Bug 295181

Summary: ip6tables configures the wrong IPv6 REJECT packet types
Product: Fedora
Reporter: Peter Riley <peter.riley>
Component: iptables
Assignee: Thomas Woerner <twoerner>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Docs Contact:
Priority: low
Version: 8
CC: sconklin
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
URL: https://lists.netfilter.org/pipermail/netfilter-devel/2007-August/029077.html
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-09-24 16:10:58 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Attachments:
Description: Updates old ip6t_REJECT.h header in iptables package to newer one from kernel-headers package.
Flags: none

Description Peter Riley 2007-09-18 17:35:14 UTC
Hello!

I am cloning Bug #253014 (filed against RHEL5) for Fedora 8 Test2, which is 
also affected and where it will hopefully receive some attention.  This bug 
actually affects RHEL5 and all versions of Fedora since FC5.  The attached 
patch has already been applied last month in upstream svn by the netfilter 
team, but the bug still affects iptables-1.3.8 which F8 is releasing.

Basically there is an old, incompatible header file for the IPv6 REJECT target 
in iptables-1.3.8.
It causes this problem (among others) with ip6tables:

###############################################################################

# ip6tables -I INPUT 1 -i lo -p tcp --dport 22 -j REJECT --reject-with tcp-reset
# ip6tables -nxvL INPUT | head -3
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
  pkts    bytes target   prot opt in   out  source   destination
     0        0 REJECT   tcp      lo   *    ::/0     ::/0    tcp dpt:22 reject-with tcp-reset

# ssh -6 ::1
ssh: connect to host ::1 port 22: Connection refused

# tcpdump -i lo -t -nn -s0 ip6  ### on separate xterm
listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
IP6 ::1.56371 > ::1.22: S 25897503:25897503(0) win 32752 <mss 16376,sackOK,timestamp 3441643437 0,nop,wscale 7>
IP6 ::1 > ::1: ICMP6, destination unreachable, unreachable port, ::1 tcp port 22, length 88

###############################################################################

So the ip6tables firewall is clearly configured to respond with **tcp-reset**, 
but the actual packet sent is as if it were **icmp6-port-unreachable**.  There 
are other inconsistencies as well.


This misbehavior can be traced to conflicting enumerations of constants in 
different header files from iptables vs the kernel-headers:


iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_REJECT.h
---------------------------------------------------------
#ifndef _IP6T_REJECT_H
#define _IP6T_REJECT_H

enum ip6t_reject_with {
	IP6T_ICMP6_NO_ROUTE,
	IP6T_ICMP6_ADM_PROHIBITED,
	IP6T_ICMP6_ADDR_UNREACH,
	IP6T_ICMP6_PORT_UNREACH,
	IP6T_TCP_RESET
};

struct ip6t_reject_info {
	enum ip6t_reject_with with;	/* reject type */
};

#endif /*_IP6T_REJECT_H*/



linux-2.6.18/include/linux/netfilter_ipv6/ip6t_REJECT.h
-------------------------------------------------------
#ifndef _IP6T_REJECT_H
#define _IP6T_REJECT_H

enum ip6t_reject_with {
	IP6T_ICMP6_NO_ROUTE,
	IP6T_ICMP6_ADM_PROHIBITED,
	IP6T_ICMP6_NOT_NEIGHBOUR,
	IP6T_ICMP6_ADDR_UNREACH,
	IP6T_ICMP6_PORT_UNREACH,
	IP6T_ICMP6_ECHOREPLY,
	IP6T_TCP_RESET
};

struct ip6t_reject_info {
	u_int32_t	with;	/* reject type */
};

#endif /*_IP6T_REJECT_H*/


The attached patch merely updates the old ip6t_REJECT.h header file in the 
iptables package to the newer one from the kernel-headers package. I tested on 
RHEL5 that it does indeed fix this bug for me when building iptables under 
rpmbuild with the spec file that Red Hat/Fedora uses.  (The bug only appears 
when building the way Red Hat/Fedora do under rpmbuild with KERNEL_DIR=/usr.  
It doesn't appear when building against the actual kernel sources, as the 
netfilter docs direct.)


RHEL5 Bug #253014 has some more details:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253014

Netfilter upstream thread report and resolution are here:
https://lists.netfilter.org/pipermail/netfilter-devel/2007-August/029077.html
https://lists.netfilter.org/pipermail/netfilter-devel/2007-August/029122.html

Upstream svn:
http://svn.netfilter.org/cgi-bin/viewcvs.cgi/trunk/iptables/include/linux/netfilter_ipv6/ip6t_REJECT.h?rev=7009&view=log


Best Regards!
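As an added illustration, not part of the bug report and not code from the iptables or netfilter projects, the following C program places constructed copies of the two enums quoted in the report side by side and shows which kernel-side enumerator a rule encoded by an ip6tables built against the old header actually selects. The enumerator values and header paths are the ones shown above; since both real headers define the same `enum ip6t_reject_with`, the copies here use the assumed prefixes `OLD_` and `KERN_` so they can coexist in one file, and the function names (`kernel_action_for`, `count_mismatches`) are likewise assumptions for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed copy of the enum in iptables-1.3.8's ip6t_REJECT.h.
 * Values are implicit (0..4), exactly as in the header. */
enum old_reject_with {
    OLD_ICMP6_NO_ROUTE,          /* 0 */
    OLD_ICMP6_ADM_PROHIBITED,    /* 1 */
    OLD_ICMP6_ADDR_UNREACH,      /* 2 */
    OLD_ICMP6_PORT_UNREACH,      /* 3 */
    OLD_TCP_RESET,               /* 4 */
    OLD_COUNT
};

/* Constructed copy of the enum in linux-2.6.18's ip6t_REJECT.h (0..6). */
enum kern_reject_with {
    KERN_ICMP6_NO_ROUTE,         /* 0 */
    KERN_ICMP6_ADM_PROHIBITED,   /* 1 */
    KERN_ICMP6_NOT_NEIGHBOUR,    /* 2 */
    KERN_ICMP6_ADDR_UNREACH,     /* 3 */
    KERN_ICMP6_PORT_UNREACH,     /* 4 */
    KERN_ICMP6_ECHOREPLY,        /* 5 */
    KERN_TCP_RESET,              /* 6 */
    KERN_COUNT
};

/* Rule payload as the kernel side reads it: a plain 32-bit integer. */
struct kern_reject_info { uint32_t with; };

/* Kernel enumerator name for a raw `with` value. */
static const char *kern_name(uint32_t with) {
    static const char *names[KERN_COUNT] = {
        "IP6T_ICMP6_NO_ROUTE", "IP6T_ICMP6_ADM_PROHIBITED",
        "IP6T_ICMP6_NOT_NEIGHBOUR", "IP6T_ICMP6_ADDR_UNREACH",
        "IP6T_ICMP6_PORT_UNREACH", "IP6T_ICMP6_ECHOREPLY", "IP6T_TCP_RESET"
    };
    return with < KERN_COUNT ? names[with] : "(out of range)";
}

/* Userspace built with the old header stores its own enumerator value
 * in the rule; the kernel then interprets that number with its own enum. */
static struct kern_reject_info encode_with_old_header(enum old_reject_with w) {
    struct kern_reject_info info;
    info.with = (uint32_t)w;
    return info;
}

/* Kernel action actually selected by a rule written by old userspace. */
const char *kernel_action_for(enum old_reject_with w) {
    return kern_name(encode_with_old_header(w).with);
}

/* Consistency check a packager can run after regenerating the header:
 * every enumerator name present in both headers must have the same value.
 * Returns the number of shared names whose values disagree. */
int count_mismatches(void) {
    static const struct { enum old_reject_with old; enum kern_reject_with kern; } pairs[] = {
        { OLD_ICMP6_NO_ROUTE,       KERN_ICMP6_NO_ROUTE },
        { OLD_ICMP6_ADM_PROHIBITED, KERN_ICMP6_ADM_PROHIBITED },
        { OLD_ICMP6_ADDR_UNREACH,   KERN_ICMP6_ADDR_UNREACH },
        { OLD_ICMP6_PORT_UNREACH,   KERN_ICMP6_PORT_UNREACH },
        { OLD_TCP_RESET,            KERN_TCP_RESET },
    };
    int bad = 0;
    for (size_t i = 0; i < sizeof pairs / sizeof pairs[0]; i++)
        if ((uint32_t)pairs[i].old != (uint32_t)pairs[i].kern)
            bad++;
    return bad;
}

int main(void) {
    static const char *old_names[OLD_COUNT] = {
        "IP6T_ICMP6_NO_ROUTE", "IP6T_ICMP6_ADM_PROHIBITED",
        "IP6T_ICMP6_ADDR_UNREACH", "IP6T_ICMP6_PORT_UNREACH", "IP6T_TCP_RESET"
    };
    for (int w = 0; w < OLD_COUNT; w++)
        printf("userspace %-26s (%d) -> kernel applies %s\n",
               old_names[w], w, kernel_action_for((enum old_reject_with)w));
    printf("%d of %d shared enumerators disagree between the headers\n",
           count_mismatches(), OLD_COUNT);
    return 0;
}
```

Running it reproduces the report's observation from the enum values alone: `IP6T_TCP_RESET` is 4 in the old header, and 4 on the kernel side is `IP6T_ICMP6_PORT_UNREACH`, so a rule configured for tcp-reset produces an ICMPv6 port-unreachable. Only the first two enumerators line up; the other three shared names map to a different kernel action, which is the "other inconsistencies" the report mentions.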

Comment 1 Peter Riley 2007-09-18 17:35:14 UTC
Created attachment 198641 [details]
Updates old ip6t_REJECT.h header in iptables package to newer one from kernel-headers package.

Comment 2 Thomas Woerner 2007-09-24 16:10:58 UTC
Fixed in rawhide in package iptables-1.3.8-4 or newer.