[Bug 852] New: IPv6 TEE target sends packets to original IP address on wrong network device
bugzilla-daemon at netfilter.org
bugzilla-daemon at netfilter.org
Sat Sep 14 20:22:54 CEST 2013
https://bugzilla.netfilter.org/show_bug.cgi?id=852
Summary: IPv6 TEE target sends packets to original IP address
on wrong network device
Product: netfilter/iptables
Version: unspecified
Platform: x86_64
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P5
Component: unknown
AssignedTo: netfilter-buglog at lists.netfilter.org
ReportedBy: netfilter at null.bumpern.de
Estimated Hours: 0.0
Hi,
my network setup looks like this:
+--------+ +-------+
| gw + | host1 |
+--------+ fd73:d95d:a475:2005::1 +-------+
| tun0 |<-------------------------------------------------| tun0 |
| | fd73:d95d:a475:c80::17 +-------+
| eth1 |---------------------+
| | | +-------+
| eth2 |-----------+ | | host2 |
+--------+ | | +-------+
| +------------------------>| eth0 |
| fd73:d95d:a475:1000::1 +-------+
|
|
| +---------+
| | monitor |
| +---------+
+------------------------->| eth0 |
fd73:d95d:a475:1001::1 +---------+
All traffic that passes through the router "gw" coming from the network
fd73:d95d:a475::/48 should also be sent to the host "monitor". This was
achieved by adding an iptables rule in the PREROUTING chain of the mangle
table:
# ip6tables -t mangle -A PREROUTING -s fd73:d95d:a475::/48 \
-j TEE --gateway fd73:d95d:a475:1001::1
When "host1" tries to ping "host2", this works (running ping6 on "host1"):
# ping6 fd73:d95d:a475:1000::1
PING fd73:d95d:a475:1000::1(fd73:d95d:a475:1000::1) 56 data bytes
64 bytes from fd73:d95d:a475:1000::1: icmp_seq=1 ttl=63 time=22.2 ms
[...]
When tcpdump is ran on eth2 on router "gw", the following can be observed:
# tcpdump -q -n -i eth2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
20:01:04.001463 IP6 fe80::21b:21ff:fe2b:e398 > ff02::1:ff00:1: ICMP6,
neighbor solicitation, who has fd73:d95d:a475:1000::1, length 32
20:01:04.001751 IP6 fe80::21b:21ff:fe2b:e398 > ff02::1:ff00:17: ICMP6,
neighbor solicitation, who has fd73:d95d:a475:c80::17, length 32
20:01:05.000566 IP6 fe80::21b:21ff:fe2b:e398 > ff02::1:ff00:1: ICMP6,
neighbor solicitation, who has fd73:d95d:a475:1000::1, length 32
20:01:05.000581 IP6 fe80::21b:21ff:fe2b:e398 > ff02::1:ff00:17: ICMP6,
neighbor solicitation, who has fd73:d95d:a475:c80::17, length 32
It seems router "gw" tries to send the ICMP6 echo request and echo response
packets to host "monitor" on the correct device (eth2) not to the ip address of
host "monitor" as instructed, but rather to the original destination ip
address and a neighbor solicitation is sent. As this address are not present on
that physical network, the neighbor solicitation is never answered. After a
timeout of about three seconds, the original sender ("host1") is sent an ICMP6
destination unreachable packet (probably since the cloned packet could not be
sent), as seen by running tcpdump on device "tun0" of "host1":
# tcpdump -q -n -i tun0 -q
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
20:10:51.302080 IP6 fd73:d95d:a475:c80::17 > fd73:d95d:a475:1000::1: ICMP6,
echo request, seq 1, length 64
20:10:51.324941 IP6 fd73:d95d:a475:1000::1 > fd73:d95d:a475:c80::17: ICMP6,
echo reply, seq 1, length 64
20:10:52.304002 IP6 fd73:d95d:a475:c80::17 > fd73:d95d:a475:1000::1: ICMP6,
echo request, seq 2, length 64
20:10:52.318842 IP6 fd73:d95d:a475:1000::1 > fd73:d95d:a475:c80::17: ICMP6,
echo reply, seq 2, length 64
20:10:53.305912 IP6 fd73:d95d:a475:c80::17 > fd73:d95d:a475:1000::1: ICMP6,
echo request, seq 3, length 64
20:10:53.321208 IP6 fd73:d95d:a475:1000::1 > fd73:d95d:a475:c80::17: ICMP6,
echo reply, seq 3, length 64
20:10:54.307266 IP6 fd73:d95d:a475:c80::17 > fd73:d95d:a475:1000::1: ICMP6,
echo request, seq 4, length 64
20:10:54.322575 IP6 fd73:d95d:a475:2005::1 > fd73:d95d:a475:c80::17: ICMP6,
destination unreachable, unreachable address fd73:d95d:a475:1000::1, length 112
20:10:54.323467 IP6 fd73:d95d:a475:1000::1 > fd73:d95d:a475:c80::17: ICMP6,
echo reply, seq 4, length 64
Exactly the same behaviour can be observed when "host1" contacts "host2" via
TCP or UDP. The same network also has IPv4 deployed with the equivalent TEE
rule, which works flawlessly, copies of all relevant packets are sent to host
"monitor".
Summary:
Desired behaviour: Router "gw" sends a copy of a packet from "host1" to "host2"
to host "monitor".
Observed behaviour: Router "gw" tries to send a copy of a packet from "host1"
to "host2" to the original recipient ip address ("host2"), but on the interface
"monitor" is connected (eth2), so it does a neighbor solicitation for the
original recipient ip address.
Thanks for looking into this. I tried to debug the code myself for a few hours,
but did not succeed. Please contact me if I can be of any help, thanks!
Best regards,
Alex
--
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
More information about the netfilter-buglog
mailing list