Bug 1575431
Summary: | IPv6 Neighbor Solicitation fails. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Jan Hugo Prins <jprins> |
Component: | firewalld | Assignee: | Eric Garver <egarver> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | high | Docs Contact: | |
Priority: | unspecified | ||
Version: | 28 | CC: | alexl, anthony, bgalvani, dcbw, egarver, fgiudici, john.j5live, jpopelka, jprins, lkundrak, mail, mclasen, norbert.jurkeit, pbrobinson, rhughes, rstrode, sandmann, shigorin, twoerner, vstinner, yk+bug+rh, zaitcev |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | firewalld-0.5.3-2.fc28 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2018-07-06 16:44:17 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Jan Hugo Prins
2018-05-06 22:17:22 UTC
On my home network: 00:44:36.891136 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) _gateway > ff02::1:ffdf:628b: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has capetown.lan.betterbe.com source link-address option (1), length 8 (1): 34:31:c4:8a:cf:0e 00:44:37.881270 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) _gateway > ff02::1:ffdf:628b: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has capetown.lan.betterbe.com source link-address option (1), length 8 (1): 34:31:c4:8a:cf:0e 00:44:38.881509 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) _gateway > ff02::1:ffdf:628b: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has capetown.lan.betterbe.com source link-address option (1), length 8 (1): 34:31:c4:8a:cf:0e 00:44:40.952331 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) _gateway > ff02::1:ffdf:628b: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has capetown.lan.betterbe.com source link-address option (1), length 8 (1): 34:31:c4:8a:cf:0e 00:44:42.892108 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) _gateway > ff02::1:ffdf:628b: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has capetown.lan.betterbe.com source link-address option (1), length 8 (1): 34:31:c4:8a:cf:0e 00:44:44.958512 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) _gateway > ff02::1:ffdf:628b: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has capetown.lan.betterbe.com source link-address option (1), length 8 (1): 34:31:c4:8a:cf:0e 00:44:45.969903 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) _gateway > ff02::1:ffdf:628b: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has capetown.lan.betterbe.com source link-address option (1), length 8 (1): 34:31:c4:8a:cf:0e 00:44:46.993884 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) _gateway > ff02::1:ffdf:628b: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has capetown.lan.betterbe.com source link-address option (1), length 8 (1): 34:31:c4:8a:cf:0e 00:44:51.094309 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) _gateway > ff02::1:ffdf:628b: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has capetown.lan.betterbe.com source link-address option (1), length 8 (1): 34:31:c4:8a:cf:0e 00:44:52.114081 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) _gateway > ff02::1:ffdf:628b: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has capetown.lan.betterbe.com source link-address option (1), length 8 (1): 34:31:c4:8a:cf:0e 00:44:53.138773 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) _gateway > ff02::1:ffdf:628b: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has capetown.lan.betterbe.com source link-address option (1), length 8 (1): 34:31:c4:8a:cf:0e 00:45:09.829049 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) _gateway > ff02::1:ffdf:628b: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has capetown.lan.betterbe.com source link-address option (1), length 8 (1): 34:31:c4:8a:cf:0e 00:45:17.704142 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) capetown.lan.betterbe.com > _gateway: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has _gateway source link-address option (1), length 8 (1): 9c:b6:d0:df:62:8b 00:45:17.709403 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) _gateway > capetown.lan.betterbe.com: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is _gateway, Flags [router, solicited] 00:45:36.150979 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) _gateway > ff02::1:ffdf:628b: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has capetown.lan.betterbe.com source link-address option (1), length 8 (1): 34:31:c4:8a:cf:0e 00:45:37.177994 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) _gateway > ff02::1:ffdf:628b: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has capetown.lan.betterbe.com source link-address option (1), length 8 (1): 34:31:c4:8a:cf:0e 00:45:38.207561 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) _gateway > ff02::1:ffdf:628b: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has capetown.lan.betterbe.com source link-address option (1), length 8 (1): 34:31:c4:8a:cf:0e [root@capetown ~]# ip -6 addr show 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000 inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000 inet6 2001:980:ad8f:1:9eb6:d0ff:fedf:628b/64 scope global dynamic noprefixroute valid_lft 6494sec preferred_lft 3144sec inet6 fe80::9eb6:d0ff:fedf:628b/64 scope link noprefixroute valid_lft forever preferred_lft forever 3: vmnet2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 1000 inet6 fe80::250:56ff:fec0:2/64 scope link valid_lft forever preferred_lft forever 4: vmnet3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 1000 inet6 fe80::250:56ff:fec0:3/64 scope link valid_lft forever preferred_lft forever 5: vmnet4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 1000 inet6 fe80::250:56ff:fec0:4/64 scope link valid_lft forever preferred_lft forever 6: vmnet5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 1000 inet6 fe80::250:56ff:fec0:5/64 scope link valid_lft forever preferred_lft forever 7: vmnet6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 1000 inet6 fe80::250:56ff:fec0:6/64 scope link valid_lft forever preferred_lft forever 8: vmnet7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 1000 inet6 fe80::250:56ff:fec0:7/64 scope link valid_lft forever preferred_lft forever 9: vmnet8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 1000 inet6 fe80::250:56ff:fec0:8/64 scope link valid_lft forever preferred_lft forever [root@capetown ~]# ip -6 ro 2001:980:ad8f:1::/64 dev wlp2s0 proto ra metric 600 pref medium 2001:980:ad8f::/48 via fe80::3631:c4ff:fe8a:cf0e dev wlp2s0 proto ra metric 600 pref medium fe80::/64 dev vmnet2 proto kernel metric 256 pref medium fe80::/64 dev vmnet3 proto kernel metric 256 pref medium fe80::/64 dev vmnet4 proto kernel metric 256 pref medium fe80::/64 dev vmnet5 proto kernel metric 256 pref medium fe80::/64 dev vmnet6 proto kernel metric 256 pref medium fe80::/64 dev vmnet7 proto kernel metric 256 pref medium fe80::/64 dev vmnet8 proto kernel metric 256 pref medium fe80::/64 dev wlp2s0 proto kernel metric 256 pref medium fe80::/64 dev wlp2s0 proto kernel metric 600 pref medium default via fe80::3631:c4ff:fe8a:cf0e dev wlp2s0 proto ra metric 20600 pref medium [root@capetown ~]# During tests I flushed all firewall rules to make sure the firewall was not interfering with the bug hunting. [root@capetown ~]# ip6tables --list -v -n Chain INPUT (policy ACCEPT 15488 packets, 4734K bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 22638 packets, 2097K bytes) pkts bytes target prot opt in out source destination It looks like the issue is only happening on my wireless interface as far as I can see now. In the office I have a fixed connection (Cat5e, 802.1x) and this connection doesn't give me any issues so far. Yesterday evening I received a lot of updates. In this updates I had: NetworkManager.x86_64 1:1.10.6-3.fc28 NetworkManager-adsl.x86_64 1:1.10.6-3.fc28 NetworkManager-bluetooth.x86_64 1:1.10.6-3.fc28 NetworkManager-config-connectivity-fedora.noarch 1:1.10.6-3.fc28 NetworkManager-glib.x86_64 1:1.10.6-3.fc28 NetworkManager-libnm.x86_64 1:1.10.6-3.fc28 NetworkManager-ppp.x86_64 1:1.10.6-3.fc28 NetworkManager-team.x86_64 1:1.10.6-3.fc28 NetworkManager-wifi.x86_64 1:1.10.6-3.fc28 NetworkManager-wwan.x86_64 1:1.10.6-3.fc28 kernel.x86_64 4.16.7-300.fc28 kernel-core.x86_64 4.16.7-300.fc28 kernel-devel.x86_64 4.16.7-300.fc28 kernel-modules.x86_64 4.16.7-300.fc28 kernel-modules-extra.x86_64 4.16.7-300.fc28 It looks like this update set fixed the problem for my Wifi connections, for my OpenVPN connections I still have the same problem. >
> It looks like this update set fixed the problem for my Wifi connections, for
> my OpenVPN connections I still have the same problem.
Scrap this. The updates didn't fix the issue.
