ipv6 conntrack fails to match certain packets with fragmentation header
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| linux (Ubuntu) |
Fix Released
|
Low
|
Unassigned | ||
| Lucid |
Fix Released
|
Undecided
|
Unassigned | ||
| Maverick |
Fix Released
|
Undecided
|
Unassigned | ||
| Natty |
Fix Released
|
Undecided
|
Unassigned | ||
| Oneiric |
Fix Released
|
Low
|
Unassigned | ||
Bug Description
Binary package hint: linux-image-
Linux kernels prior to 2.6.34 have a bug which causes IPv6 packets containing a fragmentation header with offset=0 and the MF bit clear to not be properly matched by IPv6 conntrack. These kinds of packets are becoming much more common on the Internet because RFC6145-compliant NAT64 implementations specify that this header should be added to any translated IPv4 packet with the DF bit clear.
I have attached the upstream patch that fixed the problem in 2.6.34. I have confirmed that it applies to Lucid's 2.6.32-31 and fixes the problem.
To demonstrate the problem more clearly, here is what happens when stock Ubuntu 2.6.32-31 from Lucid tries to match a NAT64-translated HTTP session to Google:
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
40 30503 ACCEPT all * * ::/0 ::/0 state ESTABLISHED
0 0 ACCEPT all * * ::/0 ::/0 state RELATED
5 686 ACCEPT all * * ::/0 ::/0 state NEW
24 1735 ACCEPT all * * ::/0 ::/0 state INVALID
Note all the INVALID packets, and there should only be a single NEW packet.
With the patch applied, here is the result:
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
66 32707 ACCEPT all * * ::/0 ::/0 state ESTABLISHED
0 0 ACCEPT all * * ::/0 ::/0 state RELATED
1 80 ACCEPT all * * ::/0 ::/0 state NEW
0 0 ACCEPT all * * ::/0 ::/0 state INVALID
This is the correct and expected result.
Please apply the attached patch to the Lucid kernel so that Lucid can be used as an IPv6 stateful firewall.
| Nathan Lutchansky (nathan-launchpad) wrote | #1 |
| tags: | added: lucid |
| Stefan Bader (smb) wrote Please consider "netfilter: nf_conntrack_reasm: properly handle packets fragmented into a single fragment" for .32 and .33 longterm | #2 |
| Changed in linux (Ubuntu): | |
| importance: | Undecided → Low |
| status: | New → Triaged |
| Stefan Bader (smb) wrote | #3 |
| Greg KH (greg-kroah) wrote Re: [stable] Please consider "netfilter: nf_conntrack_reasm: properly handle packets fragmented into a single fragment" for .32 and .33 longterm | #4 |
| Leann Ogasawara (leannogasawara) wrote | #5 |
| Changed in linux (Ubuntu Oneiric): | |
| status: | Triaged → Fix Released |
| Changed in linux (Ubuntu Natty): | |
| status: | New → Fix Released |
| Changed in linux (Ubuntu Maverick): | |
| status: | New → Fix Released |
| Changed in linux (Ubuntu Lucid): | |
| status: | New → Fix Released |
The following change was made for 2.6.34 but did not make it into stable
releases before.
commit 9e2dcf72023d144
Author: Patrick McHardy <email address hidden>
Date: Fri Feb 19 18:18:37 2010 +0100
netfilter: nf_conntrack_reasm: properly handle packets fragmented into a
single fragment
In https:/
to be fixing the 2.6.32 case. So this seems like a candidate for .33 and .32 at
least.
-Stefan