ufw

Comment 2 for bug 720605

Jamie Strandboge (jdstrand) wrote :

Thank you for using ufw and reporting a bug. First off, you are right about ff00::1/8 and ff00::2/8. Not sure what happened there... clearly a think-o and I have committed that change to trunk.

As for the dropping sane multicast traffic part, I can confirm the behavior, but I am still thinking about it. What is happening is that the reply goes out, but the kernel is marking the reply as INVALID. E.g. (this requires a patch from trunk to clearly log the packet as INVALID):
$ sudo ufw medium
$ ping6 -c 1 ff02::1%eth0
Mar 21 16:58:51 foo kernel: [4439947.485144] [UFW ALLOW] IN= OUT=eth0 SRC=fe80:0000:0000:0000:0200:1122:3344:5566 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=1065 SEQ=1
Mar 21 16:58:51 foo kernel: [4439947.485588] [UFW AUDIT] IN=eth0 OUT= MAC= SRC=fe80:0000:0000:0000:0200:1122:3344:5566 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=1065 SEQ=1
Mar 21 16:58:51 foo kernel: [4439947.487214] [UFW BLOCK INVALID] IN=eth0 OUT= MAC=... SRC=fe80:0000:0000:0000:0200:1122:3344:5577 DST=fe80:0000:0000:0000:0200:1122:3344:5566 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=129 CODE=0 ID=1065 SEQ=1
Mar 21 16:58:51 foo kernel: [4439947.487609] [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=fe80:0000:0000:0000:0200:1122:3344:5577 DST=fe80:0000:0000:0000:0200:1122:3344:5566 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=129 CODE=0 ID=1065 SEQ=1
Mar 21 16:58:51 foo kernel: [4439947.488253] [UFW BLOCK INVALID] IN=eth0 OUT= MAC=... SRC=fe80:0000:0000:0000:0200:1122:3344:5588 DST=fe80:0000:0000:0000:0200:1122:3344:5566 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=129 CODE=0 ID=1065 SEQ=1
Mar 21 16:58:51 foo kernel: [4439947.488644] [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=fe80:0000:0000:0000:0200:1122:3344:5588 DST=fe80:0000:0000:0000:0200:1122:3344:5566 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=129 CODE=0 ID=1065 SEQ=1

Notice the two PROTO=ICMPv6 TYPE=129 (echo reply) packets are blocked. I will probably fix this with what you suggested, but want to think about it some more.
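An added example, not code from ufw or from this thread, that parses the kernel log format shown above and pairs each outbound multicast echo request with the echo replies ufw logged as BLOCK INVALID; the sample lines are constructed in that same format, and the field names (IN, OUT, SRC, DST, PROTO, TYPE, ID, SEQ) are the ones visible in the log.

```python
"""Spot ICMPv6 echo replies to a multicast ping that conntrack marked INVALID.

Constructed sample: one echo request (TYPE=128) sent to ff02::1, then two
replies (TYPE=129) from different link-local hosts. Conntrack only knows the
flow to the multicast group, so unicast replies match no entry -> INVALID.
"""
import ipaddress
import re

SAMPLE_LOG = """\
Mar 21 16:58:51 foo kernel: [4439947.485144] [UFW ALLOW] IN= OUT=eth0 SRC=fe80:0000:0000:0000:0200:1122:3344:5566 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=1065 SEQ=1
Mar 21 16:58:51 foo kernel: [4439947.487214] [UFW BLOCK INVALID] IN=eth0 OUT= MAC=... SRC=fe80:0000:0000:0000:0200:1122:3344:5577 DST=fe80:0000:0000:0000:0200:1122:3344:5566 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=129 CODE=0 ID=1065 SEQ=1
Mar 21 16:58:51 foo kernel: [4439947.488253] [UFW BLOCK INVALID] IN=eth0 OUT= MAC=... SRC=fe80:0000:0000:0000:0200:1122:3344:5588 DST=fe80:0000:0000:0000:0200:1122:3344:5566 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=129 CODE=0 ID=1065 SEQ=1
"""

TAG_RE = re.compile(r"\[UFW ([A-Z ]+)\] (.*)$")


def parse_line(line):
    """Return (action, {field: value}) for a ufw kernel log line, else None."""
    m = TAG_RE.search(line)
    if not m:
        return None
    fields = {}
    for tok in m.group(2).split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v          # empty values (e.g. "IN=") become ""
    return m.group(1), fields


def find_invalid_multicast_replies(log_text):
    """Pair outbound echo requests to a multicast group with replies dropped
    as INVALID, matched on the ICMPv6 (ID, SEQ) pair. Returns a list of dicts."""
    requests = {}   # (ID, SEQ) -> multicast group the request was sent to
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        action, f = parsed
        if f.get("PROTO") != "ICMPv6":
            continue
        key = (f.get("ID"), f.get("SEQ"))
        dst = f.get("DST", "")
        if f.get("TYPE") == "128" and f.get("OUT") and ipaddress.ip_address(dst).is_multicast:
            requests[key] = dst
        elif f.get("TYPE") == "129" and action == "BLOCK INVALID" and key in requests:
            findings.append({"group": requests[key], "replier": f["SRC"],
                             "id": key[0], "seq": key[1]})
    return findings


if __name__ == "__main__":
    for hit in find_invalid_multicast_replies(SAMPLE_LOG):
        print(f"reply to ping of {hit['group']} from {hit['replier']} dropped as INVALID")
```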