ipv6 conntrack fails to match certain packets with fragmentation header

Bug #788637 reported by Nathan Lutchansky on 2011-05-26
Affects          Status  Importance  Assigned to  Milestone
linux (Ubuntu)           Low         Unassigned
  Lucid                  Undecided   Unassigned
  Maverick               Undecided   Unassigned
  Natty                  Undecided   Unassigned
  Oneiric                Low         Unassigned

Bug Description

Binary package hint: linux-image-2.6.32-31-server

Linux kernels prior to 2.6.34 have a bug which causes IPv6 packets containing a fragmentation header with offset=0 and the MF bit clear to not be properly matched by IPv6 conntrack. These kinds of packets are becoming much more common on the Internet because RFC6145-compliant NAT64 implementations specify that this header should be added to any translated IPv4 packet with the DF bit clear.

I have attached the upstream patch that fixed the problem in 2.6.34. I have confirmed that it applies to Lucid's 2.6.32-31 and fixes the problem.

To demonstrate the problem more clearly, here is what happens when stock Ubuntu 2.6.32-31 from Lucid tries to match a NAT64-translated HTTP session to Google:

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
   40 30503 ACCEPT all * * ::/0 ::/0 state ESTABLISHED
    0 0 ACCEPT all * * ::/0 ::/0 state RELATED
    5 686 ACCEPT all * * ::/0 ::/0 state NEW
   24 1735 ACCEPT all * * ::/0 ::/0 state INVALID

Note all the INVALID packets, and there should only be a single NEW packet.

With the patch applied, here is the result:

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
   66 32707 ACCEPT all * * ::/0 ::/0 state ESTABLISHED
    0 0 ACCEPT all * * ::/0 ::/0 state RELATED
    1 80 ACCEPT all * * ::/0 ::/0 state NEW
    0 0 ACCEPT all * * ::/0 ::/0 state INVALID

This is the correct and expected result.

Please apply the attached patch to the Lucid kernel so that Lucid can be used as an IPv6 stateful firewall.
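As an added illustration (not code from the bug report or from the kernel patch), the following Python walks the IPv6 extension-header chain of a raw packet and flags the exact shape the report describes: a Fragment header present with offset 0 and the M (more fragments) bit clear, as NAT64 produces for translated IPv4 packets with DF clear. The sample packets, addresses and the zero-filled TCP header are constructed for the demo; the helper names are assumptions.

```python
import struct

# IPv6 next-header values (IANA protocol numbers).
HOPOPTS, ROUTING, FRAGMENT, DSTOPTS, TCP = 0, 43, 44, 60, 6
EXT_HEADERS = {HOPOPTS, ROUTING, FRAGMENT, DSTOPTS}

def classify_fragment(pkt: bytes) -> dict:
    """Walk the extension-header chain of a raw IPv6 packet and describe its
    Fragment header, if any.  'atomic' is True for the case this bug is about:
    Fragment header present, offset 0, M bit clear (a single-fragment packet)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, pos = pkt[6], 40
    info = {"has_frag_hdr": False, "offset": None, "more": None, "atomic": False}
    while nh in EXT_HEADERS:
        if nh == FRAGMENT:
            if len(pkt) < pos + 8:
                raise ValueError("truncated Fragment header")
            # Fragment header: next hdr, reserved, offset(13)|res(2)|M(1), identification
            nh, _, frag, _ident = struct.unpack_from("!BBHI", pkt, pos)
            offset, more = frag >> 3, bool(frag & 1)
            info.update(has_frag_hdr=True, offset=offset, more=more,
                        atomic=(offset == 0 and not more))
            pos += 8
        else:
            if len(pkt) < pos + 2:
                raise ValueError("truncated extension header")
            # Hop-by-Hop/Routing/Dest options: Hdr Ext Len counts 8-octet units past the first 8.
            nh, ext_len = pkt[pos], pkt[pos + 1]
            pos += (ext_len + 1) * 8
    info["upper_proto"] = nh
    return info

def build_ipv6(next_header: int, payload: bytes, src: bytes, dst: bytes) -> bytes:
    """Minimal IPv6 header: version 6, zero traffic class/flow label, hop limit 64."""
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + src + dst + payload

def build_frag_hdr(next_header: int, offset: int, more: bool, ident: int) -> bytes:
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | int(more), ident)

# Constructed addresses: a documentation-prefix host and 64:ff9b::192.0.2.1
# (NAT64 well-known prefix embedding an IPv4 documentation address).
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("0064ff9b000000000000000000000000")[:12] + bytes([192, 0, 2, 1])
TCP_STUB = bytes(20)  # constructed placeholder for a TCP header; contents are irrelevant here

# The NAT64 case from the report: Fragment header with offset 0 and M clear.
ATOMIC_FRAGMENT = build_ipv6(FRAGMENT, build_frag_hdr(TCP, 0, False, 0x1234) + TCP_STUB, SRC, DST)
# A genuine first fragment (offset 0, M set) and a plain unfragmented packet, for comparison.
FIRST_FRAGMENT = build_ipv6(FRAGMENT, build_frag_hdr(TCP, 0, True, 0x1234) + TCP_STUB, SRC, DST)
PLAIN_TCP = build_ipv6(TCP, TCP_STUB, SRC, DST)
```

Run over a capture from the firewall's forwarding path, a high count of `atomic` packets alongside INVALID-state counters like those above points at this conntrack behaviour rather than at genuinely malformed traffic.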

tags: added: lucid

The following change was made for 2.6.34 but did not make it into stable
releases before.

commit 9e2dcf72023d1447f09c47d77c99b0c49659e5ce
Author: Patrick McHardy <email address hidden>
Date: Fri Feb 19 18:18:37 2010 +0100

     netfilter: nf_conntrack_reasm: properly handle packets fragmented into a
     single fragment

In https://bugs.launchpad.net/ubuntu/+source/linux/+bug/788637 it is confirmed
to be fixing the 2.6.32 case. So this seems like a candidate for .33 and .32 at
least.

-Stefan

Changed in linux (Ubuntu):
importance: Undecided → Low
status: New → Triaged
Stefan Bader (smb) wrote:

Above mail sent to stable mailing list.

On Mon, May 30, 2011 at 10:25:32AM +0200, Stefan Bader wrote:
> The following change was made for 2.6.34 but did not make it into
> stable releases before.
>
> commit 9e2dcf72023d1447f09c47d77c99b0c49659e5ce
> Author: Patrick McHardy <email address hidden>
> Date: Fri Feb 19 18:18:37 2010 +0100
>
> netfilter: nf_conntrack_reasm: properly handle packets fragmented into a
> single fragment
>
> In https://bugs.launchpad.net/ubuntu/+source/linux/+bug/788637 it is
> confirmed to be fixing the 2.6.32 case. So this seems like a
> candidate for .33 and .32 at least.

Now queued up, thanks.

greg k-h

Looks like this patch was applied to Lucid, Maverick, Natty, and Oneiric. Marking Fix Released for all series. Thanks.

Changed in linux (Ubuntu Oneiric):
status: Triaged → Fix Released
Changed in linux (Ubuntu Natty):
status: New → Fix Released
Changed in linux (Ubuntu Maverick):
status: New → Fix Released
Changed in linux (Ubuntu Lucid):
status: New → Fix Released