Public bug reported:

Binary package hint: linux-image-2.6.32-31-server

Linux kernels prior to 2.6.34 have a bug which causes IPv6 packets
containing a fragmentation header with offset=0 and the MF bit clear to
not be properly matched by IPv6 conntrack. These kinds of packets are
becoming much more common on the Internet because RFC6145-compliant
NAT64 implementations specify that this header should be added to any
translated IPv4 packet with the DF bit clear.

I have attached the upstream patch that fixed the problem in 2.6.34.  I
have confirmed that it applies to Lucid's 2.6.32-31 and fixes the
problem.

To demonstrate the problem more clearly, here is what happens when stock
Ubuntu 2.6.32-31 from Lucid tries to match a NAT64-translated HTTP
session to Google:

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   40 30503 ACCEPT     all      *      *       ::/0                 ::/0                 state ESTABLISHED
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                 state RELATED
    5   686 ACCEPT     all      *      *       ::/0                 ::/0                 state NEW
   24  1735 ACCEPT     all      *      *       ::/0                 ::/0                 state INVALID

Note all the INVALID packets, and there should only be a single NEW
packet.

With the patch applied, here is the result:

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   66 32707 ACCEPT     all      *      *       ::/0                 ::/0                 state ESTABLISHED
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                 state RELATED
    1    80 ACCEPT     all      *      *       ::/0                 ::/0                 state NEW
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                 state INVALID

This is the correct and expected result.

Please apply the attached patch to the Lucid kernel so that Lucid can be
used as an IPv6 stateful firewall.

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/788637

Title:
  ipv6 conntrack fails to match certain packets with fragmentation
  header

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

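The header at the centre of this report is the IPv6 Fragment extension header (RFC 2460 section 4.5) carrying Fragment Offset = 0 and M = 0, the so-called "atomic fragment" that an RFC 6145 NAT64 prepends when it translates an IPv4 packet whose DF bit is clear. The following C program is an added example, not code from the bug report, the attached patch or the Linux kernel: it encodes and decodes that 8-byte header and classifies it the way a stateful inspection path has to, so that an offset-0/M-0 header is recognised as a whole packet to be handed on to L4 matching rather than queued for reassembly. The field names, the `frag_kind` enum and the sample identification value are this example's own assumptions; the 0xFFF9 mask (13 offset bits plus the M bit, reserved bits dropped) is the test for "not actually fragmented" used in the kernel's own IPv6 reassembly code.

```c
/* Added example (not from the bug report or the kernel patch): encode an
 * RFC 2460 IPv6 Fragment extension header and classify it the way a
 * conntrack/reassembly path must.  Wire layout (8 bytes, network order):
 *   Next Header (8) | Reserved (8) | Fragment Offset (13) | Res (2) | M (1)
 *   Identification (32)
 * offset == 0 and M == 0 is an "atomic fragment": the packet is whole and
 * must not be queued for reassembly.  RFC 6145 NAT64 emits exactly this
 * header for translated IPv4 packets that had DF clear. */
#include <stdint.h>
#include <stdio.h>

struct frag_hdr_fields {
    uint8_t  next_header;   /* protocol following this header, e.g. 6 = TCP */
    uint16_t offset;        /* fragment offset in 8-octet units, 0..8191 */
    int      more;          /* M flag: more fragments follow */
    uint32_t id;            /* identification shared by all fragments */
};

enum frag_kind { FRAG_ATOMIC, FRAG_FIRST, FRAG_MIDDLE, FRAG_LAST };

/* Serialize fields into the on-the-wire header.
 * Returns 0 on success, -1 if the offset does not fit in 13 bits. */
int frag_hdr_encode(const struct frag_hdr_fields *f, uint8_t out[8])
{
    if (f->offset > 0x1FFF)
        return -1;
    uint16_t off_m = (uint16_t)((f->offset << 3) | (f->more ? 1 : 0));
    out[0] = f->next_header;
    out[1] = 0;                       /* reserved, transmitted as zero */
    out[2] = (uint8_t)(off_m >> 8);
    out[3] = (uint8_t)(off_m & 0xFF);
    out[4] = (uint8_t)(f->id >> 24);
    out[5] = (uint8_t)(f->id >> 16);
    out[6] = (uint8_t)(f->id >> 8);
    out[7] = (uint8_t)(f->id);
    return 0;
}

/* Parse the wire header; the two Res bits are deliberately ignored. */
void frag_hdr_decode(const uint8_t in[8], struct frag_hdr_fields *f)
{
    uint16_t off_m = (uint16_t)((in[2] << 8) | in[3]);
    f->next_header = in[0];
    f->offset = off_m >> 3;
    f->more = off_m & 1;
    f->id = ((uint32_t)in[4] << 24) | ((uint32_t)in[5] << 16) |
            ((uint32_t)in[6] << 8) | in[7];
}

/* Atomic-fragment test.  Mask 0xFFF9 keeps the 13 offset bits and the M
 * bit and drops the 2 reserved bits: if nothing remains, the datagram is
 * complete and belongs in L4 matching, not in the reassembly queue. */
int frag_hdr_is_atomic(const uint8_t in[8])
{
    uint16_t off_m = (uint16_t)((in[2] << 8) | in[3]);
    return (off_m & 0xFFF9) == 0;
}

enum frag_kind frag_hdr_classify(const uint8_t in[8])
{
    struct frag_hdr_fields f;
    frag_hdr_decode(in, &f);
    if (f.offset == 0 && !f.more) return FRAG_ATOMIC;
    if (f.offset == 0)            return FRAG_FIRST;
    return f.more ? FRAG_MIDDLE : FRAG_LAST;
}

int main(void)
{
    /* Constructed sample: the header a NAT64 would prepend to a translated
     * TCP segment whose IPv4 original had DF clear (id is made up here). */
    struct frag_hdr_fields atomic = { 6, 0, 0, 0x0000BEEF };
    uint8_t wire[8];
    if (frag_hdr_encode(&atomic, wire) != 0)
        return 1;
    printf("atomic=%d kind=%d\n", frag_hdr_is_atomic(wire),
           frag_hdr_classify(wire));
    return 0;
}
```

A firewall that treats the FRAG_ATOMIC case like a FRAG_FIRST without a matching FRAG_LAST is what produces the INVALID counters in the report: every NAT64-translated packet looks like an incomplete fragment and never reaches the TCP state machine.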