Bug 229879
Summary: | spew on startup of ip6tables | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Dave Jones <davej> |
Component: | system-config-firewall | Assignee: | Thomas Woerner <twoerner> |
Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | rawhide | CC: | bnocera, musuruan, pb, pfrields |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2007-10-01 13:57:40 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Dave Jones
2007-02-23 22:52:26 UTC
Don't worry, be happy that ip6tables is at least starting ;-)

See https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244721 and https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=236888 for more.

There are more issues:

1) The message is caused by:

# ip6tables -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
Warning: never matched protocol: 51. use exension match instead.[root@host sysconfig]#

Note that there is a linefeed also missing.

2) Looks like there is a need of a discussion with netfilter folks, why they mean that in IPv6 an Authentication Header can never occur as first transport header behind the IPv6 header.

3) If one tries to set up a rule using IPv6 header matching (according to the netfilter warning message), this would fail because of a missing library:

# ip6tables -A RH-Firewall-1-INPUT --match ipv6header --header 51 -j ACCEPT
ip6tables v1.3.7: Couldn't load match `ipv6header':/lib/iptables/libip6t_ipv6header.so: cannot open shared object file: No such file or directory
Try `ip6tables -h' or 'ip6tables --help' for more information.

Note that the kernel would support this:

# modprobe ip6t_ipv6header
# cat /proc/net/ip6_tables_matches
ipv6header
state
udplite
udp
tcp
icmp6

This missing userspace support is already known for:
FC6: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=165145
RHEL4: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244048
RHEL5: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244047

I really wonder why this bug can't be fixed since August 2005.

*** Bug 230019 has been marked as a duplicate of this bug. ***

Assigning to system-config-firewall.

Fixed in rawhide in package system-config-firewall-1.0.8-1 or newer.