Bug 190590
| Summary: | Connection tracking fails with iptables-ipv6 | | |
|---|---|---|---|
| Product: | Fedora | Reporter: | Per Steinar Iversen <persteinar.iversen> |
| Component: | iptables | Assignee: | Thomas Woerner <twoerner> |
| Status: | CLOSED NOTABUG | QA Contact: | Ben Levenson <benl> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 5 | CC: | davej, dedourek, jcliburn, paul.0000.black, pb, rvokal, wtogami |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2007-08-29 12:28:55 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Per Steinar Iversen
2006-05-03 19:23:41 UTC
Is there any error or warning message when you apply the filter rules? Is the output of ip6tables-save the same as the input you gave to ip6tables-restore?

No, there are no warnings:

```
# service ip6tables start
Applying ip6tables firewall rules: [ OK ]
```

In the syslog there is only:

```
kernel: ip6_tables: (C) 2000-2006 Netfilter Core Team
```

There are some slight formatting differences with ip6tables-save compared to my example, but this does not seem to matter, this version too has the same problem.

Ok, then this is a kernel netfilter problem and not an iptables userland problem. Assigning to kernel.

I disagree with comment #3. I believe this is a userland problem. I just ran across this issue and the problem isn't that netfilter doesn't do stateful filtering (I wish it did, but it doesn't); the problem is that system-config-securitylevel (or whatever generates ip6tables rules in Fedora) writes ip6tables rules that *assume* netfilter has functionality it doesn't have. The bottom line is this: if a user activates ip6tables on a Fedora system, the default rules generated by Fedora will prevent the proper functioning of IPv6 traffic to and from that system. This is not netfilter's fault, it's the rule generator's fault.

A new kernel update has been released (Version: 2.6.18-1.2200.fc5) based upon a new upstream kernel release. Please retest against this new kernel, as a large number of patches go into each upstream release, possibly including changes that may address this problem. This bug has been placed in NEEDINFO state. Due to the large volume of inactive bugs in bugzilla, if this bug is still in this state in two weeks time, it will be closed. Should this bug still be relevant after this period, the reporter can reopen the bug at any time. Any other users on the Cc: list of this bug can request that the bug be reopened by adding a comment to the bug.

In the last few updates, some users upgrading from FC4->FC5 have reported that installing a kernel update has left their systems unbootable. If you have been affected by this problem please check you only have one version of device-mapper & lvm2 installed. See bug 207474 for further details. If this bug is a problem preventing you from installing the release this version is filed against, please see bug 169613. If this bug has been fixed, but you are now experiencing a different problem, please file a separate bug for the new problem. Thank you.

Still failing with the ipv6 firewall below (ipv4 firewall disabled).

```
Oct 20 20:19:06 zippy kernel: IN=sit1 OUT= MAC=00:0f:ea:42:53:ce:00:14:7f:35:c8:d2:08:00:45:08:00:68:00:14:00:00:f6:29:e6:c0:d5:79:18:55:58:60:97:61 TUNNEL=213.121.24.85->88.96.151.97 SRC=2001:06b0:0001:00ea:0202:a5ff:fecd:13a6 DST=2001:0618:0400:0000:0000:0000:5860:9761 LEN=84 TC=8 HOPLIMIT=52 FLOWLBL=1011012 PROTO=TCP SPT=80 DPT=50252 WINDOW=65535 RES=0x00 ACK SYN URGP=0
```

```
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j DROP
COMMIT
```

ipv6 connection tracking is incomplete in current kernels (and isn't likely to get upstream until at least 2.6.20). Userspace shouldn't be trying to use it yet.

2.6.21 of FC6 and F7 now supports IPv6 connection tracking, see also https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244729

Works for me.

Is this fixed for you now? Can this bug get closed?

Connection tracking works fine now with Fedora 7. The only current issue is that the ip6tables service starts before the ipv6 setup has completed. The result is that the firewall rules are inactive after a reboot. Doing "service ip6tables restart" fixes this.
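Added example, not code from the bug report or from Fedora's rule generator: a small Python model of the netfilter chain walk that replays the RH-Firewall-1-INPUT ruleset posted in this thread against the logged SYN/ACK, once on a kernel with IPv6 connection tracking and once without, showing why the `-m state` ACCEPT rule can never protect replies when the kernel lacks conntrack and the packet falls through to LOG and DROP. The packet fields are constructed from the LOG line above; only the `-i` and `-m state` matches this ruleset uses are modelled.

```python
# The INPUT-path rules from the ip6tables-save output posted in this bug (verbatim).
RULESET = """\
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j DROP"""

def parse_ruleset(text):
    """Return (policies, chains); a user-defined chain has policy '-'."""
    policies, chains = {}, {}
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        if tok[0].startswith(":"):                  # chain declaration
            policies[tok[0][1:]], chains[tok[0][1:]] = tok[1], []
        elif tok[0] == "-A":                        # rule appended to a chain
            chains[tok[1]].append(tok[2:])
    return policies, chains

def rule_matches(rule, pkt, conntrack):
    """Model only the matches this ruleset uses: -i and -m state --state."""
    if "-i" in rule and pkt["in"] != rule[rule.index("-i") + 1]:
        return False
    if "--state" in rule:  # no conntrack in the kernel: no flow table, so never matches
        return conntrack and pkt["state"] in rule[rule.index("--state") + 1].split(",")
    return True

def verdict(policies, chains, chain, pkt, conntrack, log):
    """Walk a chain as netfilter does: the first terminating target decides."""
    for rule in chains[chain]:
        if not rule_matches(rule, pkt, conntrack):
            continue
        target = rule[rule.index("-j") + 1]
        if target == "LOG":                         # non-terminating: keep walking
            log.append(pkt)
        elif target in chains:                      # jump into a user-defined chain
            result = verdict(policies, chains, target, pkt, conntrack, log)
            if result:
                return result
        else:                                       # ACCEPT / DROP / REJECT
            return target
    return None if policies[chain] == "-" else policies[chain]

def audit(pkt, conntrack):
    """Return (verdict, LOG hits) for pkt entering INPUT with or without conntrack."""
    log = []
    policies, chains = parse_ruleset(RULESET)
    return verdict(policies, chains, "INPUT", pkt, conntrack, log), len(log)

# Constructed from the bug's LOG line: a SYN/ACK from a web server (SPT=80) on sit1,
# i.e. the reply half of a flow that conntrack would classify as ESTABLISHED.
REPLY = {"in": "sit1", "state": "ESTABLISHED"}
```

`audit(REPLY, conntrack=False)` returns `('DROP', 1)`, the logged-then-dropped reply the thread describes, while `audit(REPLY, conntrack=True)` returns `('ACCEPT', 0)`.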
Your last suggested problem is a different one. This has been addressed in the iptables-1.3.8-2 package in F-7-testing. Closing this one as "NOT A BUG".