Bug#540483: openvz: IPv6 netfilter not correctly virtualized

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#540483: openvz: IPv6 netfilter not correctly virtualized
From: Marco d'Itri <md@linux.it>
Date: Sat, 8 Aug 2009 12:40:23 +0200
Message-id: <[🔎] 20090808104023.GA1955@bongo.bofh.it>
Reply-to: Marco d'Itri <md@linux.it>, 540483@bugs.debian.org

Package: linux-2.6
Version: 2.6.26-17lenny1
Severity: normal

This happens when I add -j LOG to the top of the INPUT and FORWARD
chains and ping the VE (2001:4b78:1:0200::1) from an external host:

Aug  8 12:28:06 web01 kernel: [70845.790963] IN=eth0 OUT=venet0 SRC=2001:1418:0001:0700:0000:0000:0000:000a DST=2001:4b78:0001:0200:0000:0000:0000:0001 LEN=104 TC=0 HOPLIMIT=59 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=11237 SEQ=1 

The same packet then *also* traverses the INPUT chain:

Aug  8 12:28:06 web01 kernel: [70845.790963] IN=venet0 OUT= MAC= SRC=2001:1418:0001:0700:0000:0000:0000:000a DST=2001:4b78:0001:0200:0000:0000:0000:0001 LEN=104 TC=0 HOPLIMIT=59 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=11237 SEQ=1 

Looks like the IPv6 packets entering the VE (where I have not configured
ip6tables) are incorrectly processed by the HN instead of the VE chains.

Linux web01 2.6.26-2-openvz-686 #1 SMP Sun Jul 26 23:35:12 UTC 2009 i686 GNU/Linux

-- 
ciao,
Marco

Attachment: signature.asc
Description: Digital signature

Reply to:

Prev by Date: RE: 2.6.30-5~bpo50+1 and missing firmware
Next by Date: Bug#540486: linux-image-powerpc: please enable CONFIG_EFI_PARTITION
Previous by thread: Processed: tagging 537771
Next by thread: Bug#540486: linux-image-powerpc: please enable CONFIG_EFI_PARTITION
Index(es):
- Date
- Thread