ipv6 conntrack fails to match certain packets with fragmentation header
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| linux (Ubuntu) | Fix Released | Low | Unassigned | |
| Lucid | Fix Released | Undecided | Unassigned | |
| Maverick | Fix Released | Undecided | Unassigned | |
| Natty | Fix Released | Undecided | Unassigned | |
| Oneiric | Fix Released | Low | Unassigned | |
Bug Description
Binary package hint: linux-image-
Linux kernels prior to 2.6.34 have a bug which causes IPv6 packets containing a fragmentation header with offset=0 and the MF bit clear to not be properly matched by IPv6 conntrack. These kinds of packets are becoming much more common on the Internet because RFC6145-compliant NAT64 implementations specify that this header should be added to any translated IPv4 packet with the DF bit clear.
I have attached the upstream patch that fixed the problem in 2.6.34. I have confirmed that it applies to Lucid's 2.6.32-31 and fixes the problem.
To demonstrate the problem more clearly, here is what happens when stock Ubuntu 2.6.32-31 from Lucid tries to match a NAT64-translated HTTP session to Google:
```
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in  out source destination
   40 30503 ACCEPT all  --  *   *   ::/0   ::/0        state ESTABLISHED
    0     0 ACCEPT all  --  *   *   ::/0   ::/0        state RELATED
    5   686 ACCEPT all  --  *   *   ::/0   ::/0        state NEW
   24  1735 ACCEPT all  --  *   *   ::/0   ::/0        state INVALID
```
Note all the INVALID packets, and there should only be a single NEW packet.
With the patch applied, here is the result:
```
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in  out source destination
   66 32707 ACCEPT all  --  *   *   ::/0   ::/0        state ESTABLISHED
    0     0 ACCEPT all  --  *   *   ::/0   ::/0        state RELATED
    1    80 ACCEPT all  --  *   *   ::/0   ::/0        state NEW
    0     0 ACCEPT all  --  *   *   ::/0   ::/0        state INVALID
```
This is the correct and expected result.
Please apply the attached patch to the Lucid kernel so that Lucid can be used as an IPv6 stateful firewall.
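As an added illustration that is not part of the bug report or of the kernel patch, the following C program walks an IPv6 packet's extension-header chain and classifies its Fragment header. It separates the single-fragment case the report describes (offset 0 with the MF bit clear, which an RFC 6145 NAT64 produces for every translated IPv4 packet with DF clear) from a normal first fragment, a later fragment, and a packet with no Fragment header at all. The packets it inspects are constructed inside the program with 2001:db8:: documentation addresses; the `classify_*` helper names are the example's own and nothing here is taken from the kernel sources.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* IANA next-header values used below (suffixed to avoid clashing with system headers). */
#define NH_HOPOPTS_  0
#define NH_TCP_      6
#define NH_ROUTING_  43
#define NH_FRAGMENT_ 44
#define NH_DSTOPTS_  60

enum frag_class {
    FRAG_MALFORMED      = -1, /* truncated or not IPv6 */
    FRAG_NONE           = 0,  /* no Fragment header in the chain */
    FRAG_ATOMIC         = 1,  /* offset 0, MF clear: whole packet in one fragment */
    FRAG_FIRST          = 2,  /* offset 0, MF set */
    FRAG_MIDDLE_OR_LAST = 3   /* offset > 0 */
};

/* Parse the fixed header, then follow hop-by-hop/routing/destination-options
 * headers until a Fragment header or an upper-layer protocol is reached. */
int classify_ipv6_fragment(const uint8_t *pkt, size_t len)
{
    if (len < 40 || (pkt[0] >> 4) != 6) return FRAG_MALFORMED;
    size_t payload_len = ((size_t)pkt[4] << 8) | pkt[5];
    if (40 + payload_len > len) return FRAG_MALFORMED;
    uint8_t nh = pkt[6];
    size_t off = 40;
    for (int hops = 0; hops < 8; hops++) {   /* bound the chain walk */
        switch (nh) {
        case NH_FRAGMENT_: {
            if (off + 8 > len) return FRAG_MALFORMED;
            uint16_t fo_flags = (uint16_t)((pkt[off + 2] << 8) | pkt[off + 3]);
            uint16_t frag_off = fo_flags >> 3;   /* in 8-octet units */
            int mf = fo_flags & 1;               /* More Fragments flag */
            if (frag_off == 0 && !mf) return FRAG_ATOMIC;
            if (frag_off == 0) return FRAG_FIRST;
            return FRAG_MIDDLE_OR_LAST;
        }
        case NH_HOPOPTS_: case NH_ROUTING_: case NH_DSTOPTS_: {
            if (off + 8 > len) return FRAG_MALFORMED;
            size_t hlen = ((size_t)pkt[off + 1] + 1) * 8; /* Hdr Ext Len is in 8-octet units, excluding the first */
            if (off + hlen > len) return FRAG_MALFORMED;
            nh = pkt[off];
            off += hlen;
            break;
        }
        default:
            return FRAG_NONE; /* upper-layer header (e.g. TCP) reached first */
        }
    }
    return FRAG_MALFORMED;
}

/* Constructed sample: IPv6 fixed header + optional Fragment header + 20-byte TCP SYN.
 * frag_off is in 8-octet units; with_frag == 0 omits the Fragment header entirely. */
size_t build_sample(uint8_t *buf, int with_frag, uint16_t frag_off, int mf)
{
    memset(buf, 0, 68);
    size_t payload_len = (with_frag ? 8 : 0) + 20;
    buf[0] = 0x60;                               /* version 6 */
    buf[4] = (uint8_t)(payload_len >> 8); buf[5] = (uint8_t)payload_len;
    buf[6] = with_frag ? NH_FRAGMENT_ : NH_TCP_;
    buf[7] = 64;                                 /* hop limit */
    buf[8] = 0x20; buf[9] = 0x01; buf[10] = 0x0d; buf[11] = 0xb8; buf[23] = 1; /* src 2001:db8::1 */
    buf[24] = 0x20; buf[25] = 0x01; buf[26] = 0x0d; buf[27] = 0xb8; buf[39] = 2; /* dst 2001:db8::2 */
    size_t off = 40;
    if (with_frag) {
        uint16_t fo_flags = (uint16_t)((frag_off << 3) | (mf ? 1 : 0));
        buf[40] = NH_TCP_;                       /* next header after the Fragment header */
        buf[42] = (uint8_t)(fo_flags >> 8); buf[43] = (uint8_t)fo_flags;
        buf[44] = 0x12; buf[45] = 0x34; buf[46] = 0x56; buf[47] = 0x78; /* identification */
        off = 48;
    }
    buf[off] = 0x9c; buf[off + 1] = 0x40;        /* sport 40000 */
    buf[off + 3] = 0x50;                         /* dport 80 */
    buf[off + 12] = 0x50; buf[off + 13] = 0x02;  /* data offset 5, SYN */
    return 40 + payload_len;
}

int classify_sample(int with_frag, uint16_t frag_off, int mf)
{
    uint8_t buf[68];
    size_t n = build_sample(buf, with_frag, frag_off, mf);
    return classify_ipv6_fragment(buf, n);
}

int main(void)
{
    printf("NAT64-style single fragment (offset 0, MF clear): %d\n", classify_sample(1, 0, 0));
    printf("first fragment (offset 0, MF set):               %d\n", classify_sample(1, 0, 1));
    printf("later fragment (offset 185):                     %d\n", classify_sample(1, 185, 0));
    printf("no Fragment header:                              %d\n", classify_sample(0, 0, 0));
    return 0;
}
```

The FRAG_ATOMIC case is exactly the shape of packet that the unpatched 2.6.32 kernel counted as INVALID in the FORWARD chain above: there is a Fragment header, but nothing to reassemble, so a stateful firewall has to treat it like an unfragmented packet to track the connection correctly.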
tags: | added: lucid |
The following change was made for 2.6.34 but did not make it into stable releases before.
commit 9e2dcf72023d1447f09c47d77c99b0c49659e5ce
Author: Patrick McHardy <email address hidden>
Date: Fri Feb 19 18:18:37 2010 +0100
netfilter: nf_conntrack_reasm: properly handle packets fragmented into a
single fragment
In https://bugs.launchpad.net/ubuntu/+source/linux/+bug/788637 it is confirmed to be fixing the 2.6.32 case. So this seems like a candidate for .33 and .32 at least.
-Stefan