Bug 1164605

Summary: Unable to create service that matches OSPF packets
Product: Red Hat Enterprise Linux 7
Reporter: Kyle Brantley <kyle>
Component: firewalld
Assignee: Thomas Woerner <twoerner>
Status: CLOSED ERRATA
QA Contact: Tomas Dolezal <todoleza>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.0
CC: jpopelka, jscotka, pvrabec, todoleza
Target Milestone: rc
Keywords: Patch
Target Release: ---
Hardware: noarch
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The ipv6header match was used to specify protocol matches for IPv6. Consequence: It was not possible to use, for example, the ospf protocol because of this. Fix: A simple protocol match is used instead of ipv6header. Result: All supported protocols of the system (see /etc/protocols) can now be used for protocol matches in services and also in rich rules.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-11-19 12:59:40 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Kyle Brantley 2014-11-17 00:57:35 UTC
Description of problem:
Creating a new service that matches OSPF packets calls ip6tables in a way that results in an error, resulting in no matching rules being inserted into the system.

Version-Release number of selected component (if applicable):
# rpm -qa | egrep 'firewalld|iptables|kernel-3'
kernel-3.10.0-123.9.3.el7.x86_64
iptables-1.4.21-13.el7.x86_64
firewalld-0.3.9-7.el7.noarch


How reproducible:
Always.

Steps to Reproduce:
1. Create a new service for OSPF by defining /etc/firewalld/services/ospf.xml:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>OSPF</short>
  <description>OSPF is a link state based routing protocol.</description>
  <port protocol="ospf" port=""/>
</service>


2. firewall-cmd --reload
3. firewall-cmd --add-service=ospf


Actual results:
# firewall-cmd --add-service=ospf
Error: COMMAND_FAILED: '/sbin/ip6tables -A IN_public_allow -t filter -m ipv6header --header ospf -m conntrack --ctstate NEW -j ACCEPT' failed: ip6tables v1.4.21: unknown header `89' specified
Try `ip6tables -h' or 'ip6tables --help' for more information.


Expected results:
Rules insert into iptables/ip6tables (as appropriate) that match OSPF packets.

Additional info:

Also reported as an issue under F20 as bug 1065565.
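The Doc Text above summarises the cause (the ip6tables ipv6header match was used for protocol matches, and it only understands IPv6 extension headers) and the fix (a plain `-p <protocol>` match resolved against /etc/protocols). The following added example, which is not code from the bug report or from firewalld, makes that difference concrete: it parses the service file from the reproduction steps, resolves the protocol name against a constructed /etc/protocols excerpt, and renders the rule both ways, so the "unknown header `89'" failure and the working post-fix rule can be compared side by side. The function names, the `PROTOCOLS_DB` sample, the `fixed` switch and the simplified rule template are assumptions for this demonstration; the ipv6header names come from ip6tables-extensions(8).

```python
import xml.etree.ElementTree as ET

# Constructed excerpt in /etc/protocols format (name, number, aliases).
# The real file on a RHEL 7 host carries many more entries.
PROTOCOLS_DB = """\
# constructed sample, not a copy of the system file
ip          0   IP
icmp        1   ICMP
tcp         6   TCP
udp        17   UDP
ipv6-icmp  58   IPv6-ICMP
ospf       89   OSPFIGP
sctp      132   SCTP
"""

# Extension-header names understood by the ip6tables ipv6header match
# (ip6tables-extensions(8)). Anything else is rejected with "unknown header".
IPV6HEADER_NAMES = {"hop", "dst", "route", "frag", "auth", "esp", "none", "proto"}

# The service file from the bug report, reproduced for the demo.
OSPF_SERVICE = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>OSPF</short>
  <description>OSPF is a link state based routing protocol.</description>
  <port protocol="ospf" port=""/>
</service>
"""


def parse_protocols(text):
    """Build {name: number} from /etc/protocols-style text, aliases included."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        number = int(fields[1])
        for name in [fields[0]] + fields[2:]:
            table[name.lower()] = number
    return table


def parse_service(xml_text):
    """Return [(protocol, port), ...] for each <port/> entry of a service file."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "service":
        raise ValueError("not a firewalld service definition")
    return [(p.get("protocol", "").lower(), p.get("port", ""))
            for p in root.findall("port")]


def render_rule(protocol, port, ipv6, protocols, fixed=True):
    """Render the filter rule that would be issued for one service entry.

    fixed=False models the pre-fix ip6tables rendering with -m ipv6header,
    which only knows IPv6 extension headers; fixed=True models the post-fix
    rendering with a plain -p <protocol>, resolved against /etc/protocols.
    Raises ValueError in the situations where the real tools error out.
    """
    binary = "ip6tables" if ipv6 else "iptables"
    if port and protocol in ("tcp", "udp", "sctp", "dccp"):
        match = f"-p {protocol} --dport {port}"
    elif ipv6 and not fixed:
        if protocol not in IPV6HEADER_NAMES:
            # ip6tables resolves the name via /etc/protocols and then rejects
            # the number, which is the "unknown header `89'" from the report.
            number = protocols.get(protocol, protocol)
            raise ValueError(f"ipv6header: unknown header `{number}' specified")
        match = f"-m ipv6header --header {protocol}"
    else:
        if protocol not in protocols:
            raise ValueError(f"unknown protocol {protocol!r} (not in /etc/protocols)")
        match = f"-p {protocol}"
    return (f"{binary} -A IN_public_allow -t filter {match} "
            f"-m conntrack --ctstate NEW -j ACCEPT")


def check_service(xml_text, protocols, ipv6=True, fixed=True):
    """Validate a service file; return {'rules': [...], 'errors': [...]}."""
    result = {"rules": [], "errors": []}
    for protocol, port in parse_service(xml_text):
        try:
            result["rules"].append(render_rule(protocol, port, ipv6, protocols, fixed))
        except ValueError as exc:
            result["errors"].append(f"{protocol or '<empty>'}: {exc}")
    return result


if __name__ == "__main__":
    table = parse_protocols(PROTOCOLS_DB)
    for label, fixed in (("before fix", False), ("after fix", True)):
        print(label, check_service(OSPF_SERVICE, table, ipv6=True, fixed=fixed))
```

Running the script prints the pre-fix result (no rules, one error mentioning header 89) followed by the post-fix result (a single `-p ospf` rule and no errors). The same `check_service` call can be pointed at any service XML to catch a protocol name that is absent from /etc/protocols before it reaches firewall-cmd, which is the check a packager would want when shipping a custom service definition.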

Comment 2 Jiri Popelka 2014-11-18 09:17:42 UTC
Workaround:

firewall-cmd --add-rich-rule='rule protocol value="ospf" accept'

Comment 3 Jiri Popelka 2014-12-04 14:27:23 UTC
Upstream commit, works on RHEL7 too (verified):
https://git.fedorahosted.org/cgit/firewalld.git/commit/?id=5e0b34d6492109e5039cb367a97a1a4564a1c545

Comment 7 errata-xmlrpc 2015-11-19 12:59:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2422.html