I started having the same neighbouring issues after an kernel update to 4.16 on a CentOS Docker host. Downgrading to 4.15.3-1.el7.elrepo.x86_64 fixed the issue. Seems like we are not the only ones: https://serverfault.com/questions/902161/linux-host-randomly-stops-answering-ipv6-neighbor-solicitation-requests My money is on the kernel. So I can confirm that it's the IPv6 rp_filter from firewalld that is blocking the answers to the IPv6 neighbour solicitations; setting IPv6_rpfilter=no in /etc/firewalld/firewalld.conf on latest kernel (4.16.9-1.el7.elrepo.x86_64) solves the issue. I just tested this on my OpenVPN and my wireless connections and it indeed seems to fix the issue. Makes me wonder what is going wrong here. rpfilter should not filter these packets. I'm reassigning this bug to firewalld for investigation. In the meantime, can you please enable again IPv6 rp_filter, reproduce the problem and paste the output of: ip6tables -v -t raw -L ? [root@capetown firewalld]# ip6tables --list -v -t raw Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT ipv6-icmp any any anywhere anywhere ipv6-icmp router-advertisement 0 0 DROP all any any anywhere anywhere rpfilter invert 0 0 PREROUTING_direct all any any anywhere anywhere 0 0 PREROUTING_ZONES_SOURCE all any any anywhere anywhere 0 0 PREROUTING_ZONES all any any anywhere anywhere Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 OUTPUT_direct all any any anywhere anywhere Chain OUTPUT_direct (1 references) pkts bytes target prot opt in out source destination Chain PREROUTING_ZONES (1 references) pkts bytes target prot opt in out source destination 0 0 PRE_FedoraWorkstation all wlp2s0 any anywhere anywhere [goto] 0 0 PRE_FedoraWorkstation all + any anywhere anywhere [goto] Chain PREROUTING_ZONES_SOURCE (1 references) pkts bytes target prot opt in out source destination Chain PREROUTING_direct (1 references) pkts bytes target prot opt in out source destination Chain PRE_FedoraWorkstation (2 references) pkts bytes target prot opt in out source destination 0 0 PRE_FedoraWorkstation_log all any any anywhere anywhere 0 0 PRE_FedoraWorkstation_deny all any any anywhere anywhere 0 0 PRE_FedoraWorkstation_allow all any any anywhere anywhere Chain PRE_FedoraWorkstation_allow (1 references) pkts bytes target prot opt in out source destination Chain PRE_FedoraWorkstation_deny (1 references) pkts bytes target prot opt in out source destination Chain PRE_FedoraWorkstation_log (1 references) pkts bytes target prot opt in out source destination There is an RFC that specifies what ICMPv6 you should allow in your firewalls to have IPv6 work correctly. https://tools.ietf.org/html/rfc4890 Based on this RFC I always put the following lines in my firewall scripts on my servers etc: ip6tables -N ICMPv6 ip6tables -A ICMPv6 -p ipv6-icmp -m icmp6 --icmpv6-type 133/0 -j ACCEPT ip6tables -A ICMPv6 -p ipv6-icmp -m icmp6 --icmpv6-type 134/0 -j ACCEPT ip6tables -A ICMPv6 -p ipv6-icmp -m icmp6 --icmpv6-type 135/0 -j ACCEPT ip6tables -A ICMPv6 -p ipv6-icmp -m icmp6 --icmpv6-type 136/0 -j ACCEPT ip6tables -A ICMPv6 -p ipv6-icmp -m icmp6 --icmpv6-type 137/0 -j ACCEPT ip6tables -A ICMPv6 -p ipv6-icmp -m icmp6 --icmpv6-type 141/0 -j ACCEPT ip6tables -A ICMPv6 -p ipv6-icmp -m icmp6 --icmpv6-type 142/0 -j ACCEPT ip6tables -A ICMPv6 -p ipv6-icmp -m icmp6 --icmpv6-type 128/0 -j ACCEPT ip6tables -A ICMPv6 -p ipv6-icmp -m icmp6 --icmpv6-type 3/0 -j ACCEPT ip6tables -A ICMPv6 -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT ip6tables -A ICMPv6 -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT ip6tables -A ICMPv6 -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -j ACCEPT ip6tables -A ICMPv6 -p ipv6-icmp -m icmp6 --icmpv6-type 4/2 -j ACCEPT I notice in the firewall rules that there is a general allow all rule for ICMPv6 and in the beginning of the raw tables something to drop very specific things. Maybe it is a good idea to redesign this a little. I had IPv6 issues with my Livebox (DSL box, my router) on my Fedora 28 laptop which uses wifi. I enabled logs in firewall-config: rp_filter dropped ICMPv6 type 135. ip -6 neigh shows me STALE on livebox public IPv6. Setting IPv6_rpfilter=no in /etc/firewalld/firewalld.conf fixed my issue! I'm using uncommon network interfaces: tun0 for corporate VPN, docker0 for Docker, and another one for virtual machines. Maybe the kernel rp_filter is confused by them? Or the issue comes