top button
Flag Notify
    Connect to us
      Site Registration

Site Registration

Dropping UNTRACKED packets, breaks IPv6 - why?

0 votes
565 views

I usually have some default rules in place on all nodes which look about like this:

-A INPUT --in-interface lo -j ACCEPT
-A OUTPUT --out-interface lo -j ACCEPT

-A INPUT -m state --state UNTRACKED -j DROP
-A FORWARD -m state --state UNTRACKED -j DROP
-A OUTPUT -m state --state UNTRACKED -j DROP

-A INPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP

#handle IPsec only sources/destinations
#snip/snap

#allow incoming packets for all established and all related connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#allow incoming ICMP packets
-A INPUT --protocol icmpv6 -j ACCEPT

And the same for IPv4.

The idea with dropping the UNTRACKED/INVALID was that such packages are probably not good fellows and should stay out...

Okay... now with IPv4 everything works as expected...

But with v6 nothing works at all and I get Destination unreachable (even on pings)... I can't even reach the gateway.

When I disable dropping the untracked packets... it starts working,..even when afterwards I enable it again.
Seems that there is some connection between the host an the gateway shown then by conntrack.

Now... question is why?

posted Jul 26, 2013 by Sumit Pokharna

Share this question
Facebook Share Button Twitter Share Button LinkedIn Share Button

2 Answers

+1 vote

You should not blindly drop UNTRACKED or INVALID IPv6 packets.

Originally, ICMPv6 types related to NDP (Neighbour Discovery Protocol), i.e. Router Solicitation and Router Advertisement (used for stateless autoconfiguration), Neighbour Solicitation and Neighbour Advertisement
(used as a replacement for ARP request and reply), and a few others had the INVALID state. However these types are required for proper IPv6 operation on ethernet-like links. Since kernel 2.6.29, they are not tracked any more and have the UNTRACKED state. See the commit below.

commit 3f9007135c1dc896db9a9e35920aafc65b157230
Author: Eric Leblond
Date: Mon Feb 9 14:33:20 2009 -0800

netfilter: nf_conntrack_ipv6: don't track ICMPv6 negotiation message

This patch removes connection tracking handling for ICMPv6 messages related to Stateless Address Autoconfiguration, MLD, and MLDv2. They can not be tracked because they are massively using multicast (on pre-defined address). But they are not invalid and should not be detected as such.

Signed-off-by: Eric Leblond
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller

answer Jul 27, 2013 by Sonu Jindal
0 votes
  1. Could you provide a ip6tables-save format ruleset?
  2. What is the default policy? I guess you are not allowing ICMP messages in OUTPUT. ICMP messages are important in IPv6.
answer Jul 26, 2013 by Salil Agrawal
Similar Questions
+2 votes

I have a process which is running as a linux service and assigns IP addresses using netlink to configued interface in linux.
For IPv4 addresses i do not see any issue with this assignment.

When i try to assign an IPv6 address, the address gets assigned successfully to the interface, but the Neighbour Solication request received for that address is not responded with and hence ping6 from a different machine doesn't work.

When i take the same netlink code and run it in a sample program the address gets assigned and the Neighbour solicitation is responded with a advertisement and hence ping6 works.

IP assigned by the program : 7000::15/32
IP on client machine from where ping6 is done : 7000::17/32.

Bot machines are connected to same Layer-2 switch.

I have flushed the ip6tables on both the machines just to rule out any firewall issues.

0 votes

I'm afraid that I've done an incredibly stupid thing. First. I removed IPV6 from my system. Second, I upgraded to Ubuntu13.04. Third, I misplaced the instructions for deleting IPV6. Now, I evidently need IPV6 and don't know how to reverse my past sins can someone help me out? I think that I removed ipV6 by changing a configuration file and then remaking Grub.

I can't even find the configuration file in 13.04.

+3 votes

When I read wiki , its written like this

As of 6 February 2010, multihoming in the next-generation Internet Protocol (IPv6) 
was not yet standardized

Is it supported now ?

+3 votes

Is IPv6 a must for LTE? Can we have a device supporting only IPv4 or can operator launch a service with IPV4 support?

...