Bug 805405
Summary: | NM adds device to firewall zone after successful activation, causing a DHCPv6 catch-22 | ||||||
---|---|---|---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Tore Anderson <tore> | ||||
Component: | NetworkManager | Assignee: | Dan Williams <dcbw> | ||||
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
Severity: | urgent | Docs Contact: | |||||
Priority: | unspecified | ||||||
Version: | 17 | CC: | awilliam, bruno, dcbw, jpopelka, jsmith.fedora, rbergero, robatino, satellitgo, twoerner | ||||
Target Milestone: | --- | ||||||
Target Release: | --- | ||||||
Hardware: | x86_64 | ||||||
OS: | Linux | ||||||
Whiteboard: | AcceptedBlocker | ||||||
Fixed In Version: | NetworkManager-0.9.3.997-1.git20120321.fc17 | Doc Type: | Bug Fix | ||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2012-03-23 17:43:20 UTC | Type: | --- | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Bug Depends On: | |||||||
Bug Blocks: | 752649 | ||||||
Attachments: |
|
Description
Tore Anderson
2012-03-21 07:54:25 UTC
Created attachment 571622 [details]
syslog from when reproducing the problem
This syslog shows the problem happening repeatedly immediately after booting up firewalld-20120319-x86_64.iso. There are some comments in there I added using "logger -t" of what I did and when. Note that the final connection succeeded (and the interface was added to the public zone), because I manually punched a hole for DHCPv6 client traffic in the ip6tables ruleset.
This is using wired ethernet, however the exact same thing happens on WiFi as well.
I added some people to the CC list, too. This is because even though I filed this bug on the NetworkManager package, it can just as well be fully solved through modifying firewalld only. I believe Dan, Thomas, and Jiri should reach an agreement on who should implement the fix and where - and if it is in firewalld, the bug should be reassigned accordingly.
No, those two bugs are unrelated and confirmed fixed in the latest NM proposed update (if they weren't the connection would still not have succeeded even after manually punching the ip6tables hole for dhcpv6-client). However they did prevent me from noticing this problem until now, unfortunately. Tore +1 blocker, I'm +1 on anything Tore says stops IPv6 working out of the box. -- Fedora Bugzappers volunteer triage team https://fedoraproject.org/wiki/BugZappers I've remembered that something similar (NM - dhcp - firewalld) was discussed on networkmanager-list AT gnome.org
On 08/01/2011 10:24 AM, Ludwig Nussel wrote:
> Dan Williams wrote:
>> One other note; if we want to block a bit on the firewall setting things
>> up, we want to slot this in during "stage3" (ip config start) before
>> "stage4" (ip config get) gets called, because only them do we know the
>> actual interface name to send to the firewall. For things like PPP,
>> PPPoE, Bluetooth DUN, etc, we don't know the actual IP interface name
>> until halfway through the connection setup process. But at that point
>> it should be safe to block for a short time for the firewall to do its
>> work.
>>
>> One other thought though, how do we handle DHCP with the firewall? NM
>> tries to do DHCP (which might need holes punched and stuff) during
>> "stage3", which in my proposal above is before the firewall would be
>> told the interface name. Is that a problem?
>
> DHCP clients bypass iptables for address configuration so the core
> DHCP feature should be fine. If the DHCP client or some hook script
> performs e.g. DNS lookups working connection tracking might be needed
> though. As long as the firewall always has a fallback rule that
> allows such kind of traffic for unassigned interfaces it's fine though.
But we obviously forgot about dhcpv6.
+1 blocker. +1 blocker +1 blocker that's 3 +1s, accepting as blocker per criterion "The installed system must be able to download and install updates with yum and the default graphical package manager in all release-blocking desktops" (as a proxy for 'network must work') in the IPv6 network case. -- Fedora Bugzappers volunteer triage team https://fedoraproject.org/wiki/BugZappers NetworkManager-0.9.3.997-1.git20120321.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/NetworkManager-0.9.3.997-1.git20120321.fc17 +1 blocker NetworkManager-0.9.3.997-1.git20120321.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report. |