from DST=ff02::1 of dropped ICMPv6 type 135 (Neighbor Solicitation)? My laptop worked well on Fedora 27. When I used a ping to my Livebox using the local link IPv6 (fe80), the Livebox replied and it didn't change anything. But when I used a ping to my Livebox using its public IPv6 (2a01:...), it unblocked all applications which were stuck on establishing IPv6 connections. It seems like the firewall denies input (neighbor solicitation) packets, but allows outcoming ICMPv6 pings and the ping repairs/wakes up the link. Example of a log of a blocked incoming packet: kernel: rpfilter_DROP: IN=wlp4s0 OUT= MAC=33:33:00:00:00:01:b0:b2:8f:9b:a9:f0:86:dd SRC=fe80:0000:0000:0000:b2b2:8fff:fe9b:a9f0 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=72 TC=192 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0 Log comes "journalctl -k -f", I enabled log on DROP in firewall-config. I don't understand why incoming IPv6 packages are filtered: $ sudo ip6tables -v -t raw -L Chain PREROUTING (policy ACCEPT 52 packets, 18211 bytes) pkts bytes target prot opt in out source destination 3 432 ACCEPT ipv6-icmp any any anywhere anywhere ipv6-icmp router-advertisement 13 1000 LOG all any any anywhere anywhere rpfilter invert LOG level warning prefix "rpfilter_DROP: " 13 1000 DROP all any any anywhere anywhere rpfilter invert 52 18211 PREROUTING_direct all any any anywhere anywhere 52 18211 PREROUTING_ZONES_SOURCE all any any anywhere anywhere 52 18211 PREROUTING_ZONES all any any anywhere anywhere (...) 13 packets have been dropped, example of logs: rpfilter_DROP: IN=wlp4s0 OUT= MAC=33:33:00:00:00:01:b0:b2:8f:9b:a9:f0:86:dd SRC=fe80:0000:0000:0000:b2b2:8fff:fe9b:a9f0 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=72 TC=192 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0 The first rule explicitely allows incoming "ipv6-icmp router-advertisement" from anywhere, but my issue comes from ICMPv6 type 135. The workaround for me is to allow explicitly incoming ICMPv6 type 135 in the PREROUTING chain of the raw table: $ sudo ip6tables -t raw -I PREROUTING 2 -p icmpv6 --icmpv6-type=135 -j ACCEPT I forgot to mention that I also have a docker0 interface for Docker, and a tunnel interface for OpenVPN (in container). Pinging the host's public IP also wakes the link up for 36 seconds before it goes mute again. (In reply to Victor Stinner from comment #12) > Setting IPv6_rpfilter=no in > /etc/firewalld/firewalld.conf fixed my issue! I think we might want to change the component for this bug from firewalld to kernel. The erroneous check is implemented in the kernel, right? The firewalld just enables or disables the feature. The bug is not in firewalld, then. Commit cede24d1b21d68d84ac5a36c44f7d37daadcc258 may be the fix (judging by the changelog -- I don't understand how it works). *** Bug 1591867 has been marked as a duplicate of this bug. *** "I think we might want to change the component for this bug from firewalld to kernel. The erroneous check is implemented in the kernel, right?" The bug comes from the PREROUTING table which should allow ICMPv6 type 135: see my comment 14. I can fix the issue by adding a new ACCEPT rule using ip6tables, without touching to the kernel. I think the best solution is to follow the RFC which explains exactly what ICMPv6 messages should be allowed. I think the best solution is to follow the RFC which explains exactly what ICMPv6 messages should be allowed. (In reply to Pete Zaitcev from comment #16) > (In reply to Victor Stinner from comment #12) > > Setting IPv6_rpfilter=no in > > /etc/firewalld/firewalld.conf fixed my issue! > > I think we might want to change the component for this bug from firewalld > to kernel. The erroneous check is implemented in the kernel, right? > The firewalld just enables or disables the feature. The bug is not > in firewalld, then. > > Commit cede24d1b21d68d84ac5a36c44f7d37daadcc258 may be the fix > (judging by the changelog -- I don't understand how it works). Thanks for the pointer - that seems likely. I'll try to verify. 47b7e7f82802 is in 4.16, but the fix (cede24d1b21d) is sitting in net-next. I'm not sure why it went to net-next instead of net for fixes. I didn't check the source, but the kernel-4.17.2-200.fc28.x86_64 solves the issue for me. > I didn't check the source, but the kernel-4.17.2-200.fc28.x86_64 solves the issue for me.
On Fedora 28 with 4.17.2-200.fc28.x86_64, I still have the bug.
