Bug 806017

Summary: conntrack thinks that ICMPv6 Echo reply to ICMPv6 Echo request sent to IPv6 multicast address is INVALID
Product: Fedora
Reporter: Jiri Popelka <jpopelka>
Component: firewalld
Assignee: Thomas Woerner <twoerner>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 17
CC: gansalmon, itamar, jonathan, jpopelka, kernel-maint, madhu.chinakonda, nhorman, twoerner
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: x86_64
OS: Linux
Fixed In Version: firewalld-0.2.5-1.fc17
Doc Type: Bug Fix
Last Closed: 2012-04-24 04:26:01 UTC

Attachments:
Packet dump from machine A where you can see step (3) and (4). (flags: none)

Description Jiri Popelka 2012-03-22 17:15:31 UTC
1) I have two virtual machines with interfaces on the same link:
A) fe80::5054:ff:fe09:e0b9/64
B) fe80::5054:ff:fe80:d951/64

2) I set up IPv6 packet filter on A with ip6tables:
# ip6tables -F
# ip6tables -A INPUT -m conntrack --ctstate INVALID -j REJECT --reject-with icmp6-adm-prohibited
# ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
# ip6tables -A INPUT -j REJECT --reject-with icmp6-adm-prohibited

3) ping6 B from A:
# ping6 -I eth2 fe80::5054:ff:fe80:d951
PING fe80::5054:ff:fe80:d951(fe80::5054:ff:fe80:d951) from fe80::5054:ff:fe09:e0b9 eth2: 56 data bytes
64 bytes from fe80::5054:ff:fe80:d951: icmp_seq=1 ttl=64 time=0.265 ms
<OK>

4) ping6 'all nodes' from A:
# ping6 -I eth2 ff02::1
PING ff02::1(ff02::1) from fe80::5054:ff:fe09:e0b9 eth2: 56 data bytes
<reply is rejected>

5) remove the first line from ip6tables
# ip6tables -D INPUT 1

6) ping6 'all nodes' from A:
# ping6 -I eth2 ff02::1
PING ff02::1(ff02::1) from fe80::5054:ff:fe09:e0b9 eth2: 56 data bytes
64 bytes from fe80::5054:ff:fe09:e0b9: icmp_seq=1 ttl=64 time=0.072 ms
64 bytes from fe80::5054:ff:fe80:d951: icmp_seq=1 ttl=64 time=0.318 ms (DUP!)
<OK>
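To show why the reply in step (4) is INVALID while the one in step (3) is ESTABLISHED, here is an added Python model of how conntrack keys ICMPv6 echo flows and how the reporter's INPUT chain then treats the reply. It is constructed for this page, not kernel or firewalld code; the tuple is simplified to (src, dst, id), and the addresses and rules come from the description above.

```python
from dataclasses import dataclass

# Constructed model (not kernel code) of nf_conntrack's ICMPv6 echo tracking:
# an entry is stored under the request's tuple, and a later packet matches
# the entry if its tuple equals the original or the inverted (src/dst swapped) one.

ECHO_REQUEST, ECHO_REPLY = 128, 129


@dataclass(frozen=True)
class EchoTuple:
    src: str
    dst: str
    icmp_id: int

    def inverted(self):
        """Reply tuple conntrack expects: it must come FROM the request's destination."""
        return EchoTuple(self.dst, self.src, self.icmp_id)


class Conntrack:
    def __init__(self):
        self.entries = set()

    def classify(self, src, dst, icmp_type, icmp_id):
        t = EchoTuple(src, dst, icmp_id)
        if t in self.entries or t.inverted() in self.entries:
            return "ESTABLISHED"
        if icmp_type == ECHO_REQUEST:
            self.entries.add(t)  # only a request may open a new flow
            return "NEW"
        return "INVALID"  # a reply that matches no tracked request


def ruleset_verdict(ctstate, reject_invalid):
    """Mirror the reporter's INPUT chain: optional INVALID reject, then ipv6-icmp ACCEPT."""
    if reject_invalid and ctstate == "INVALID":
        return "REJECT"
    return "ACCEPT"


def reproduce(reject_invalid=True):
    A, B, ALL_NODES = "fe80::5054:ff:fe09:e0b9", "fe80::5054:ff:fe80:d951", "ff02::1"
    ct, result = Conntrack(), {}
    # step 3: unicast ping; the reply's src equals the request's dst, so it matches
    ct.classify(A, B, ECHO_REQUEST, 1)
    result["unicast_reply"] = ct.classify(B, A, ECHO_REPLY, 1)
    # step 4: multicast ping; conntrack expects the reply from ff02::1, but B
    # answers from its own link-local address, so neither tuple matches
    ct.classify(A, ALL_NODES, ECHO_REQUEST, 2)
    result["multicast_reply"] = ct.classify(B, A, ECHO_REPLY, 2)
    result["verdict"] = ruleset_verdict(result["multicast_reply"], reject_invalid)
    return result
```

Calling `reproduce()` reflects the ruleset from step (2); `reproduce(reject_invalid=False)` reflects step (5), where the INVALID rule has been deleted.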

Comment 1 Jiri Popelka 2012-03-22 17:16:36 UTC
Created attachment 572041 [details]
Packet dump from machine A where you can see step (3) and (4).

Comment 2 Jiri Popelka 2012-03-22 17:18:10 UTC
The packet dump is from machine B.

Comment 3 Dave Jones 2012-03-22 21:18:15 UTC
Can you post this to netdev.org? Interacting directly with the networking maintainers is probably going to get this fixed a lot faster than me acting as middle-man.

Comment 4 Jiri Popelka 2012-03-23 18:05:53 UTC
I reported this to netfilter AT vger.kernel.org a couple of hours ago but still don't see it on http://www.spinics.net/lists/netfilter/.

Anyway, we can close this as UPSTREAM I think.

Comment 5 Thomas Woerner 2012-03-26 17:53:17 UTC
Reopening against firewalld

Comment 6 Thomas Woerner 2012-03-26 17:53:46 UTC
Fixed upstream in commit:

commit f03c76eff658d65392905c357b4af694bbcad07a
Author: Thomas Woerner <twoerner>
Date:   Mon Mar 26 19:51:12 2012 +0200

    Removed conntrack --ctstate INVALID check from default ruleset, because it
    results in ICMP problems (RHBZ#806017).
    Added conntrack --ctstate NEW matches to all settings for zones.
    
    * src/firewall/core/fw_zone.py
    - added conntrack --ctstate NEW match
    * src/firewall/core/ipXtables.py
    - removed conntrack --ctstate INVALID check from default rules

Comment 7 Fedora Update System 2012-04-20 19:54:13 UTC
firewalld-0.2.5-1.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/firewalld-0.2.5-1.fc17

Comment 8 Fedora Update System 2012-04-21 21:04:02 UTC
Package firewalld-0.2.5-1.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing firewalld-0.2.5-1.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-6323/firewalld-0.2.5-1.fc17
then log in and leave karma (feedback).

Comment 9 Fedora Update System 2012-04-24 04:26:01 UTC
firewalld-0.2.5-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10 Jiri Popelka 2014-12-03 14:30:57 UTC
(In reply to Jiri Popelka from comment #4)
> I reported this to netfilter AT vger.kernel.org

For the record:
http://marc.info/?l=netfilter&m=133252802204019&w=2