
FS#52093 - [iptables] ip6tables mask with recent module sets /16 mask regardless of defined one

Attached to Project: Arch Linux
Opened by Jysky (darthjysky) - Friday, 09 December 2016, 16:09 GMT
Last edited by Andreas Radke (AndyRTR) - Tuesday, 10 December 2019, 09:43 GMT
Task Type: Bug Report
Category: Packages: Core
Status: Assigned
Assigned To: Ronald van Haren (pressh), Bartłomiej Piotrowski (Barthalion)
Architecture: x86_64
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 0%
Votes: 0
Private: No

Details

Description:
ip6tables mask with the recent module sets a /16 mask regardless of the defined one

Additional info:
* iptables 1.6.0-1

Steps to reproduce:

Set up the ip6tables rules:
ip6tables -A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 7200 --hitcount 3 --rttl --name ssh --mask :: --rsource -j DROP
ip6tables -A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name ssh --mask :: --rsource -j ACCEPT

or

ip6tables -A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 7200 --hitcount 3 --rttl --name ssh --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource -j DROP
ip6tables -A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name ssh --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource -j ACCEPT

or

ip6tables -A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 7200 --hitcount 3 --rttl --name ssh --mask ffff:ffff:ffff:ffff:: --rsource -j DROP
ip6tables -A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name ssh --mask ffff:ffff:ffff:ffff:: --rsource -j ACCEPT

Connect to the host, and /proc/net/xt_recent/ssh will have a line like:
src=2001:2003:0000:0000:0000:0000:0000:0000 ttl: 51 last_seen: 4295463426 oldest_pkt: 1 4295463426

I tried the same ip6tables rules with openSUSE Leap 42.2, which has the iptables-1.4.21-5.4.x86_64 package installed, and on that machine the src in /proc/net/xt_recent/ssh is properly masked.