touch-packages team mailing list archive

Thread
Date

[Bug 1509725] [NEW] Some ICMPv6 packets rejected due to rule ordering

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Saikrishna Arcot <saiarcot895@xxxxxxxxx>
Date: Sat, 24 Oct 2015 22:15:32 -0000
Reply-to: Bug 1509725 <1509725@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

In the default before6.rules file, the following lines:

# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw6-before-input -m conntrack --ctstate INVALID -j ufw6-logging-deny
-A ufw6-before-input -m conntrack --ctstate INVALID -j DROP

are present before the ICMPv6 rules. The problem is that this also
captures echo replies (but, somehow, allows echo requests) and some IPv6
routing announcements. If I try to ping ff02::1 to ping all devices on
the local network, I only get a response from my own device.

Moving those three lines towards the end of the file (after all ICMP
rules and before the COMMIT) fixes the issue.

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: ufw 0.34-2
Uname: Linux 4.3.0-rc5arcot x86_64
ApportVersion: 2.19.1-0ubuntu3
Architecture: amd64
CurrentDesktop: KDE
Date: Sat Oct 24 18:07:40 2015
InstallationDate: Installed on 2012-10-19 (1099 days ago)
InstallationMedia: Ubuntu 12.10 "Quantal Quetzal" - Release amd64 (20121017.5)
PackageArchitecture: all
SourcePackage: ufw
UpgradeStatus: Upgraded to wily on 2015-02-28 (238 days ago)
mtime.conffile..etc.ufw.sysctl.conf: 2015-08-08T23:49:55.322401

** Affects: ufw (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug wily

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ufw in Ubuntu.
https://bugs.launchpad.net/bugs/1509725

Title:
  Some ICMPv6 packets rejected due to rule ordering

Status in ufw package in Ubuntu:
  New

Bug description:
  In the default before6.rules file, the following lines:

  # drop INVALID packets (logs these in loglevel medium and higher)
  -A ufw6-before-input -m conntrack --ctstate INVALID -j ufw6-logging-deny
  -A ufw6-before-input -m conntrack --ctstate INVALID -j DROP

  are present before the ICMPv6 rules. The problem is that this also
  captures echo replies (but, somehow, allows echo requests) and some
  IPv6 routing announcements. If I try to ping ff02::1 to ping all
  devices on the local network, I only get a response from my own
  device.

  Moving those three lines towards the end of the file (after all ICMP
  rules and before the COMMIT) fixes the issue.

  ProblemType: Bug
  DistroRelease: Ubuntu 15.10
  Package: ufw 0.34-2
  Uname: Linux 4.3.0-rc5arcot x86_64
  ApportVersion: 2.19.1-0ubuntu3
  Architecture: amd64
  CurrentDesktop: KDE
  Date: Sat Oct 24 18:07:40 2015
  InstallationDate: Installed on 2012-10-19 (1099 days ago)
  InstallationMedia: Ubuntu 12.10 "Quantal Quetzal" - Release amd64 (20121017.5)
  PackageArchitecture: all
  SourcePackage: ufw
  UpgradeStatus: Upgraded to wily on 2015-02-28 (238 days ago)
  mtime.conffile..etc.ufw.sysctl.conf: 2015-08-08T23:49:55.322401

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ufw/+bug/1509725/+subscriptions