Need to discard IPv6 martian packets #107

ydahhrk opened this Issue Sep 8, 2014 · 2 comments



ydahhrk commented Sep 8, 2014

For a long time, we've had a TODO we've been forgetting. That is because it's written away in the Basic Runs tutorial, not here.

Basically, the RFC wants us to always discard martian packets.

We currently avoid them by asking users to issue the following command: sysctl -w net.ipv4.conf.all.log_martians=1. From the name of that system control, one might conclude it only applies to IPv4 martian packets.

Not sure why I can't find an IPv6 equivalent. Perhaps they are always discarded, regardless of configuration. We need to make sure and update Jool or the documentation accordingly.

@dhfelix dhfelix was assigned by ydahhrk Sep 8, 2014
@ydahhrk ydahhrk added this to the 3.2.1 milestone Sep 8, 2014
ydahhrk commented Oct 8, 2014


Logging martians does not actually discard them; we were oddly misinformed.

In practice, getting rid of martian packets is a firewall concern, which pretty much renders this issue a duplicate of #41.

As such, no code was added, but we're removing the log_martians sysctl from the manual.

@ydahhrk ydahhrk added a commit that referenced this issue Oct 8, 2014
@ydahhrk ydahhrk Merging version 3.2.1 into master, hereby making the changes official.
Version 3.2.1 is 3.2.0 with issues #57, #106, #108 and #109 fixed.
Issue #107 has been marked as duplicate and postponed to 3.3.0.

rting with '#' will be ignored, and an empty message aborts
@ydahhrk ydahhrk closed this Oct 10, 2014
ydahhrk commented Dec 1, 2014

We forgot to remove log_martians from the INSTALL file. Reopening.

@ydahhrk ydahhrk reopened this Dec 1, 2014
@ydahhrk ydahhrk assigned ydahhrk and unassigned dhfelix Dec 1, 2014
@ydahhrk ydahhrk modified the milestone: 3.3.0, 3.2.1 Dec 1, 2014
@ydahhrk ydahhrk added a commit that referenced this issue Dec 11, 2014
@ydahhrk ydahhrk Moving Jool from Prerouting to Local In, Local Out and Forwarding.
This is necessary so NAT64 happens after iptables does filtering.
It's also needed so Jool catches local traffic, which is needed by local CLATs.
As an added bonus, it invalidates issue #90. Woot!

Progress so far, summary:
- Issue #33: Done.
- Issue #41: Done.
- Issue #107: Done.
- Issue #111: dhfelix is done, but haven't even started to review.
- Issue #116: EAM done, moved from prerouting done, dummy interface done. Missing (off the top of my head):
	- Adapting the global packet processing pipeline for stateless mode.
	- Configuration options.
	- Review RFC 6145 and updaters.
- Issue #120: Done.
- Issue #121: Not done.

Everything needs testing. There are known bugs with fragmentation.
@ydahhrk ydahhrk closed this Mar 9, 2015