Bug #338
connmark and ipv6 iptables are a bad combination
| Status: | New | Start date: | 02/11/2012 |
|---|---|---|---|
| Priority: | Urgent | Due date: | |
| Assignee: | | % Done: | 0% |
| Category: | Linux Kernel | Spent time: | 12.00 hours |
| Target version: | Cerowrt-Next | Estimated time: | 30.00 hours |
Description
I have been battling various ipv6 related bugs for a while. For example, I tried
to make openwrt's shaper do ipv6 and stuff like this will hang the interface
on x86 AND cerowrt.
```
# This is my bad boy
ip6tables -t mangle -A qos_Default -p tcp -m length --length :128 -m mark ! --mark 4/0xff -m tcp --tcp-flags ALL SYN -j MARK --set-mark 1/0xff
ip6tables -t mangle -A qos_Default -p tcp -m length --length :128 -m mark ! --mark 4/0xff -m tcp --tcp-flags ALL ACK -j MARK --set-mark 1/0xff
```
History
Updated by Dave Täht over 1 year ago
- File simple_bug added
- Category set to Linux Kernel
- Assignee set to Dave Täht
- Priority changed from Normal to Urgent
- Target version set to 13
- Estimated time set to 30.00
It may not be limited to the negate mark option, either.
I suspect there are more ipv6 related bugs than this lurking in ip6tables.
Updated by Dave Täht over 1 year ago
and, after duplicating this on 3 machines, rebooted them all...
and with the simplified script, they no longer go boom. Have to recreate the complex scenario now.
Updated by Dave Täht over 1 year ago
and then, I managed to get it to happen again. But it's subtle.
I don't know what to point at anymore. ifb? ip6tables? conntrack?
Updated by Dave Täht about 1 year ago
- Target version changed from 13 to Cerowrt-Next