Bug 190439
Summary: | IPv6 netfilter: bug in esp and icmp with option header match | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 4 | Reporter: | Peter Bieringer <pb> |
Component: | kernel | Assignee: | Thomas Graf <tgraf> |
Status: | CLOSED CANTFIX | QA Contact: | Brian Brock <bbrock> |
Severity: | high | Docs Contact: | |
Priority: | medium | ||
Version: | 4.0 | CC: | davem, jbaron, rkhan, wtogami |
Hardware: | All | OS: | Linux |
Doc Type: | Bug Fix | Last Closed: | 2012-05-10 12:48:20 UTC |
Bug Blocks: | 176344 |
Description
Peter Bieringer
2006-05-02 12:18:20 UTC
Can it be that the same bug prevents me from using RHEL4's IPsec configuration? After successfully using IPsec host-to-host with IPv4, I am now playing with IPv6, but strange things are happening here.

Config on both hosts (only src/dst exchanged):

ifcfg-ipsec0

    SRC=2001:db8:1234:1::54:1
    DST=2001:db8:1234:1::164:1
    TYPE=IPSEC
    IKE_METHOD=PSK
    IKE_PSK=secret
    ESP_PROTO=aes128

IPv6 firewalling is active on both hosts, too.

While IKE (phase 1) and IPsec (phase 2) are properly established, a ping6 or an ssh connect results in:

Dst host:

    Aug 10 17:10:59 host INPUT-FW6/cleanup:IN=eth0 OUT= MAC=00:40:63:**:**:**:00:e0:1e:56:91:**:**:** SRC=2001:0db8:1234:0001:0000:0000:0164:0001 DST=2001:0db8:1234:0001:0000:0000:0054:0001 LEN=140 TC=0 HOPLIMIT=60 FLOWLBL=0 OPT ( ) OPT ( ) PROTO=59

It only lets the traffic pass if I append the following rule:

    ip6tables -I INPUT -s 2001:db8:1234::/48 -d 2001:db8:1234::/48 -j ACCEPT

If I replace it by e.g.

    ip6tables -I INPUT -s 2001:db8:1234::/48 -d 2001:db8:1234::/48 -j ACCEPT -p tcp

traffic is blocked.

Used: kernel-2.6.9-34.0.2.EL

Could someone please check whether the minor patch shown above is included in the latest RHEL4 U4 candidate kernel, and if not, please include it.

This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.

This request was previously evaluated by Red Hat Product Management for inclusion in the current Red Hat Enterprise Linux release, but Red Hat was unable to resolve it in time. This request will be reviewed for a future Red Hat Enterprise Linux release.

RHEL4 has entered the Extended Life Phase. There will be no more minor releases. I'm closing this bug due to inactivity.

Please reopen and provide an explanation if you need this issue to be addressed in RHEL4. Please note that only security and critical bugfixes are considered at this point.
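Added example, not part of the bug report or of any Red Hat tooling: a Python triage script that scans ip6tables LOG output for the symptom quoted in the description, packets logged with PROTO=59 between hosts inside the IPsec peers' prefix. The log lines are constructed in the format shown in the report, and the function names and the prefix filter are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the ip6tables LOG format quoted in the report
# (documentation-prefix addresses; MAC field omitted for brevity).
SAMPLE_LOG = (
    "Aug 10 17:10:59 host INPUT-FW6/cleanup:IN=eth0 OUT= "
    "SRC=2001:0db8:1234:0001:0000:0000:0164:0001 "
    "DST=2001:0db8:1234:0001:0000:0000:0054:0001 "
    "LEN=140 TC=0 HOPLIMIT=60 FLOWLBL=0 OPT ( ) OPT ( ) PROTO=59\n"
    "Aug 10 17:11:02 host INPUT-FW6/cleanup:IN=eth0 OUT= "
    "SRC=2001:0db8:1234:0001:0000:0000:0164:0001 "
    "DST=2001:0db8:1234:0001:0000:0000:0054:0001 "
    "LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=40000 DPT=22\n"
    "Aug 10 17:11:05 host INPUT-FW6/cleanup:IN=eth0 OUT= "
    "SRC=2001:0db8:ffff:0001:0000:0000:0000:0009 "
    "DST=2001:0db8:1234:0001:0000:0000:0054:0001 "
    "LEN=60 TC=0 HOPLIMIT=60 FLOWLBL=0 PROTO=59\n"
)

NO_NEXT_HEADER = "59"  # IPv6 Next Header value 59 = "No Next Header"
FIELD = re.compile(r"(?:^|[\s:])([A-Z]+)=(\S*)")


def parse_line(line):
    """Split one LOG line into KEY=value fields; empty values (OUT=) are kept."""
    fields = dict(FIELD.findall(line))
    fields["OPT_GROUPS"] = line.count("OPT (")  # number of logged option headers
    return fields


def proto59_between_peers(log_text, prefix):
    """Count logged PROTO=59 packets whose SRC and DST both lie inside prefix."""
    net = ipaddress.ip_network(prefix)
    hits = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("PROTO") != NO_NEXT_HEADER or "SRC" not in f or "DST" not in f:
            continue
        try:
            src, dst = ipaddress.ip_address(f["SRC"]), ipaddress.ip_address(f["DST"])
        except ValueError:
            continue  # malformed address field: skip the line
        if src in net and dst in net:
            hits[(src.compressed, dst.compressed)] += 1
    return hits


if __name__ == "__main__":
    for (src, dst), n in proto59_between_peers(SAMPLE_LOG, "2001:db8:1234::/48").items():
        print(f"{n} packet(s) logged with PROTO=59: {src} -> {dst}")
```

Run against the firewall's real log with the same /48 used in the ip6tables rules to see which peer pairs are affected before and after a kernel update.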