+++ This bug was initially created as a clone of Bug #656315 +++
Description of problem:
Problem 1: Default Firewall blocking DHCPv6
The default ip6tables configuration was written to replicate the behavior of the default iptables policy. This is a good thing. Unfortunately, the default ip6tables policy blocks DHCPv6 traffic, breaking DHCPv6 on the system. This is because conntrack has no way to track DHCPv6, which uses multicast, so DHCPv6 traffic is not caught by allowing ESTABLISHED,RELATED connections. The default firewall must be modified to allow DHCPv6 traffic by default. This means the addition of the following rule:
-A INPUT -p udp --dport 546 -j ACCEPT
This report also mentions this: #552099
The rule can be more strict:
-A INPUT -m state --state NEW -m udp -p udp --dport 546 --sport 547 -s fe80::/10 -d fe80::/10 -j ACCEPT
After several discussions with Thomas Graf and Thomas Woerner, the final solution will now be mainly handled via a new kernel module that "does the right thing"(tm). So the only changes we need now at the moment are the kernel module and support in anaconda initially.
Moving this bug to 6.2 to cover how we handle this properly in s-c-f then (aka, lokkit support and new service).
Thanks & regards, Phil
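The conntrack behaviour described in Problem 1, and the difference between the two proposed rules, as an added example that is not part of the original report or of any project's code. It is a simplified model: the addresses are constructed, the function names are hypothetical, and only the ESTABLISHED check and the proposed DHCPv6 rule of the default policy are modelled.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")

ALL_DHCP_SERVERS = "ff02::1:2"  # All_DHCP_Relay_Agents_and_Servers multicast group
LINK_LOCAL = ipaddress.ip_network("fe80::/10")

def conntrack_state(outgoing, incoming):
    """Simplified conntrack: an incoming packet is ESTABLISHED only if it is
    the exact mirror of a tuple already seen leaving the host."""
    expected = {Packet(o.dst, o.dport, o.src, o.sport) for o in outgoing}
    return "ESTABLISHED" if incoming in expected else "NEW"

def loose_rule(pkt, state):
    # -A INPUT -p udp --dport 546 -j ACCEPT
    return pkt.dport == 546

def strict_rule(pkt, state):
    # -A INPUT -m state --state NEW -m udp -p udp --dport 546 --sport 547
    #          -s fe80::/10 -d fe80::/10 -j ACCEPT
    return (state == "NEW" and pkt.dport == 546 and pkt.sport == 547
            and ipaddress.ip_address(pkt.src) in LINK_LOCAL
            and ipaddress.ip_address(pkt.dst) in LINK_LOCAL)

def verdict(outgoing, incoming, extra_rule=None):
    """Accept ESTABLISHED traffic, then try the optional DHCPv6 rule, then drop."""
    state = conntrack_state(outgoing, incoming)
    if state == "ESTABLISHED":
        return "ACCEPT"
    if extra_rule and extra_rule(incoming, state):
        return "ACCEPT"
    return "DROP"

# Constructed sample traffic (all addresses are made up for illustration).
SOLICIT = Packet("fe80::aa", 546, ALL_DHCP_SERVERS, 547)  # client -> multicast group
REPLY = Packet("fe80::1", 547, "fe80::aa", 546)           # server unicast reply
UNRELATED = Packet("2001:db8::66", 40000, "fe80::aa", 546)  # not a DHCPv6 server reply

if __name__ == "__main__":
    # The reply comes from the server's own address, not from ff02::1:2,
    # so it does not mirror the outgoing tuple and is classified NEW.
    print("reply state:", conntrack_state([SOLICIT], REPLY))
    for name, rule in (("no rule", None), ("loose", loose_rule), ("strict", strict_rule)):
        print(name, "| reply:", verdict([SOLICIT], REPLY, rule),
              "| unrelated:", verdict([SOLICIT], UNRELATED, rule))
```

Both rules let the server reply through, but only the stricter one also drops the datagram that merely targets port 546.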