* IPV6 nf defrag does not work
@ 2013-10-29 10:52 Jiri Pirko
  2013-10-29 11:56 ` Florian Westphal
  2013-10-29 14:30 ` Jiri Pirko
  0 siblings, 2 replies; 4+ messages in thread
From: Jiri Pirko @ 2013-10-29 10:52 UTC (permalink / raw)
  To: netdev; +Cc: pablo, netfilter-devel, yoshfuji, kadlec, kaber

Hi All.

On the current net-next if you on HOSTA do:
ip6tables -I INPUT -p icmpv6 -j DROP
ip6tables -I INPUT -p icmpv6 -m icmp6 --icmpv6-type 128 -j ACCEPT

and on HOSTB you do:
ping6 HOSTA -s2000    (MTU is 1500)

Only the first ICMP echo request will be passed through, the rest is not
passed on HOSTA. This issue does not occur with smaller packets than MTU (where
fragmentation does not happen).

I'm trying to find out where the problem is.

Any quick ideas?

Thanks

Jiri


* Re: IPV6 nf defrag does not work
  2013-10-29 10:52 IPV6 nf defrag does not work Jiri Pirko
@ 2013-10-29 11:56 ` Florian Westphal
  2013-10-29 12:03   ` Jiri Pirko
  2013-10-29 14:30 ` Jiri Pirko
  1 sibling, 1 reply; 4+ messages in thread
From: Florian Westphal @ 2013-10-29 11:56 UTC (permalink / raw)
  To: Jiri Pirko; +Cc: netdev, pablo, netfilter-devel, yoshfuji, kadlec, kaber

Jiri Pirko <jiri@resnulli.us> wrote:
> On the current net-next if you on HOSTA do:
> ip6tables -I INPUT -p icmpv6 -j DROP
> ip6tables -I INPUT -p icmpv6 -m icmp6 --icmpv6-type 128 -j ACCEPT
> 
> and on HOSTB you do:
> ping6 HOSTA -s2000    (MTU is 1500)
> 
> Only the first ICMP echo request will be passed through, the rest is not
> passed on HOSTA. This issue does not occur with smaller packets than MTU (where
> fragmentation does not happen).
>
> I'm trying to find out where the problem is.

Are you sure this is new behaviour? As far back as I can remember
it was always like this.

in ip6tables, the individual fragments are sent through the ruleset,
iow. you'll need to make use of '-m conntrack' to match the fragments
belonging to an existing connection.

I don't know why this is, and I don't like this either.
But this is how it was implemented, see

net/ipv6/netfilter/nf_defrag_ipv6_hooks.c, ipv6_defrag() ->
nf_ct_frag6_output()


* Re: IPV6 nf defrag does not work
  2013-10-29 11:56 ` Florian Westphal
@ 2013-10-29 12:03   ` Jiri Pirko
  0 siblings, 0 replies; 4+ messages in thread
From: Jiri Pirko @ 2013-10-29 12:03 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netdev, pablo, netfilter-devel, yoshfuji, kadlec, kaber

Tue, Oct 29, 2013 at 12:56:17PM CET, fw@strlen.de wrote:
>Jiri Pirko <jiri@resnulli.us> wrote:
>> On the current net-next if you on HOSTA do:
>> ip6tables -I INPUT -p icmpv6 -j DROP
>> ip6tables -I INPUT -p icmpv6 -m icmp6 --icmpv6-type 128 -j ACCEPT
>> 
>> and on HOSTB you do:
>> ping6 HOSTA -s2000    (MTU is 1500)
>> 
>> Only the first ICMP echo request will be passed through, the rest is not
>> passed on HOSTA. This issue does not occur with smaller packets than MTU (where
>> fragmentation does not happen).
>>
>> I'm trying to find out where the problem is.
>
>Are you sure this is new behaviour? As far back as I can remember
>it was always like this.

Yes. This is not new.

>
>in ip6tables, the individual fragments are sent through the ruleset,
>iow. you'll need to make use of '-m conntrack' to match the fragments
>belonging to an existing connection.

Hmm. I think that it is not correct to force user (iptables user) to
make different rules because some ipv6 packets might be fragmented.
This should be handled in kernel.

>
>I don't know why this is, and I don't like this either.
>But this is how it was implemented, see
>
>net/ipv6/netfilter/nf_defrag_ipv6_hooks.c, ipv6_defrag() ->
>nf_ct_frag6_output()

Yep. I'm studying the code atm.




* Re: IPV6 nf defrag does not work
  2013-10-29 10:52 IPV6 nf defrag does not work Jiri Pirko
  2013-10-29 11:56 ` Florian Westphal
@ 2013-10-29 14:30 ` Jiri Pirko
  1 sibling, 0 replies; 4+ messages in thread
From: Jiri Pirko @ 2013-10-29 14:30 UTC (permalink / raw)
  To: netdev; +Cc: pablo, netfilter-devel, yoshfuji, kadlec, kaber

Tue, Oct 29, 2013 at 11:52:08AM CET, jiri@resnulli.us wrote:
>Hi All.
>
>On the current net-next if you on HOSTA do:
>ip6tables -I INPUT -p icmpv6 -j DROP
>ip6tables -I INPUT -p icmpv6 -m icmp6 --icmpv6-type 128 -j ACCEPT
>
>and on HOSTB you do:
>ping6 HOSTA -s2000    (MTU is 1500)
>
>Only the first ICMP echo request will be passed through, the rest is not
>passed on HOSTA. This issue does not occur with smaller packets than MTU (where
>fragmentation does not happen).
>

Hmm. The reason why first packet goes through is because of:
commit 58a317f1061c894d2344c0b6a18ab4a64b69b815
Author: Patrick McHardy <kaber@trash.net>
Date:   Sun Aug 26 19:14:12 2012 +0200

    netfilter: ipv6: add IPv6 NAT support


First packet will hit "if ((help && help->helper) || !nf_ct_is_confirmed(ct))"
(ct is unconfirmed for it).


For this, nf_conntrack_ipv6 has to be loaded. Continuing investigation.



>I'm trying to find out where the problem is.
>
>Any quick ideas?
>
>Thanks
>
>Jiri

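Added example, not code from the thread or from the kernel tree, written to illustrate two points made above: Florian's, that ip6tables runs each fragment through the ruleset on its own, and Jiri's, that the first echo request is the only one that arrives as a reassembled datagram. It is a miniature model of the ip6tables protocol check and the icmp6 match: "-p icmpv6" matches a non-first fragment through the nexthdr field of its fragment header, but the icmp6 match refuses any packet with a non-zero fragment offset, so the second fragment of every later echo request falls through to the DROP rule. The extension-header walk mirrors what ipv6_find_hdr() does with target -1; the rule struct, the packet builder and the two-fragment echo request are constructed for this example and are not from the page.

```c
/* Added example (not code from the thread or the kernel): a miniature model of
 * how ip6tables evaluates "-p icmpv6" and "-m icmp6 --icmpv6-type" against
 * fragmented ICMPv6 traffic. Packet bytes are constructed by hand; checksums
 * and the fragment identification are left zero, nothing here checks them. */
#include <stdint.h>
#include <string.h>

#define NEXTHDR_FRAGMENT 44
#define NEXTHDR_ICMPV6 58
#define IPV6_HDRLEN 40

enum verdict { V_ACCEPT, V_DROP, V_NONE };
struct rule { int proto; int icmp6_type; enum verdict target; }; /* -1: match absent */

/* Like ipv6_find_hdr() with target -1: returns the upper-layer protocol number
 * and sets *fragoff. A non-first fragment yields the nexthdr carried in its
 * fragment header with *fragoff != 0, although the packet holds no L4 header. */
static int find_l4(const uint8_t *p, size_t len, size_t *l4off, unsigned *fragoff)
{
    if (len < IPV6_HDRLEN) return -1;
    int nh = p[6];
    size_t off = IPV6_HDRLEN; *fragoff = 0;
    for (;;) {
        if (nh == NEXTHDR_FRAGMENT) {
            if (off + 8 > len) return -1;
            unsigned fo = ((p[off + 2] << 8) | p[off + 3]) & ~0x7u;
            nh = p[off]; off += 8;
            if (fo != 0) { *fragoff = fo; *l4off = off; return nh; }
        } else if (nh == 0 || nh == 43 || nh == 60) { /* hop-by-hop, routing, dest opts */
            if (off + 2 > len) return -1;
            size_t hl = (size_t)(p[off + 1] + 1) * 8;   /* (hdr ext len + 1) * 8 */
            nh = p[off]; off += hl;
            if (off > len) return -1;
        } else {
            *l4off = off; return nh;
        }
    }
}

static int rule_matches(const struct rule *r, const uint8_t *p, size_t len)
{
    size_t l4off; unsigned fragoff;
    int proto = find_l4(p, len, &l4off, &fragoff);
    if (proto < 0 || (r->proto != -1 && r->proto != proto))
        return 0;                   /* "-p icmpv6" alone matches every fragment */
    if (r->icmp6_type != -1) {
        if (fragoff != 0) return 0; /* icmp6 match: "Must not be a fragment." */
        if (l4off + 4 > len || p[l4off] != (uint8_t)r->icmp6_type) return 0;
    }
    return 1;
}

static enum verdict evaluate(const struct rule *rs, size_t n, const uint8_t *p, size_t len)
{
    for (size_t i = 0; i < n; i++)
        if (rule_matches(&rs[i], p, len)) return rs[i].target;
    return V_NONE;                  /* the chain policy would decide */
}

/* Constructed packet: IPv6 header, optional fragment header, then payload. */
static size_t build(uint8_t *b, int frag, unsigned fragoff, int more,
                    const uint8_t *payload, size_t plen)
{
    size_t off = IPV6_HDRLEN;
    memset(b, 0, IPV6_HDRLEN); b[0] = 0x60;
    b[6] = frag ? NEXTHDR_FRAGMENT : NEXTHDR_ICMPV6;
    if (frag) {
        uint16_t fo = (uint16_t)(fragoff | (more ? 1u : 0u));
        b[off] = NEXTHDR_ICMPV6;    /* the nexthdr now lives in the fragment header */
        b[off + 2] = fo >> 8; b[off + 3] = fo & 0xff;
        off += 8;
    }
    memcpy(b + off, payload, plen);
    off += plen;
    b[4] = (uint8_t)((off - IPV6_HDRLEN) >> 8);
    b[5] = (uint8_t)(off - IPV6_HDRLEN);
    return off;
}

/* The thread's two rules in evaluation order ("-I" puts the later one on top). */
static const struct rule ruleset[] = {
    { NEXTHDR_ICMPV6, 128, V_ACCEPT }, { NEXTHDR_ICMPV6, -1, V_DROP },
};
/* Echo request: 8-byte ICMPv6 header (type 128) + 16 data bytes, split on an
 * 8-octet boundary so that only the first fragment carries the ICMPv6 type. */
static const uint8_t head[16] = { 128, 0, 0, 0, 0x12, 0x34, 0, 1, 'a','b','c','d','e','f','g','h' };
static const uint8_t tail[8] = { 'i','j','k','l','m','n','o','p' };

enum verdict verdict_first_fragment(void) {
    uint8_t b[128];
    return evaluate(ruleset, 2, b, build(b, 1, 0, 1, head, sizeof head));
}
enum verdict verdict_second_fragment(void) {
    uint8_t b[128];
    return evaluate(ruleset, 2, b, build(b, 1, sizeof head, 0, tail, sizeof tail));
}
enum verdict verdict_reassembled(void) {   /* the shape the first echo request had */
    uint8_t b[128], whole[24];
    memcpy(whole, head, 16); memcpy(whole + 16, tail, 8);
    return evaluate(ruleset, 2, b, build(b, 0, 0, 0, whole, sizeof whole));
}
```

verdict_first_fragment() and verdict_reassembled() return V_ACCEPT, verdict_second_fragment() returns V_DROP: the later echo requests lose their second fragment at the firewall and HOSTA never reassembles them, which is exactly the symptom reported. On the ruleset side, the "-m conntrack" approach Florian mentions amounts to a rule ahead of the DROP such as `ip6tables -I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`, which accepts a non-first fragment on the strength of the conntrack entry attached to it rather than on an ICMPv6 header it cannot carry.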
