PROTO=TCP SPT=59113 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0
Aug 28 20:01:46 alpine5 kernel: 9000IN=eth0 OUT=
MAC=00:21:5e:4e:9c:60:00:25:90:10:86:8d:86:dd
SRC=fe80:0000:0000:0000:e91b:befe:97dc:9df5
DST=fe80:0000:0000:0000:0221:5eff:fe4e:9c60 LEN=72 TC=0 HOPLIMIT=128
FLOWLBL=0 PROTO=TCP SPT=59113 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0
Aug 28 20:01:46 alpine5 kernel: 8000IN=eth0 OUT=
MAC=00:21:5e:4e:9c:60:00:25:90:10:86:8d:86:dd
SRC=fe80:0000:0000:0000:e91b:befe:97dc:9df5
DST=fe80:0000:0000:0000:0221:5eff:fe4e:9c60 LEN=72 TC=0 HOPLIMIT=128
FLOWLBL=0 PROTO=TCP SPT=59113 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0

It means the firewall detects that the client IP address fe80::e91b:befe:97dc:9df5
is in
8000::0-ffff::0, 9000::0-ffff::0, a000::0-ffff::0, b000::0-ffff::0,
c000::0-ffff::0, d000::0-ffff::0, e000::0-ffff::0, f000::0-ffff::0

and is out of:
1000::0-ffff::0, 2000::0-ffff::0, 3000::0-ffff::0, 4000::0-ffff::0,
5000::0-ffff::0, 6000::0-ffff::0, 7000::0-ffff::0

What is the algorithm used to detect the range, and how can I set ip6tables so
that the client address is detected as in all the ranges?

A similar test indicates the client IP address is in
7fff::0-ffff::0, 8fff::0-ffff::0, 9fff::0-ffff::0, afff::0-ffff::0,
bfff::0-ffff::0, cfff::0-ffff::0, dfff::0-ffff::0, efff::0-ffff::0

7fff::0-ffff::0, 7eff::0-ffff::0

and is out of:
0fff::0-ffff::0, 1fff::0-ffff::0, 2fff::0-ffff::0, 3fff::0-ffff::0,
4fff::0-ffff::0, 5fff::0-ffff::0, 6fff::0-ffff::0

7dff::0-ffff::0, 7cff::0-ffff::0, 7bff::0-ffff::0, 7aff::0-ffff::0,
79ff::0-ffff::0, 78ff::0-ffff::0, 77ff::0-ffff::0, 76ff::0-ffff::0,
75ff::0-ffff::0, 74ff::0-ffff::0, 73ff::0-ffff::0, 72ff::0-ffff::0,
71ff::0-ffff::0, 70ff::0-ffff::0

Best regards.
ning
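
The in/out pattern reported above has a recognisable shape: the client address is
"in" a range exactly when the range's low bound lies within 2^31 below the
address in the first 32-bit word (8000:: up to f000::, and 7eff::/7fff:: but
not 7dff::), and "out" when the gap is larger. That is the fingerprint of a
lexicographic compare that computes the unsigned difference of two 32-bit words
and then stores it in a signed int. The following C program is an added
example, not code from the bug report or from the netfilter tree: it is a
hypothesis for the observed behaviour, not a confirmed reading of the kernel's
xt_iprange implementation. It reproduces the reported results with that
signed-difference compare against the reporter's own address and bounds, and
checks a wrap-safe compare against the same inputs. The function names
(`cmp_signed_diff`, `cmp_wrap_safe`, `in_range`) are this example's own.

```c
/* Added example: reproduce the reported iprange in/out pattern with two
 * candidate 128-bit comparisons. Hypothesis, not the netfilter source. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

typedef int (*cmp6_fn)(const struct in6_addr *, const struct in6_addr *);

/* Load the i-th 32-bit word of an address as a host-order integer. */
static uint32_t word(const struct in6_addr *a, int i)
{
    uint32_t w;
    memcpy(&w, &a->s6_addr[4 * i], sizeof w);
    return ntohl(w);
}

/* Candidate 1 (hypothesised cause of the report): compare word by word, but
 * keep the unsigned difference in a signed int. When the words are more than
 * 2^31 apart the sign is wrong: 0xfe800000 - 0x10000000 = 0xee800000 reads as
 * negative, so fe80:: sorts below 1000::, while 0xfe800000 - 0x80000000 =
 * 0x7e800000 is positive, so fe80:: sorts above 8000::. */
static int cmp_signed_diff(const struct in6_addr *a, const struct in6_addr *b)
{
    for (int i = 0; i < 4; i++) {
        int r = (int)(word(a, i) - word(b, i)); /* wraps on large gaps */
        if (r != 0)
            return r;
    }
    return 0;
}

/* Candidate 2: use only the ordering of each word, never the difference. */
static int cmp_wrap_safe(const struct in6_addr *a, const struct in6_addr *b)
{
    for (int i = 0; i < 4; i++) {
        uint32_t wa = word(a, i), wb = word(b, i);
        if (wa != wb)
            return wa < wb ? -1 : 1;
    }
    return 0;
}

/* 1 if lo <= addr <= hi under cmp (the shape of an inclusive --src-range lo-hi
 * test), 0 if outside, -1 if any address fails to parse. */
static int in_range(cmp6_fn cmp, const char *addr, const char *lo, const char *hi)
{
    struct in6_addr a, l, h;
    if (inet_pton(AF_INET6, addr, &a) != 1 || inet_pton(AF_INET6, lo, &l) != 1 ||
        inet_pton(AF_INET6, hi, &h) != 1)
        return -1;
    return cmp(&a, &l) >= 0 && cmp(&a, &h) <= 0;
}

int main(void)
{
    /* Client address and range bounds are the ones quoted in the report. */
    const char *client = "fe80::e91b:befe:97dc:9df5";
    const char *lows[] = { "1000::", "7000::", "7dff::", "7eff::", "7fff::",
                           "8000::", "f000::" };
    printf("%-14s %-12s %s\n", "range", "signed-diff", "wrap-safe");
    for (size_t i = 0; i < sizeof lows / sizeof lows[0]; i++)
        printf("%s-ffff::%*s %-12s %s\n", lows[i], (int)(14 - 7 - strlen(lows[i])), "",
               in_range(cmp_signed_diff, client, lows[i], "ffff::") ? "in" : "out",
               in_range(cmp_wrap_safe, client, lows[i], "ffff::") ? "in" : "out");
    return 0;
}
```

The signed-difference column reproduces every in/out result in the report,
including the 7eff::/7dff:: boundary, while the wrap-safe column puts the
client in all of them. Two practical consequences for anyone relying on
`-m iprange` on a kernel that shows this pattern: a range rule can silently fail
closed or open depending on how far the bound is from the address, so verify
each range with a LOG rule as the reporter did; and where the range is really
a prefix, `-s fe80::/10` (the ordinary masked source match) does not go through
the iprange comparison at all.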

