ipv6 conntrack fails to match certain packets with fragmentation header

Bug #788637 reported by Nathan Lutchansky
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Low
Unassigned
Lucid
Undecided
Unassigned
Maverick
Undecided
Unassigned
Natty
Undecided
Unassigned
Oneiric
Low
Unassigned

Bug Description

Binary package hint: linux-image-2.6.32-31-server

Linux kernels prior to 2.6.34 have a bug which causes IPv6 packets containing a fragmentation header with offset=0 and the MF bit clear to not be properly matched by IPv6 conntrack. These kinds of packets are becoming much more common on the Internet because RFC6145-compliant NAT64 implementations specify that this header should be added to any translated IPv4 packet with the DF bit clear.

I have attached the upstream patch that fixed the problem in 2.6.34. I have confirmed that it applies to Lucid's 2.6.32-31 and fixes the problem.

To demonstrate the problem more clearly, here is what happens when stock Ubuntu 2.6.32-31 from Lucid tries to match a NAT64-translated HTTP session to Google:

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
   40 30503 ACCEPT all * * ::/0 ::/0 state ESTABLISHED
    0 0 ACCEPT all * * ::/0 ::/0 state RELATED
    5 686 ACCEPT all * * ::/0 ::/0 state NEW
   24 1735 ACCEPT all * * ::/0 ::/0 state INVALID

Note all the INVALID packets, and there should only be a single NEW packet.

With the patch applied, here is the result:

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
   66 32707 ACCEPT all * * ::/0 ::/0 state ESTABLISHED
    0 0 ACCEPT all * * ::/0 ::/0 state RELATED
    1 80 ACCEPT all * * ::/0 ::/0 state NEW
    0 0 ACCEPT all * * ::/0 ::/0 state INVALID

This is the correct and expected result.

Please apply the attached patch to the Lucid kernel so that Lucid can be used as an IPv6 stateful firewall.

Revision history for this message
Nathan Lutchansky (nathan-launchpad) wrote :
tags: added: lucid
Revision history for this message
Stefan Bader (smb) wrote : Please consider "netfilter: nf_conntrack_reasm: properly handle packets fragmented into a single fragment" for .32 and .33 longterm

The following change was made for 2.6.34 but did not make it into stable
releases before.

commit 9e2dcf72023d1447f09c47d77c99b0c49659e5ce
Author: Patrick McHardy <email address hidden>
Date: Fri Feb 19 18:18:37 2010 +0100

     netfilter: nf_conntrack_reasm: properly handle packets fragmented into a
     single fragment

In https://bugs.launchpad.net/ubuntu/+source/linux/+bug/788637 it is confirmed
to be fixing the 2.6.32 case. So this seems like a candidate for .33 and .32 at
least.

-Stefan

Changed in linux (Ubuntu):
importance: Undecided → Low
status: New → Triaged
Revision history for this message
Stefan Bader (smb) wrote :

Above mail sent to stable mailing list.

Revision history for this message
Greg KH (greg-kroah) wrote : Re: [stable] Please consider "netfilter: nf_conntrack_reasm: properly handle packets fragmented into a single fragment" for .32 and .33 longterm

On Mon, May 30, 2011 at 10:25:32AM +0200, Stefan Bader wrote:
> The following change was made for 2.6.34 but did not make it into
> stable releases before.
>
> commit 9e2dcf72023d1447f09c47d77c99b0c49659e5ce
> Author: Patrick McHardy <email address hidden>
> Date: Fri Feb 19 18:18:37 2010 +0100
>
> netfilter: nf_conntrack_reasm: properly handle packets fragmented into a
> single fragment
>
> In https://bugs.launchpad.net/ubuntu/+source/linux/+bug/788637 it is
> confirmed to be fixing the 2.6.32 case. So this seems like a
> candidate for .33 and .32 at least.

Now queued up, thanks.

greg k-h

Revision history for this message
Leann Ogasawara (leannogasawara) wrote :

Looks like this patch was applied to Lucid, Maverick, Natty, and Oneiric. Marking Fix Released for all series. Thanks.

Changed in linux (Ubuntu Oneiric):
status: Triaged → Fix Released
Changed in linux (Ubuntu Natty):
status: New → Fix Released
Changed in linux (Ubuntu Maverick):
status: New → Fix Released
Changed in linux (Ubuntu Lucid):
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers