Re: IPv6 Parameter problem with no ICMPv6 response ?

2018-02-05 Thread David McCullough

Pablo Neira Ayuso wrote the following:
> On Mon, Feb 05, 2018 at 01:16:08PM +0100, Pablo Neira Ayuso wrote:
> > On Mon, Feb 05, 2018 at 01:58:26PM +1000, David McCullough wrote:
> > > 
> > > Hi devel,
> > > 
> > > I am looking for some feedback on IPv6 behaviour with/without netfilter in
> > > the path.  We are in process of some IPv6 certification at a lab.
> > > 
> > > RFC2460 has a bunch of conditions under which certain ICMPv6 responses
> > > should be sent.  This is even commented in the code.
> > > 
> > > linux/net/ipv6/reassembly.c:255
> > > /* Check if the fragment is rounded to 8 bytes.
> > >  * Required by the RFC.
> > >  */
> > > if (end & 0x7) {
> > > /* RFC2460 says always send parameter problem in
> > >  * this case. -DaveM
> > >  */
> > > __IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
> > > IPSTATS_MIB_INHDRERRORS);
> > > icmpv6_param_prob(skb, ICMPV6_HDR_FIELD,
> > >   offsetof(struct ipv6hdr, payload_len));
> > > return -1;
> > > }
> > > 
> > > linux/net/ipv6/netfilter/nf_conntrack_reasm.c:259
> > > /* Check if the fragment is rounded to 8 bytes.
> > >  * Required by the RFC.
> > >  */
> > > if (end & 0x7) {
> > > /* RFC2460 says always send parameter problem in
> > >  * this case. -DaveM
> > >  */
> > > pr_debug("end of fragment not rounded to 8 bytes.\n");
> > > return -1;  
> > > }
> > > 
> > > The behaviour of the non-netfilter code is what the certification is expecting.
> > > We are using conntracking though and I can see no way to avoid the above
> > > netfilter code from silently dropping the packet and not responding correctly.
> > > 
> > > We experimented with the patch below and it provided the appropriate
> > > responses but we were not sure this is the best approach.  Happy to send in
> > > a proper patch if this looks ok.
> > 
> > Probably you're referring to this fix?
> > 
> > commit 83f1999caeb14e15df205e80d210699951733287
> > Author: Subash Abhinov Kasiviswanathan 
> > Date:   Fri Jan 12 17:36:27 2018 -0700
> > 
> > netfilter: ipv6: nf_defrag: Pass on packets to stack per RFC2460
> 
> You will also need this follow up amendment on top of it:
> 
> commit ea23d5e3bf340e413b8e05c13da233c99c64142b
> Author: Subash Abhinov Kasiviswanathan 
> Date:   Wed Jan 31 04:50:01 2018 -0700
> 
> netfilter: ipv6: nf_defrag: Kill frag queue on RFC2460 failure

Awesome,  thanks, wasn't aware of the patch,   will check it out,

Cheers,
Davidm

-- 
David McCullough,  david.mccullo...@accelerated.com,   Ph: 0410 560 763
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: IPv6 Parameter problem with no ICMPv6 response ?

2018-02-05 Thread Pablo Neira Ayuso
On Mon, Feb 05, 2018 at 01:16:08PM +0100, Pablo Neira Ayuso wrote:
> On Mon, Feb 05, 2018 at 01:58:26PM +1000, David McCullough wrote:
> > 
> > Hi devel,
> > 
> > I am looking for some feedback on IPv6 behaviour with/without netfilter in
> > the path.  We are in process of some IPv6 certification at a lab.
> > 
> > RFC2460 has a bunch of conditions under which certain ICMPv6 responses
> > should be sent.  This is even commented in the code.
> > 
> > linux/net/ipv6/reassembly.c:255
> > /* Check if the fragment is rounded to 8 bytes.
> >  * Required by the RFC.
> >  */
> > if (end & 0x7) {
> > /* RFC2460 says always send parameter problem in
> >  * this case. -DaveM
> >  */
> > __IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
> > IPSTATS_MIB_INHDRERRORS);
> > icmpv6_param_prob(skb, ICMPV6_HDR_FIELD,
> >   offsetof(struct ipv6hdr, payload_len));
> > return -1;
> > }
> > 
> > linux/net/ipv6/netfilter/nf_conntrack_reasm.c:259
> > /* Check if the fragment is rounded to 8 bytes.
> >  * Required by the RFC.
> >  */
> > if (end & 0x7) {
> > /* RFC2460 says always send parameter problem in
> >  * this case. -DaveM
> >  */
> > pr_debug("end of fragment not rounded to 8 bytes.\n");
> > return -1;  
> > }
> > 
> > The behaviour of the non-netfilter code is what the certification is expecting.
> > We are using conntracking though and I can see no way to avoid the above
> > netfilter code from silently dropping the packet and not responding correctly.
> > 
> > We experimented with the patch below and it provided the appropriate
> > responses but we were not sure this is the best approach.  Happy to send in
> > a proper patch if this looks ok.
> 
> Probably you're referring to this fix?
> 
> commit 83f1999caeb14e15df205e80d210699951733287
> Author: Subash Abhinov Kasiviswanathan 
> Date:   Fri Jan 12 17:36:27 2018 -0700
> 
> netfilter: ipv6: nf_defrag: Pass on packets to stack per RFC2460

You will also need this follow up amendment on top of it:

commit ea23d5e3bf340e413b8e05c13da233c99c64142b
Author: Subash Abhinov Kasiviswanathan 
Date:   Wed Jan 31 04:50:01 2018 -0700

netfilter: ipv6: nf_defrag: Kill frag queue on RFC2460 failure



Re: IPv6 Parameter problem with no ICMPv6 response ?

2018-02-05 Thread Pablo Neira Ayuso
On Mon, Feb 05, 2018 at 01:58:26PM +1000, David McCullough wrote:
> 
> Hi devel,
> 
> I am looking for some feedback on IPv6 behaviour with/without netfilter in
> the path.  We are in process of some IPv6 certification at a lab.
> 
> RFC2460 has a bunch of conditions under which certain ICMPv6 responses
> should be sent.  This is even commented in the code.
> 
> linux/net/ipv6/reassembly.c:255
> /* Check if the fragment is rounded to 8 bytes.
>  * Required by the RFC.
>  */
> if (end & 0x7) {
> /* RFC2460 says always send parameter problem in
>  * this case. -DaveM
>  */
> __IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
> IPSTATS_MIB_INHDRERRORS);
> icmpv6_param_prob(skb, ICMPV6_HDR_FIELD,
>   offsetof(struct ipv6hdr, payload_len));
> return -1;
> }
> 
> linux/net/ipv6/netfilter/nf_conntrack_reasm.c:259
> /* Check if the fragment is rounded to 8 bytes.
>  * Required by the RFC.
>  */
> if (end & 0x7) {
> /* RFC2460 says always send parameter problem in
>  * this case. -DaveM
>  */
> pr_debug("end of fragment not rounded to 8 bytes.\n");
> return -1;  
> }
> 
> The behaviour of the non-netfilter code is what the certification is expecting.
> We are using conntracking though and I can see no way to avoid the above
> netfilter code from silently dropping the packet and not responding correctly.
> 
> We experimented with the patch below and it provided the appropriate
> responses but we were not sure this is the best approach.  Happy to send in
> a proper patch if this looks ok.

Probably you're referring to this fix?

commit 83f1999caeb14e15df205e80d210699951733287
Author: Subash Abhinov Kasiviswanathan 
Date:   Fri Jan 12 17:36:27 2018 -0700

netfilter: ipv6: nf_defrag: Pass on packets to stack per RFC2460
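
To make the RFC 2460 rule discussed in the thread concrete, here is an added example (not code from the thread, the kernel, or the cited commits) that applies the same `end & 0x7` test from net/ipv6/reassembly.c to a raw IPv6 fragment and reports the ICMPv6 Parameter Problem (type, code, pointer) a conforming host is expected to send. It assumes the Fragment header directly follows the fixed IPv6 header; `check_fragment` and `make_fragment` are hypothetical names and the packets are constructed test input.

```python
import struct

# Kernel identifiers quoted in the thread, with their RFC 2460 / RFC 4443 values.
NEXTHDR_FRAGMENT = 44
ICMPV6_PARAM_PROB = 4      # ICMPv6 type: Parameter Problem
ICMPV6_HDR_FIELD = 0       # code 0: erroneous header field encountered
PAYLOAD_LEN_OFFSET = 4     # offsetof(struct ipv6hdr, payload_len)
IPV6_HDR_LEN = 40
FRAG_HDR_LEN = 8
IP6_MF = 0x0001            # "more fragments" flag in the Fragment header
IP6_OFFSET = 0xFFF8        # 13-bit fragment offset, already scaled to octets


def check_fragment(pkt: bytes):
    """Apply the RFC 2460 section 4.5 length rule that net/ipv6/reassembly.c
    enforces. Assumption: the Fragment header directly follows the fixed IPv6
    header. Returns None if the fragment is acceptable, else the
    (type, code, pointer) of the ICMPv6 Parameter Problem a host must send."""
    if len(pkt) < IPV6_HDR_LEN + FRAG_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet with room for a Fragment header")
    if pkt[6] != NEXTHDR_FRAGMENT:
        raise ValueError("next header is not Fragment (44)")
    payload_len = struct.unpack_from("!H", pkt, PAYLOAD_LEN_OFFSET)[0]
    frag_off = struct.unpack_from("!H", pkt, IPV6_HDR_LEN + 2)[0]
    # 'end' as the kernel computes it: fragment offset plus the number of
    # payload octets that follow the Fragment header.
    end = (frag_off & IP6_OFFSET) + (payload_len - FRAG_HDR_LEN)
    if frag_off & IP6_MF and end & 0x7:
        # Non-final fragment whose data is not a multiple of 8 octets:
        # discard it and point the Parameter Problem at Payload Length.
        return (ICMPV6_PARAM_PROB, ICMPV6_HDR_FIELD, PAYLOAD_LEN_OFFSET)
    return None


def make_fragment(data_len: int, offset: int = 0, more: bool = True) -> bytes:
    """Constructed test input: one IPv6 fragment carrying data_len zero octets
    between documentation addresses (2001:db8::1 -> 2001:db8::2)."""
    src = bytes.fromhex("20010db8" + "0" * 23 + "1")
    dst = bytes.fromhex("20010db8" + "0" * 23 + "2")
    ipv6 = struct.pack("!IHBB", 6 << 28, FRAG_HDR_LEN + data_len,
                       NEXTHDR_FRAGMENT, 64) + src + dst
    frag_off = (offset & IP6_OFFSET) | (IP6_MF if more else 0)
    # Fragment header: next header 59 (No Next Header), reserved, offset/M, id
    frag = struct.pack("!BBHI", 59, 0, frag_off, 0x1234)
    return ipv6 + frag + bytes(data_len)
```

A non-final fragment with 13 data octets yields (4, 0, 4), i.e. Parameter Problem, code 0, pointer to Payload Length, which is the response the certification expects and the pre-fix nf_conntrack_reasm path never produced.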
