From: Tom E. <te...@sh...> - 2012-12-04 03:51:21
On 12/3/12 7:19 PM, Hugh Davenport wrote:
> Hey,
>
> I have a setup that has one machine communicating to a server using UDP
> over IPv6. For specifics, it is using collectd with a boosted
> MaxPacketSize in the network config.
>
> What this means is there is some IP fragmentation happening, and that
> is getting REJECTed. My policy is to REJECT, and I have an ALLOW for the
> particular communication I want. What I'm getting in my logs is (I've
> logged the ACCEPT rule for clarity):
>
> Dec 4 16:11:19 xxxx kernel: [67682.239124]
> Shorewall:int2dmz:ACCEPT:IN=br1 OUT=br0
> SRC=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
> DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=1496 TC=0 HOPLIMIT=63
> FLOWLBL=0 FRAG:0 INCOMPLETE ID:56a39152 PROTO=UDP SPT=37801 DPT=25826
> LEN=1905
> Dec 4 16:11:19 xxxx kernel: [67682.239148]
> Shorewall:int2dmz:REJECT:IN=br1 OUT=br0
> SRC=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
> DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=505 TC=0 HOPLIMIT=63
> FLOWLBL=0 FRAG:1448 ID:56a39152 PROTO=UDP
>
> The rule I have is:
> ACCEPT:info int:br1:[xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx] \
>
> dmz:br0:[xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx] \
> udp 25826
>
>
> Does anyone have any ideas on how I can ALLOW this fragmentation?

As I understand the traffic on Netfilter-devel, unless you are running a
recent 3.5+ kernel, IPv6 fragment handling in IPv6 is quite broken in
Netfilter.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
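The two log lines Hugh quotes show the mechanism behind the REJECT: only the first fragment (FRAG:0) carries the UDP header, so it has SPT/DPT and matches the port-based ACCEPT rule, while the second fragment (FRAG:1448) has no transport header and falls through to the REJECT policy. The script below is an added example, not part of the thread or of Shorewall; it parses Shorewall/netfilter log lines of the quoted format and correlates fragments by SRC, DST and fragment ID so an admin can see which datagrams were accepted on their first fragment but dropped on a later one. The sample lines, hostname and 2001:db8:: addresses are constructed placeholders, and the function names are my own.

```python
import re
from collections import OrderedDict

# Constructed sample lines modelled on the Shorewall/netfilter log format quoted
# in the thread. Hostname, timestamps and 2001:db8:: addresses are placeholders.
SAMPLE_LOG = """\
Dec  4 16:11:19 fw kernel: [67682.239124] Shorewall:int2dmz:ACCEPT:IN=br1 OUT=br0 SRC=2001:db8:1::10 DST=2001:db8:2::20 LEN=1496 TC=0 HOPLIMIT=63 FLOWLBL=0 FRAG:0 INCOMPLETE ID:56a39152 PROTO=UDP SPT=37801 DPT=25826 LEN=1905
Dec  4 16:11:19 fw kernel: [67682.239148] Shorewall:int2dmz:REJECT:IN=br1 OUT=br0 SRC=2001:db8:1::10 DST=2001:db8:2::20 LEN=505 TC=0 HOPLIMIT=63 FLOWLBL=0 FRAG:1448 ID:56a39152 PROTO=UDP
Dec  4 16:11:20 fw kernel: [67682.301002] Shorewall:int2dmz:ACCEPT:IN=br1 OUT=br0 SRC=2001:db8:1::10 DST=2001:db8:2::20 LEN=148 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=UDP SPT=37802 DPT=25826 LEN=108
"""

# Shorewall prefixes its log entries with "Shorewall:<chain>:<verdict>:".
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<verdict>[A-Z]+):(?P<fields>.*)$")


def parse_line(line):
    """Parse one Shorewall log line into a dict; return None for non-matching lines.

    Fields are mostly KEY=VALUE; the fragment fields use KEY:VALUE (FRAG:0, ID:...)
    and INCOMPLETE is a bare flag. LEN appears twice on a first fragment: the
    IPv6 payload length, then the UDP length, which is stored here as L4LEN.
    """
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "verdict": m.group("verdict"), "flags": set()}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
        elif ":" in tok:
            key, val = tok.split(":", 1)
        else:
            rec["flags"].add(tok)
            continue
        if key == "LEN" and "LEN" in rec:
            rec["L4LEN"] = val
        else:
            rec[key] = val
    return rec


def parse_log(text):
    """Parse all lines, skipping anything that is not a Shorewall log entry."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def find_rejected_fragments(text):
    """Report each fragmented datagram whose first fragment was ACCEPTed but a
    later fragment (same SRC/DST/ID) was not.

    Only the first fragment (FRAG:0) carries the UDP header, so SPT/DPT are taken
    from it; non-first fragments have no ports for a port-based rule to match.
    """
    groups = OrderedDict()
    for rec in parse_log(text):
        if "FRAG" not in rec:
            continue  # unfragmented packet, nothing to correlate
        key = (rec["SRC"], rec["DST"], rec["ID"])
        groups.setdefault(key, []).append(rec)

    reports = []
    for (src, dst, frag_id), recs in groups.items():
        first = next((r for r in recs if r["FRAG"] == "0"), None)
        rejected = [r["FRAG"] for r in recs
                    if r["FRAG"] != "0" and r["verdict"] != "ACCEPT"]
        if first is None or first["verdict"] != "ACCEPT" or not rejected:
            continue
        reports.append({
            "id": frag_id, "src": src, "dst": dst,
            "proto": first.get("PROTO"), "spt": first.get("SPT"), "dpt": first.get("DPT"),
            "rejected_offsets": rejected,
        })
    return reports


if __name__ == "__main__":
    for rep in find_rejected_fragments(SAMPLE_LOG):
        print(f"ID {rep['id']}: {rep['proto']} [{rep['src']}]:{rep['spt']} -> "
              f"[{rep['dst']}]:{rep['dpt']} first fragment accepted, "
              f"fragment(s) at offset {', '.join(rep['rejected_offsets'])} rejected")
```

Run against a real log it will list one entry per datagram that was partially dropped, together with the ports recovered from the first fragment, which is the quickest way to confirm that a REJECT on a FRAG:&lt;offset&gt; line belongs to a flow you intended to allow rather than to unrelated traffic.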