[prev in list] [next in list] [prev in thread] [next in thread] 

List:       netfilter
Subject:    Re: IPv6 connection tracking mDNS
From:       Pascal Hambourg <pascal () plouf ! fr ! eu ! org>
Date:       2013-05-25 13:43:13
Message-ID: 51A0BFF1.8070309 () plouf ! fr ! eu ! org
[Download RAW message or body]

Hello,

Christian Hesse a écrit :
> 
> I have problems with my IPv6 firewall concerning connection tracking and
> mDNS. This is part of the rules:
> 
> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -m conntrack --ctstate INVALID -j DROP
> -A INPUT -s fe80::/64 -d ff02::fb -p udp -j LOG --log-prefix "DEBUG1: "
> -A INPUT -s fe80::/64 -d ff02::fb -p udp --dport 5353 -j ACCEPT
> [...]
> -A INPUT -j LOG --log-prefix "DEBUG2: "
> -A INPUT -j REJECT
> 
> So why is the connection not tracked? I would expect the fragment to belong
> to an established connection and accepted.

mDNS uses multicast, and AFAIK netfilter connection tracking does not
(yet ?) handle multicast because the source/destination addresses in the
reply packet do not match those in the request packet, so it does not
qualify as a "connection" by the conntrack standards.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[prev in list] [next in list] [prev in thread] [next in thread]