Bug 144832
Summary: | IPv6 netfilter: bug in esp and icmp with option header match | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Peter Bieringer <pb> |
Component: | kernel | Assignee: | Dave Jones <davej> |
Status: | CLOSED ERRATA | QA Contact: | Brian Brock <bbrock> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 4 | CC: | pfrields, wtogami |
Hardware: | All | ||
OS: | Linux | ||
Doc Type: | Bug Fix | ||
Last Closed: | 2005-10-03 23:04:23 UTC | Type: | --- |
Description
Peter Bieringer
2005-01-11 20:23:08 UTC
An update has been released for Fedora Core 3 (kernel-2.6.12-1.1372_FC3) which may contain a fix for your problem. Please update to this new kernel, and report whether or not it fixes your problem.

If you have updated to Fedora Core 4 since this bug was opened, and the problem still occurs with the latest updates for that release, please change the version field of this bug to 'fc4'.

Thank you.

At least the problem with the option header still exists:

```
Aug 13 16:34:59 host kernel: FW6-default-DROP-intOUT:IN= OUT=eth0 SRC=fe80:0000:0000:0000:0280:c8ff:feb9:cef9 DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=96 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=143 CODE=0
```

Rule still doesn't match:

```
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot   opt in  out  source     destination
    0     0 ACCEPT  icmpv6     *   *    fe80::/10  ff02::16/128  ipv6-icmp type 143 HL match HL == 1
    0     0 ACCEPT  icmpv6     *   *    ::/128     ff02::16/128  ipv6-icmp type 143 HL match HL == 1
    6   400 ACCEPT  icmpv6     *   *    ::/0       ::/0
```

Kernel: 2.6.12-1.1398_FC4

Note that while the kernel log no longer shows "OPT ( )", a Hop-By-Hop option is still in the packet:

```
Frame 1 (110 bytes on wire, 110 bytes captured)
    Arrival Time: Aug 13, 2005 16:43:19.386977000
    Time delta from previous packet: 0.000000000 seconds
    Time since reference or first frame: 0.000000000 seconds
    Frame Number: 1
    Packet Length: 110 bytes
    Capture Length: 110 bytes
    Protocols in frame: eth:ipv6:icmpv6
Ethernet II, Src: D-Link_b9:ce:f9 (00:80:c8:b9:ce:f9), Dst: IPv6-Neighbor-Discovery_00:00:00:16 (33:33:00:00:00:16)
    Destination: IPv6-Neighbor-Discovery_00:00:00:16 (33:33:00:00:00:16)
    Source: D-Link_b9:ce:f9 (00:80:c8:b9:ce:f9)
    Type: IPv6 (0x86dd)
Internet Protocol Version 6
    Version: 6
    Traffic class: 0x00
    Flowlabel: 0x00000
    Payload length: 56
    Next header: IPv6 hop-by-hop option (0x00)
    Hop limit: 1
    Source address: fe80::280:c8ff:feb9:cef9 (fe80::280:c8ff:feb9:cef9)
    Destination address: ff02::16 (ff02::16)
Hop-by-hop Option Header
    Next header: ICMPv6 (0x3a)
    Length: 0 (8 bytes)
    Router alert: MLD (4 bytes)
    PadN: 2 bytes
Internet Control Message Protocol v6
    Type: 143 (Multicast Listener Report Message v2)
    Code: 0 (Should always be zero)
    Checksum: 0xd3b5 [correct]
    Changed to exclude: ff05::1:3 (ff05::1:3)
        Mode: Changed to exclude
        Aux data len: 0
        Multicast Address: ff05::1:3
    Changed to exclude: ff02::1:2 (ff02::1:2)
        Mode: Changed to exclude
        Aux data len: 0
        Multicast Address: ff02::1:2
```

Mass update to all FC4 bugs:

An update has been released (2.6.13-1.1526_FC4) which rebases to a new upstream kernel (2.6.13.2). As there were ~3500 changes upstream between this and the previous kernel, it's possible your bug has been fixed already. Please retest with this update, and update this bug if necessary.

Thanks.

I can confirm that match works now (btw: packets are generated by dhcp6s):

```
    2   192 ACCEPT  icmpv6     *   *    fe80::/10  ff02::16/128  ipv6-icmp type 143 HL match HL == 1
```
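The packet layout from the dissection in this thread, as an added example that is not part of the bug report and is not netfilter code: the fixed header's Next Header field is 0 (Hop-by-Hop), so the ICMPv6 type 143 that the rule tests is only reachable after skipping the 8-byte option header. The function names are hypothetical and the byte array is constructed from the dissected field values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed from the dissection above: IPv6 header, Hop-by-Hop header
 * (Router Alert + PadN), then the MLDv2 report (ICMPv6 type 143). */
static const uint8_t pkt[96] = {
    0x60,0,0,0, 0x00,0x38, 0x00, 0x01,  /* ver/tc/flow, plen=56, nh=0, hlim=1 */
    0xfe,0x80,0,0,0,0,0,0, 0x02,0x80,0xc8,0xff,0xfe,0xb9,0xce,0xf9, /* src */
    0xff,0x02,0,0,0,0,0,0, 0,0,0,0,0,0,0,0x16,                      /* dst */
    0x3a,0x00, 0x05,0x02,0x00,0x00, 0x01,0x00, /* HbH: nh=58, len=0, RA, PadN */
    0x8f,0x00,0xd3,0xb5, 0,0,0,0x02,           /* ICMPv6 type 143, 2 records */
    0x04,0,0,0, 0xff,0x05,0,0,0,0,0,0, 0,0,0,0,0,0x01,0,0x03, /* ff05::1:3 */
    0x04,0,0,0, 0xff,0x02,0,0,0,0,0,0, 0,0,0,0,0,0x01,0,0x02, /* ff02::1:2 */
};

/* Naive view: upper-layer protocol read from the fixed header only. */
static int naive_proto(const uint8_t *p, size_t len) { return len >= 40 ? p[6] : -1; }

/* Skip Hop-by-Hop (0), Routing (43) and Destination Options (60) headers,
 * which share the (len + 1) * 8 length encoding. Fragment and AH are not handled. */
static int walk_proto(const uint8_t *p, size_t len, size_t *off)
{
    if (len < 40) return -1;
    int nh = p[6];
    size_t o = 40;
    while (nh == 0 || nh == 43 || nh == 60) {
        if (len - o < 8) return -1;                /* truncated ext header */
        size_t hlen = ((size_t)p[o + 1] + 1) * 8;
        if (hlen > len - o) return -1;             /* length runs past buffer */
        nh = p[o];
        o += hlen;
    }
    *off = o;
    return nh;
}

/* ICMPv6 type of the packet, or -1 if the upper layer is not ICMPv6 (58). */
static int icmp6_type(const uint8_t *p, size_t len)
{
    size_t off;
    if (walk_proto(p, len, &off) != 58 || off >= len) return -1;
    return p[off];
}

int main(void)
{
    printf("fixed-header nh=%d, icmpv6 type=%d\n",
           naive_proto(pkt, sizeof pkt), icmp6_type(pkt, sizeof pkt));
    return 0;
}
```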