Bug 1065565

Summary: Unable to permit OSPF for IPv6
Product: [Fedora] Fedora Reporter: Pete Zaitcev <zaitcev>
Component: firewalld Assignee: Thomas Woerner <twoerner>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 20 CC: jpopelka, twoerner
Hardware: noarch   
OS: Linux   
Fixed In Version: firewalld-0.3.13-1.fc20 Doc Type: Bug Fix
Last Closed: 2015-01-06 06:13:00 UTC Type: Bug

Description Pete Zaitcev 2014-02-14 23:51:56 UTC
Description of problem:

After adding a service file for OSPF, IP works, but IPv6 prints
error "ip6tables v1.4.19.1: unknown header `89' specified".

Version-Release number of selected component (if applicable):

firewalld-0.3.9.3-1.fc20.noarch

How reproducible:

synchronous

Steps to Reproduce:
1. Create a service file:
cat <<EOF >/etc/firewall/services/ospf.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>OSPF</short>
  <description>Link-state routing protocol</description>
  <port protocol="ospf" port=""/>
  <!-- <destination ipv6="::/0"/> -->
  <module name=""/>
</service>
EOF
This is a universal file that enables both OSPF and OSPF v6.

2. firewall-cmd --reload
3. firewall-cmd --add-service=ospf

Actual results:

[root@simbelmyne quagga]# firewall-cmd --add-service=ospf
Error: COMMAND_FAILED: '/sbin/ip6tables -A IN_public_allow -t filter -m ipv6header --header ospf -m conntrack --ctstate NEW -j ACCEPT' failed: ip6tables v1.4.19.1: unknown header `89' specified
Try `ip6tables -h' or 'ip6tables --help' for more information.

Expected results:

success

Additional info:

It's some kind of difference between v4 and v6; the v4 works fine.

A workaround currently used:

firewall-cmd --direct --add-rule ipv6 filter INPUT 1 -p ospf -j ACCEPT

Comment 1 Jiri Popelka 2014-12-03 18:00:53 UTC
Thomas, let me know what you think.

https://git.fedorahosted.org/cgit/firewalld.git/commit/?id=5e0b34d6492109e5039cb367a97a1a4564a1c545

Comment 2 Pete Zaitcev 2014-12-04 03:03:55 UTC
The proposed patch works for me. I applied it by hand to
firewalld-0.3.12-1.fc20.noarch and firewalld-0.3.12-1.fc21.noarch.

Comment 3 Fedora Update System 2014-12-04 18:45:00 UTC
firewalld-0.3.13-1.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/firewalld-0.3.13-1.fc21

Comment 4 Fedora Update System 2014-12-04 18:45:34 UTC
firewalld-0.3.13-1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/firewalld-0.3.13-1.fc20

Comment 5 Fedora Update System 2014-12-05 00:48:06 UTC
Package firewalld-0.3.13-1.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing firewalld-0.3.13-1.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-16322/firewalld-0.3.13-1.fc21
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2015-01-06 06:13:00 UTC
firewalld-0.3.13-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2015-01-06 06:15:46 UTC
firewalld-0.3.13-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.