I also ran recently into IPv6 issues. Suddenly IPv6 is not reachable anymore without any changes done. When I stop firewalld it works. A very simple test is pinging www.google.de. I noticed that when I start firewalld the ping works and then suddenly blocks. I did a whireshark trace and found that the ping is still sent out but does not receive any replies. [fansari@bat trace]$ ping www.google.de PING www.google.de(ams17s01-in-x03.1e100.net (2a00:1450:400e:80b::2003)) 56 data bytes 64 bytes from ams17s01-in-x03.1e100.net (2a00:1450:400e:80b::2003): icmp_seq=1 ttl=56 time=27.1 ms 64 bytes from ams17s01-in-x03.1e100.net (2a00:1450:400e:80b::2003): icmp_seq=2 ttl=56 time=22.4 ms 64 bytes from ams17s01-in-x03.1e100.net (2a00:1450:400e:80b::2003): icmp_seq=3 ttl=56 time=22.3 ms 64 bytes from ams17s01-in-x03.1e100.net (2a00:1450:400e:80b::2003): icmp_seq=4 ttl=56 time=23.1 ms 64 bytes from ams17s01-in-x03.1e100.net (2a00:1450:400e:80b::2003): icmp_seq=5 ttl=56 time=22.5 ms 64 bytes from ams17s01-in-x03.1e100.net (2a00:1450:400e:80b::2003): icmp_seq=6 ttl=56 time=22.6 ms 64 bytes from ams17s01-in-x03.1e100.net (2a00:1450:400e:80b::2003): icmp_seq=7 ttl=56 time=23.4 ms 64 bytes from ams17s01-in-x03.1e100.net (2a00:1450:400e:80b::2003): icmp_seq=8 ttl=56 time=22.4 ms ^C --- www.google.de ping statistics --- 11 packets transmitted, 8 received, 27% packet loss, time 10065ms rtt min/avg/max/mdev = 22.385/23.266/27.119/1.495 ms Since icmpv6 is not blocked anywhere in my firewall settings this was a complete riddle to me. Today I found that when I disable IVP6_rpfilter IPv6_rpfilter=no the ping is running even if firewalld is started. This is strange. As far as I understood the documentation this setting is for preventing packages to flow into a wrong direction. But in this simple case packages go out to the default gw and replies arrive there. I can also confirm that this only happens when using Wifi. Using Ethernet I could not reproduce this issue. (In reply to Eric Garver from comment #21) > (In reply to Pete Zaitcev from comment #16) > > (In reply to Victor Stinner from comment #12) > > > Setting IPv6_rpfilter=no in > > > /etc/firewalld/firewalld.conf fixed my issue! > > > > I think we might want to change the component for this bug from firewalld > > to kernel. The erroneous check is implemented in the kernel, right? > > The firewalld just enables or disables the feature. The bug is not > > in firewalld, then. > > > > Commit cede24d1b21d68d84ac5a36c44f7d37daadcc258 may be the fix > > (judging by the changelog -- I don't understand how it works). > > Thanks for the pointer - that seems likely. I'll try to verify. > > 47b7e7f82802 is in 4.16, but the fix (cede24d1b21d) is sitting in net-next. > I'm not sure why it went to net-next instead of net for fixes. I have verified 47b7e7f82802 as the cause and cede24d1b21d the fix. It fails on kernel 4.16.16-300.fc28, but works as expected on 4.18.0-rc2+. So it's broken on 4.16.x and 4.17.x kernels. firewalld can probably workaround these broken kernels versions by explicitly allowing Neighbour Solicitation as it does for Router Solicitation. I'll leave this BZ open for that effort. Thanks for all the information everyone. Would it be possible to backport the fix to 4.17? Or is Fedora 28 going to upgraded to 4.18 once 4.18 will be released? In the meanwhile, this bug is a major pain: Firefox blocks randomly, and I have to run mtr or ping explicitly the public IPv6 of my router to unblock Firefox. Or I should add an ip6table rule, like: sudo ip6tables -t raw -I PREROUTING 2 -p icmpv6 --icmpv6-type=135 -j ACCEPT (In reply to Victor Stinner from comment #27) > Would it be possible to backport the fix to 4.17? Or is Fedora 28 going to > upgraded to 4.18 once 4.18 will be released? In the meanwhile, this bug is a Yes F-28 will get 4.18 but it's a good 6 weeks out. Can you try this scratch build (note it won't be signed if you have secure boot it won't work): https://koji.fedoraproject.org/koji/taskinfo?taskID=27997924 I just pushed a workaround upstream. 3d6a50635663 ("IPv6 rpfilter: explicitly allow neighbor solicitation") firewalld-0.5.3-2.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-ca9b42c690 firewalld-0.5.3-2.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-ca9b42c690 firewalld-0.5.3-2.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report. *** Bug 1574297 has been marked as a duplicate of this bug. *** |