ip6tables with raw table(no conntrack) drop fragmented packet

/dev/rob0 rob0 at gmx.co.uk
Sat Oct 1 18:21:28 UTC 2016

On Fri, Sep 30, 2016 at 11:55:18PM -0400, Larry Larson wrote:
> I've followed instructions in this BIND Knowledge base article and 
> installed ip6tables on my DNS server, using raw table with no 
> conntrack for DNS: 
> https://kb.isc.org/article/AA-01183/0/Linux-connection-tracking-and-DNS.html

This is mostly for authoritative servers which must be open to 
queries from anywhere.  Perhaps this is not a real issue, as it 
sounds like you might be setting up a recursive server?  Of course, 
it CAN be a problem for recursive-only servers too; it just depends 
how many users and concurrent queries you need to support.  If your 
userbase can flood your conntrack table, you need this.

> But for IPv6 it drops fragmented packets, for example this query 
> fails once the ip6table is on:
> dig +dnssec  isc.org any  @2001:500:60::30

Can you show us how you found out that it was affecting fragments?
Is this query falling back to TCP?  Do you have a pcap?

> Everything works great for IPv4 with similar rules, can someone 
> help shed some light on what might be wrong:
> # Firewall configuration written by system-config-firewall

A minor issue, the NOTRACK target is deprecated by CT with the 
--notrack option. (That's not the problem, however.)

We can test things with a few TRACE rules.  Let's add rules as 

> *raw
-A PREROUTING -s 2001:500:60::30 -j TRACE
-A PREROUTING -d 2001:500:60::30 -j TRACE
> -A PREROUTING -p udp -m udp --dport 53 -j NOTRACK
> -A PREROUTING -p udp -m udp --sport 53 -j NOTRACK
-A OUTPUT -s 2001:500:60::30 -j TRACE
-A OUTPUT -d 2001:500:60::30 -j TRACE
> -A OUTPUT -p udp -m udp --dport 53 -j NOTRACK
> -A OUTPUT -p udp -m udp --sport 53 -j NOTRACK
> *filter
> -A INPUT -p ipv6-icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> #tcp dns
> -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 53 -j ACCEPT
> -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --sport 53 -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
> -A FORWARD -j REJECT --reject-with icmp6-adm-prohibited

For TRACE rules to work the LOG module must be loaded.  A quick, 
temporary way to do that:
   # ip6tables -A INPUT -i bogus -j LOG
   # ip6tables -D INPUT -i bogus -j LOG
(That adds and then removes a no-op rule using the LOG target.)

Then repeat your test,
> dig +dnssec  isc.org any  @2001:500:60::30
on this machine.

Then show us "ip6tables-save -c" along with all the "TRACE" lines 
from dmesg.  A quick way which should work for that:
   # dmesg | grep TRACE

After the test, you might want to disable those TRACE rules, in case 
you had other business with 2001:500:60::30 -- they can get very 
noisy, very quickly.

Coincidentally, I happen to be working on this very issue, with a 
different approach: shortened TTL for conntrack entries for UDP DNS.
It came up on the Netfilter mailing list recently.  I'll be sure to 
post here when that (a documentation patch) is completed.
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

More information about the bind-users mailing list