Bug 1591867

Summary: firewalld blocks neighbor discovery
Product: [Fedora] Fedora
Reporter: Pete Zaitcev <zaitcev>
Component: firewalld
Assignee: Eric Garver <egarver>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 28
CC: egarver, jpopelka, twoerner
Hardware: Unspecified   
OS: Linux   
Last Closed: 2018-06-15 21:51:57 UTC
Type: Bug

Description Pete Zaitcev 2018-06-15 17:35:26 UTC
Description of problem:

All ssh connections (using IPv6) cycle between hanging for a short time,
working for a few seconds, and hanging again. Stopping firewalld allows traffic.

The problem appeared as soon as the system was updated from Fedora 27.

Version-Release number of selected component (if applicable):

firewalld-0.5.2-2.fc28.noarch
kernel-4.16.14-300.fc28.x86_64

How reproducible:

Unknown. On the affected site, it's 100%.

Steps to Reproduce:
1. ping6 router
2. observe periodic packet loss

Actual results:

Hanging ssh connections

Expected results:

No hang, like in Fedora 27

Additional info:

It appears that although ssh and ping are not blocked, firewalld blocks
neighbor discovery. Therefore, traffic works from the moment of router
advertisement until caches expire; the discovery is blocked and cannot
do anything. When the router advertises, traffic resumes.

The moment of the hang looks like this:

10:59:38.829632 IP6 fd2d:acfb:74cc:5:5ee0:c5ff:fe8c:47b3 > fd2d:acfb:74cc:1::1: ICMP6, echo request, seq 924, length 64
10:59:38.836570 IP6 fd2d:acfb:74cc:1::1 > fd2d:acfb:74cc:5:5ee0:c5ff:fe8c:47b3: ICMP6, echo reply, seq 924, length 64
10:59:39.236505 IP6 fe80::2 > ff02::1: ICMP6, router advertisement, length 112
10:59:39.251581 IP6 fe80::5ee0:c5ff:fe8c:47b3 > fd2d:acfb:74cc:5::2: ICMP6, neighbor solicitation, who has fd2d:acfb:74cc:5::2, length 32
10:59:39.257007 IP6 fd2d:acfb:74cc:5::2 > fe80::5ee0:c5ff:fe8c:47b3: ICMP6, neighbor advertisement, tgt is fd2d:acfb:74cc:5::2, length 24
10:59:39.656628 ARP, Request who-has 192.168.132.4 tell 192.168.132.2, length 46
10:59:39.656702 ARP, Reply 192.168.132.4 is-at 5c:e0:c5:8c:47:b3, length 28
10:59:39.831034 IP6 fd2d:acfb:74cc:5:5ee0:c5ff:fe8c:47b3 > fd2d:acfb:74cc:1::1: ICMP6, echo request, seq 925, length 64
10:59:39.863297 IP6 fe80::2 > ff02::1:ff8c:47b3: ICMP6, neighbor solicitation, who has fd2d:acfb:74cc:5:5ee0:c5ff:fe8c:47b3, length 32
10:59:40.851749 IP6 fd2d:acfb:74cc:5:5ee0:c5ff:fe8c:47b3 > fd2d:acfb:74cc:1::1: ICMP6, echo request, seq 926, length 64
10:59:40.907774 IP6 fe80::2 > ff02::1:ff8c:47b3: ICMP6, neighbor solicitation, who has fd2d:acfb:74cc:5:5ee0:c5ff:fe8c:47b3, length 32
10:59:41.875789 IP6 fd2d:acfb:74cc:5:5ee0:c5ff:fe8c:47b3 > fd2d:acfb:74cc:1::1: ICMP6, echo request, seq 927, length 64

The states of neighbors in "ip neigh" cycle through DELAY and STALE too.

For completeness, here's the firewall-cmd output:

[root@lembas zaitcev]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: wlp2s0
  sources: 
  services: mdns dhcpv6-client ssh
  ports: 6881/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

[root@lembas zaitcev]#

Comment 1 Pete Zaitcev 2018-06-15 21:51:57 UTC

*** This bug has been marked as a duplicate of bug 1575431 ***
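
Added example, not part of the original report: a small Python check that pairs neighbor solicitations with neighbor advertisements in tcpdump text output and lists the solicitations that got no answer. The four input lines are copied from the capture above; the function name and the one-second reply window are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta

# Four lines copied from the tcpdump capture in the report above.
CAPTURE = """\
10:59:39.251581 IP6 fe80::5ee0:c5ff:fe8c:47b3 > fd2d:acfb:74cc:5::2: ICMP6, neighbor solicitation, who has fd2d:acfb:74cc:5::2, length 32
10:59:39.257007 IP6 fd2d:acfb:74cc:5::2 > fe80::5ee0:c5ff:fe8c:47b3: ICMP6, neighbor advertisement, tgt is fd2d:acfb:74cc:5::2, length 24
10:59:39.863297 IP6 fe80::2 > ff02::1:ff8c:47b3: ICMP6, neighbor solicitation, who has fd2d:acfb:74cc:5:5ee0:c5ff:fe8c:47b3, length 32
10:59:40.907774 IP6 fe80::2 > ff02::1:ff8c:47b3: ICMP6, neighbor solicitation, who has fd2d:acfb:74cc:5:5ee0:c5ff:fe8c:47b3, length 32
"""

# Matches only ICMPv6 neighbor solicitation / advertisement lines.
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP6 (?P<src>\S+) > (?P<dst>[0-9a-f:]+): ICMP6, "
    r"neighbor (?P<kind>solicitation|advertisement), "
    r"(?:who has|tgt is) (?P<target>[0-9a-f:]+),"
)


def unanswered_solicitations(text, window=timedelta(seconds=1)):
    """Return (timestamp, solicitor, target) for every solicitation that has no
    advertisement for the same target within `window` (assumed reply window)."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
            events.append((ts, m["kind"], m["src"], m["target"]))
    missing = []
    for ts, kind, src, target in events:
        if kind != "solicitation":
            continue
        # A solicitation counts as answered if an advertisement for the same
        # target address appears at or after it, inside the window.
        answered = any(
            k == "advertisement" and t == target and ts <= when <= ts + window
            for when, k, _, t in events
        )
        if not answered:
            missing.append((ts.strftime("%H:%M:%S.%f"), src, target))
    return missing


if __name__ == "__main__":
    for when, solicitor, target in unanswered_solicitations(CAPTURE):
        print(f"{when} no advertisement for {target} (asked by {solicitor})")
```

On these lines the host's own solicitation for fd2d:acfb:74cc:5::2 is answered, while both solicitations from fe80::2 for the host's address are not, which matches the hang shown in the capture.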