Bug 1591867 - firewalld blocks neighbor discovery
Status: CLOSED DUPLICATE of bug 1575431
Alias: None
Product: Fedora
Classification: Fedora
Component: firewalld
Version: 28
Hardware: Unspecified
OS: Linux
Assignee: Eric Garver
QA Contact: Fedora Extras Quality Assurance
Reported: 2018-06-15 17:35 UTC by Pete Zaitcev
Modified: 2018-06-15 21:51 UTC

Last Closed: 2018-06-15 21:51:57 UTC
Type: Bug

Description Pete Zaitcev 2018-06-15 17:35:26 UTC
Description of problem:

All ssh connections (using IPv6) cycle between hanging for a short time,
working for a few seconds, and hanging again. Stopping firewalld allows traffic.

The problem appeared as soon as the system was updated from Fedora 27.

Version-Release number of selected component (if applicable):

firewalld-0.5.2-2.fc28.noarch
kernel-4.16.14-300.fc28.x86_64

How reproducible:

Unknown. On the affected site, it's 100%.

Steps to Reproduce:
1. ping6 router
2. observe periodic packet loss

Actual results:

Hanging ssh connections

Expected results:

No hang, like in Fedora 27

Additional info:

It appears that although ssh and ping are not blocked, firewalld blocks
neighbor discovery. Therefore, traffic works from the moment of router
advertisement until caches expire; the discovery is blocked and cannot
do anything. When the router advertises, traffic resumes.

The moment of the hang looks like this:

10:59:38.829632 IP6 fd2d:acfb:74cc:5:5ee0:c5ff:fe8c:47b3 > fd2d:acfb:74cc:1::1: ICMP6, echo request, seq 924, length 64
10:59:38.836570 IP6 fd2d:acfb:74cc:1::1 > fd2d:acfb:74cc:5:5ee0:c5ff:fe8c:47b3: ICMP6, echo reply, seq 924, length 64
10:59:39.236505 IP6 fe80::2 > ff02::1: ICMP6, router advertisement, length 112
10:59:39.251581 IP6 fe80::5ee0:c5ff:fe8c:47b3 > fd2d:acfb:74cc:5::2: ICMP6, neighbor solicitation, who has fd2d:acfb:74cc:5::2, length 32
10:59:39.257007 IP6 fd2d:acfb:74cc:5::2 > fe80::5ee0:c5ff:fe8c:47b3: ICMP6, neighbor advertisement, tgt is fd2d:acfb:74cc:5::2, length 24
10:59:39.656628 ARP, Request who-has 192.168.132.4 tell 192.168.132.2, length 46
10:59:39.656702 ARP, Reply 192.168.132.4 is-at 5c:e0:c5:8c:47:b3, length 28
10:59:39.831034 IP6 fd2d:acfb:74cc:5:5ee0:c5ff:fe8c:47b3 > fd2d:acfb:74cc:1::1: ICMP6, echo request, seq 925, length 64
10:59:39.863297 IP6 fe80::2 > ff02::1:ff8c:47b3: ICMP6, neighbor solicitation, who has fd2d:acfb:74cc:5:5ee0:c5ff:fe8c:47b3, length 32
10:59:40.851749 IP6 fd2d:acfb:74cc:5:5ee0:c5ff:fe8c:47b3 > fd2d:acfb:74cc:1::1: ICMP6, echo request, seq 926, length 64
10:59:40.907774 IP6 fe80::2 > ff02::1:ff8c:47b3: ICMP6, neighbor solicitation, who has fd2d:acfb:74cc:5:5ee0:c5ff:fe8c:47b3, length 32
10:59:41.875789 IP6 fd2d:acfb:74cc:5:5ee0:c5ff:fe8c:47b3 > fd2d:acfb:74cc:1::1: ICMP6, echo request, seq 927, length 64

The states of neighbors in "ip neigh" cycle through DELAY and STALE too.

For completeness, here's the firewall-cmd output:

[root@lembas zaitcev]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: wlp2s0
  sources: 
  services: mdns dhcpv6-client ssh
  ports: 6881/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

[root@lembas zaitcev]#

Comment 1 Pete Zaitcev 2018-06-15 21:51:57 UTC

*** This bug has been marked as a duplicate of bug 1575431 ***

