Date: Thu, 21 Mar 2024 21:52:27 +0100
From: Pablo Neira Ayuso
To: Linus Lüssing
Cc: netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Jozsef Kadlecsik, Florian Westphal, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Dietmar Maurer, Thomas Lamprecht, Wolfgang Bumiller, Alexandre Derumier
Subject: Re: [PATCH net] netfilter: conntrack: fix ct-state for ICMPv6 Multicast Router Discovery
References: <20240306141805.17679-1-linus.luessing@c0d3.blue>
In-Reply-To: <20240306141805.17679-1-linus.luessing@c0d3.blue>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Mar 06, 2024 at 03:18:04PM +0100, Linus Lüssing wrote:
> So far Multicast Router Advertisements and Multicast Router
> Solicitations from the Multicast Router Discovery protocol (RFC4286)
> would be marked as INVALID for IPv6, even if they are in fact intact
> and adhering to RFC4286.

There is also RFC4890, which specifies that firewalls that also act as multicast routers need to process these messages on their interfaces.

> This broke MRA reception and by that multicast reception on
> IPv6 multicast routers in a Proxmox managed setup, where Proxmox
> would install a rule like "-m conntrack --ctstate INVALID -j DROP"
> at the top of the FORWARD chain with br-nf-call-ip6tables enabled
> by default.
>
> Similar to how it's done for MLDv1, MLDv2 and IPv6 Neighbor Discovery
> already, fix this issue by excluding MRD from connection tracking
> handling as MRD always uses predefined multicast destinations
> for its messages, too. This changes the ct-state for ICMPv6 MRD messages
> from INVALID to UNTRACKED.

An explicit rule will still be needed to accept this traffic, assuming default policy to drop.
I think that the issue is likely that this "drop invalid" rule is at the very beginning of the ruleset.

Anyway, turning this from invalid to untracked seems sensible to me. Users will still have to explicitly allow for this in their ruleset, assuming default policy to drop.

I am going to include your Fixes: tag and pass up this patch upstream.

Thanks.

> This issue was found and fixed with the help of the mrdisc tool
> (https://github.com/troglobit/mrdisc).
>
> Signed-off-by: Linus Lüssing
> ---
>  include/uapi/linux/icmpv6.h               | 1 +
>  net/netfilter/nf_conntrack_proto_icmpv6.c | 4 +++-
>  2 files changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/include/uapi/linux/icmpv6.h b/include/uapi/linux/icmpv6.h
> index ecaece3af38d..4eaab89e2856 100644
> --- a/include/uapi/linux/icmpv6.h
> +++ b/include/uapi/linux/icmpv6.h
> @@ -112,6 +112,7 @@ struct icmp6hdr {
>  #define ICMPV6_MOBILE_PREFIX_ADV 147
>  
>  #define ICMPV6_MRDISC_ADV 151
> +#define ICMPV6_MRDISC_SOL 152
>  
>  #define ICMPV6_MSG_MAX 255
>  
> diff --git a/net/netfilter/nf_conntrack_proto_icmpv6.c b/net/netfilter/nf_conntrack_proto_icmpv6.c
> index 1020d67600a9..327b8059025d 100644
> --- a/net/netfilter/nf_conntrack_proto_icmpv6.c
> +++ b/net/netfilter/nf_conntrack_proto_icmpv6.c
> @@ -62,7 +62,9 @@ static const u_int8_t noct_valid_new[] = {
>  [NDISC_ROUTER_ADVERTISEMENT - 130] = 1,
>  [NDISC_NEIGHBOUR_SOLICITATION - 130] = 1,
>  [NDISC_NEIGHBOUR_ADVERTISEMENT - 130] = 1,
> - [ICMPV6_MLD2_REPORT - 130] = 1
> + [ICMPV6_MLD2_REPORT - 130] = 1,
> + [ICMPV6_MRDISC_ADV - 130] = 1,
> + [ICMPV6_MRDISC_SOL - 130] = 1
>  };
>  
>  bool nf_conntrack_invert_icmpv6_tuple(struct nf_conntrack_tuple *tuple,
> --
> 2.43.0
>
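Review bot: the icmpv6.h hunk adds only the Solicitation type (`ICMPV6_MRDISC_SOL 152`) next to the existing `ICMPV6_MRDISC_ADV 151`, but RFC 4286 defines a third MRD message, Multicast Router Termination (type 153), which is likewise sent to a fixed multicast group; since the commit message's argument ("MRD always uses predefined multicast destinations") applies to it as well, either add the matching constant and table entry so Termination does not remain INVALID, or state in the commit message why it is left out. As this is a UAPI header, the new name becomes visible ABI once merged, so it is worth a sentence in the commit message too.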
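Review bot: in the nf_conntrack_proto_icmpv6.c hunk, the designated-initializer array `noct_valid_new[]` silently grows from the highest index `ICMPV6_MLD2_REPORT - 130` (13, so 14 entries) to `ICMPV6_MRDISC_SOL - 130` (22, so 23 entries), with types 144-150 zero-filled; that is the intended behaviour, but the lookup that consults this table should be confirmed to bound its index by `sizeof(noct_valid_new)` rather than a fixed count, otherwise the new entries are never reached. Style point: the churn on the `[ICMPV6_MLD2_REPORT - 130] = 1` line comes from the missing trailing comma; leaving a trailing comma after `[ICMPV6_MRDISC_SOL - 130] = 1,` would keep the next addition (e.g. a Termination entry) to a one-line change.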
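To make the ct-state change described in the quoted commit message concrete, here is an added user-space model of how the ICMPv6 conntrack helper classifies messages with and without the patch; this is example code written for this reply, not the kernel's nf_conntrack_proto_icmpv6.c. It assumes (and labels in comments) that the "no conntrack" table entries above the visible hunk are the MLD and Neighbor Discovery types, that a new ICMPv6 conntrack entry is only opened for Echo Request (128) and Node Information Query (139), and that error messages (type < 128) are not simulated; the constant `ICMPV6_MRDISC_TERM` (153) comes from RFC 4286, not from the patch, and is included to show that Termination messages would stay INVALID.

```c
/* Added example: user-space model of ICMPv6 conntrack classification,
 * before and after the MRD patch. Not kernel code; see assumptions below. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ICMPv6 message types (IANA numbers, named as in include/uapi/linux/icmpv6.h). */
#define ICMPV6_ECHO_REQUEST            128
#define ICMPV6_MGM_QUERY               130
#define ICMPV6_MGM_REPORT              131
#define ICMPV6_MGM_REDUCTION           132
#define NDISC_ROUTER_SOLICITATION      133
#define NDISC_ROUTER_ADVERTISEMENT     134
#define NDISC_NEIGHBOUR_SOLICITATION   135
#define NDISC_NEIGHBOUR_ADVERTISEMENT  136
#define ICMPV6_NI_QUERY                139
#define ICMPV6_MLD2_REPORT             143
#define ICMPV6_MRDISC_ADV              151
#define ICMPV6_MRDISC_SOL              152
#define ICMPV6_MRDISC_TERM             153  /* RFC 4286 Termination; not touched by the patch */

enum ct_verdict { CT_INVALID, CT_UNTRACKED, CT_TRACKED_NEW, CT_TRACKED_ERROR };

/* "No conntrack" table before the patch, indexed by (type - 130).
 * ASSUMPTION: the entries above the hunk shown in the patch are the MLD/ND types. */
static const uint8_t noct_before[] = {
	[ICMPV6_MGM_QUERY - 130] = 1,
	[ICMPV6_MGM_REPORT - 130] = 1,
	[ICMPV6_MGM_REDUCTION - 130] = 1,
	[NDISC_ROUTER_SOLICITATION - 130] = 1,
	[NDISC_ROUTER_ADVERTISEMENT - 130] = 1,
	[NDISC_NEIGHBOUR_SOLICITATION - 130] = 1,
	[NDISC_NEIGHBOUR_ADVERTISEMENT - 130] = 1,
	[ICMPV6_MLD2_REPORT - 130] = 1
};

/* The same table with the two MRD entries the patch adds. */
static const uint8_t noct_after[] = {
	[ICMPV6_MGM_QUERY - 130] = 1,
	[ICMPV6_MGM_REPORT - 130] = 1,
	[ICMPV6_MGM_REDUCTION - 130] = 1,
	[NDISC_ROUTER_SOLICITATION - 130] = 1,
	[NDISC_ROUTER_ADVERTISEMENT - 130] = 1,
	[NDISC_NEIGHBOUR_SOLICITATION - 130] = 1,
	[NDISC_NEIGHBOUR_ADVERTISEMENT - 130] = 1,
	[ICMPV6_MLD2_REPORT - 130] = 1,
	[ICMPV6_MRDISC_ADV - 130] = 1,
	[ICMPV6_MRDISC_SOL - 130] = 1
};

/* Table size is set by the highest designated index: 14 before, 23 after. */
size_t noct_table_len(bool patched)
{
	return patched ? sizeof(noct_after) : sizeof(noct_before);
}

static enum ct_verdict classify(uint8_t type, const uint8_t *noct, size_t noct_len)
{
	/* ASSUMPTION: error messages (< 128) are matched against the embedded
	 * packet's tuple in the kernel; this model does not simulate that. */
	if (type < 128)
		return CT_TRACKED_ERROR;

	/* Informational messages listed in the table are marked UNTRACKED and
	 * accepted. The bounds check is what makes the growing table safe. */
	int idx = (int)type - 130;
	if (idx >= 0 && (size_t)idx < noct_len && noct[idx])
		return CT_UNTRACKED;

	/* ASSUMPTION: only echo request and node-information query may open a
	 * new conntrack entry; every other informational type becomes INVALID. */
	if (type == ICMPV6_ECHO_REQUEST || type == ICMPV6_NI_QUERY)
		return CT_TRACKED_NEW;
	return CT_INVALID;
}

enum ct_verdict classify_icmpv6(uint8_t type, bool patched)
{
	return patched ? classify(type, noct_after, sizeof(noct_after))
	               : classify(type, noct_before, sizeof(noct_before));
}

/* Would a "-m conntrack --ctstate INVALID -j DROP" rule at the top of
 * FORWARD (the Proxmox default from the commit message) drop this type? */
bool dropped_by_invalid_rule(uint8_t type, bool patched)
{
	return classify_icmpv6(type, patched) == CT_INVALID;
}

static const char *verdict_name(enum ct_verdict v)
{
	switch (v) {
	case CT_INVALID:       return "INVALID";
	case CT_UNTRACKED:     return "UNTRACKED";
	case CT_TRACKED_NEW:   return "NEW";
	default:               return "ERROR-TRACKED";
	}
}

int main(void)
{
	/* Constructed sample of types: an error, echo, ND, MLDv2, an unlisted type, MRD. */
	const uint8_t samples[] = { 1, 128, 135, 143, 147, 151, 152, 153 };
	printf("%-5s %-14s %-14s\n", "type", "before", "after");
	for (size_t i = 0; i < sizeof samples; i++)
		printf("%-5u %-14s %-14s\n", samples[i],
		       verdict_name(classify_icmpv6(samples[i], false)),
		       verdict_name(classify_icmpv6(samples[i], true)));
	return 0;
}
```

Running it shows types 151 and 152 moving from INVALID to UNTRACKED, while 153 (Termination) stays INVALID in both tables and the unlisted types 144-150 remain INVALID because the zero-filled gap in the larger table does not match. UNTRACKED traffic still needs an explicit accept rule under a default-drop policy, exactly as the reply above notes.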