Re: [Shorewall-users] shorewall6: IP fragementation getting blocked?

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

On 12/3/12 7:19 PM, Hugh Davenport wrote:
> Hey,
> 
> I have a setup that has one machine communicating to a server using UDP 
> over IPv6. For specifics, it is using collectd with a boosted 
> MaxPacketSize in the network config.
> 
> What this means is there is some IP fragmentation happening, and that 
> is getting REJECTed. My policy is to REJECT, and I have an ALLOW for the 
> particular communication I want. What I'm getting in my logs is (I've 
> logged the ACCEPT rule for clarity):
> 
> Dec  4 16:11:19 xxxx kernel: [67682.239124] 
> Shorewall:int2dmz:ACCEPT:IN=br1 OUT=br0 
> SRC=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx 
> DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=1496 TC=0 HOPLIMIT=63 
> FLOWLBL=0 FRAG:0 INCOMPLETE ID:56a39152 PROTO=UDP SPT=37801 DPT=25826 
> LEN=1905
> Dec  4 16:11:19 xxxx kernel: [67682.239148] 
> Shorewall:int2dmz:REJECT:IN=br1 OUT=br0 
> SRC=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx 
> DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=505 TC=0 HOPLIMIT=63 
> FLOWLBL=0 FRAG:1448 ID:56a39152 PROTO=UDP
> 
> The rule I have is:
> ACCEPT:info     int:br1:[xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx] \
>                          
> dmz:br0:[xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx] \
>                                  udp     25826
> 
> 
> Does anyone have any ideas on how I can ALLOW this fragmentation?

As I understand the traffic on Netfilter-devel, unless you are running a
recent 3.5+ kernel, IPv6 fragment handling in IPv6 is quite broken in
Netfilter.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________