[Bug 812] New: addrtype with limit-iface-in in ip6tables/nat/PREROUTING messes up the route cache
bugzilla-daemon at netfilter.org
Tue Mar 5 10:01:30 CET 2013
http://bugzilla.netfilter.org/show_bug.cgi?id=812
Summary: addrtype with limit-iface-in in ip6tables/nat/PREROUTING messes up the route cache
Product: netfilter/iptables
Version: unspecified
Platform: x86_64
OS/Version: All
Status: NEW
Severity: major
Priority: P5
Component: ip6_tables (kernel)
AssignedTo: netfilter-buglog at lists.netfilter.org
ReportedBy: arpad at andrews.hu
Estimated Hours: 0.0
First of all, sorry about my bad English.
The addrtype match is working perfectly under IPv6 in the filter table. When I
tried to use it in nat/PREROUTING, it messes up the routing cache even if the
rule didn't match at all. I think it's better to show an example. (I
changed the hostnames and IP addresses; they are sensitive data.)
eth0 - 2001:1234:f001::/64 - Internet
eth1 - 2001:1234:11::/64 - DMZ
The non-working scenario:
root at ipv6-test:# ip6tables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 LOinet all eth0 * ::/0 ::/0 /* Internet */ ADDRTYPE match dst-type LOCAL limit-in
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain LOinet (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all * * ::/0 ::/0 /* Other packets */
root at ipv6-test:# ip -6 route show cache
2001:1234:11::12 via 2001:1234:f001::251 dev eth0 metric 0
cache
The 2001:1234:11::12 was the original destination of the packet, and it's a
valid server address on the DMZ. This route cache entry says that server is
reachable via the default gateway, and while this entry exists all the traffic, even
the locally generated traffic, is sent that way. So the server is unreachable.
The working scenario:
root at ipv6-test:# ip6tables -t nat -D PREROUTING 1
root at ipv6-test:# ip6tables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain LOinet (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all * * ::/0 ::/0 /* Other packets */
root at ipv6-test:# ip -6 route show cache
2001:1234:11::12 via 2001:1234:11::12 dev eth1 metric 0
cache
This is the good result.
If I remove the --limit-iface-in from the non-working scenario, so I just use
-m addrtype --dst-type LOCAL, it works!
root at ipv6-test:# ip6tables -V
ip6tables v1.4.17
root at ipv6-test:# uname -r
3.7.0-andrews-amd64
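A small check for the symptom above, added here as an example and not part of the bug report: it parses the output of `ip -6 route show cache` and flags cached entries that send a destination inside a known on-link prefix out through an interface other than the one that prefix belongs to. The prefix-to-interface mapping and the two sample cache lines are constructed from the addresses given in the report.

```python
"""Flag IPv6 route-cache entries that route an on-link destination via the wrong interface."""
import ipaddress
import re
import subprocess

# Which interface each on-link prefix belongs to (constructed from the report's setup).
EXPECTED_IFACES = {
    "2001:1234:f001::/64": "eth0",  # Internet
    "2001:1234:11::/64": "eth1",    # DMZ
}

# Matches "<dst> [via <gw>] dev <iface> ..."; the indented "cache" continuation line is skipped.
ROUTE_RE = re.compile(r"^(?P<dst>[0-9a-fA-F:.]+(?:/\d+)?)\s+(?:via\s+(?P<gw>\S+)\s+)?dev\s+(?P<dev>\S+)")

# Constructed samples mirroring the non-working and working cache output shown above.
BAD_SAMPLE = "2001:1234:11::12 via 2001:1234:f001::251 dev eth0 metric 0\n    cache\n"
GOOD_SAMPLE = "2001:1234:11::12 via 2001:1234:11::12 dev eth1 metric 0\n    cache\n"


def parse_route_cache(text):
    """Return a list of (destination, gateway-or-None, device) tuples from `ip -6 route` output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append((m.group("dst"), m.group("gw"), m.group("dev")))
    return routes


def find_misrouted(text, expected=EXPECTED_IFACES):
    """Return (dst, gw, dev, expected_dev) for cache entries leaving on the wrong interface."""
    nets = {ipaddress.ip_network(p): dev for p, dev in expected.items()}
    bad = []
    for dst, gw, dev in parse_route_cache(text):
        addr = ipaddress.ip_address(dst.split("/")[0])
        for net, want in nets.items():
            if addr in net and dev != want:
                bad.append((dst, gw, dev, want))
    return bad


if __name__ == "__main__":
    # Live check on the local host; requires iproute2 and a kernel that still exposes a cache.
    out = subprocess.run(["ip", "-6", "route", "show", "cache"],
                         capture_output=True, text=True, check=True).stdout
    for dst, gw, dev, want in find_misrouted(out):
        print(f"{dst}: cached via {gw} dev {dev}, expected dev {want}")
```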