Bug 190590

Is there any error or warning message when you apply the filter rules?

Is the output of ip6tables-save the same as the the input, you gave to
ip6tables-restore?

No, there are no warnings:

# service ip6tables start
Applying ip6tables firewall rules:                         [  OK  ]

In the syslog there is only:

kernel: ip6_tables: (C) 2000-2006 Netfilter Core Team

There are some slight formatting differences with ip6tables-save compared to my
example, but this does not seem to matter, this version too has the same problem.

Ok, then this is a kernel netfilter problem and not a iptables userland problem.

Assigning to kernel.

I disagree with comment #3.  I believe this is a userland problem.  I just ran
across this issue and the problem isn't that netfilter doesn't do stateful
filtering (I wish it did, but it doesn't); the problem is that
system-config-securitylevel (or whatever generates ip6tables rules in Fedora)
writes ip6tables rules that *assume* netfilter has functionality it doesn't have.

The bottom line is this: if a user activates ip6tables on a Fedora system, the
default rules generated by Fedora will prevent the proper functioning of IPv6
traffic to and from that system.  This is not netfilter's fault, it's the rule
generator's fault.

A new kernel update has been released (Version: 2.6.18-1.2200.fc5)
based upon a new upstream kernel release.

Please retest against this new kernel, as a large number of patches
go into each upstream release, possibly including changes that
may address this problem.

This bug has been placed in NEEDINFO state.
Due to the large volume of inactive bugs in bugzilla, if this bug is
still in this state in two weeks time, it will be closed.

Should this bug still be relevant after this period, the reporter
can reopen the bug at any time. Any other users on the Cc: list
of this bug can request that the bug be reopened by adding a
comment to the bug.

In the last few updates, some users upgrading from FC4->FC5
have reported that installing a kernel update has left their
systems unbootable. If you have been affected by this problem
please check you only have one version of device-mapper & lvm2
installed.  See bug 207474 for further details.

If this bug is a problem preventing you from installing the
release this version is filed against, please see bug 169613.

If this bug has been fixed, but you are now experiencing a different
problem, please file a separate bug for the new problem.

Thank you.

Still failing with the ipv6 firewall below (ipv4 firewall disabled).

Oct 20 20:19:06 zippy kernel: IN=sit1 OUT=
MAC=00:0f:ea:42:53:ce:00:14:7f:35:c8:d2:08:00:45:08:00:68:00:14:00:00:f6:29:e6:c0:d5:79:18:55:58:60:97:61
TUNNEL=213.121.24.85->88.96.151.97 SRC=2001:06b0:0001:00ea:0202:a5ff:fecd:13a6
DST=2001:0618:0400:0000:0000:0000:5860:9761 LEN=84 TC=8 HOPLIMIT=52
FLOWLBL=1011012 PROTO=TCP SPT=80 DPT=50252 WINDOW=65535 RES=0x00 ACK SYN URGP=0

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j DROP
COMMIT

ipv6 connection tracking is incomplete in current kernels (and isn't likely to
get upstream until at least 2.6.20).  Userspace shouldn't be trying to use it yet.

2.6.21 of FC6 and F7 now supports IPv6 connection tracking, see also 
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244729

Works for me.

Is this fixed for you now?
Can this bug get closed?

Connection tracking work fine now with Fedora 7. The only current issue is that
the ip6tables service starts before the ipv6 setup has completed. The result is
that the firewall rules are inactive after a reboot. Doing "service ip6tables
restart" fixes this.

You last suggested problem is a different one. This has been addressed in the
iptables-1.3.8-2 pakage in F-7-testing.

Closing this one as "NOT A BUG".