Bug 165145 - ip6tables doesn't support match ipv6header, while kernel would support it
ip6tables doesn't support match ipv6header, while kernel would support it
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: iptables (Show other bugs)
6
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Thomas Woerner
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-08-04 13:41 EDT by Peter Bieringer
Modified: 2007-11-30 17:11 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-09-10 05:18:49 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Peter Bieringer 2005-08-04 13:41:55 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; de-DE; rv:1.7.10) Gecko/20050720 Fedora/1.0.6-1.1.fc4 Firefox/1.0.6

Description of problem:
ip6tables misses a library to control the match ipv6header, but option is already mentioned in man page.

Version-Release number of selected component (if applicable):
iptables-ipv6-1.3.0-2  kernel-2.6.12-1.1398_FC4

How reproducible:
Always

Steps to Reproduce:
1. enable IPv6
2. enable IPv6 firewalling
3. add a rule to match IPv6 fragments:
# ip6tables -I INPUT --match ipv6header --header ipv6-frag -j ACCEPT


Actual Results:  # ip6tables -I INPUT --match ipv6header --header ipv6-frag -j ACCEPT
ip6tables v1.3.0: Couldn't load match `ipv6header':/lib/iptables/libip6t_ipv6header.so: cannot open shared object file: No such file or directory

Try `ip6tables -h' or 'ip6tables --help' for more information.

Expected Results:  Proper working

Additional info:

As you see, the related kernel module already exists.

# find /lib/modules/2.6.12-1.1398_FC4/kernel/net/ipv6/netfilter/ -name '*ipv6header*'
/lib/modules/2.6.12-1.1398_FC4/kernel/net/ipv6/netfilter/ip6t_ipv6header.ko
[root@gatemuc ~]# find /lib/modules/2.6.12-1.1398_FC4/kernel/net/ipv6/netfilter/ -name '*ipv6header*' -ls
586288    4 -rwxr--r--   1 root     root         4060 Jul 15 08:15 /lib/modules/2.6.12-1.1398_FC4/kernel/net/ipv6/netfilter/ip6t_ipv6header.ko

Hopefully an updated version of iptables-ipv6 will be released soon.
Comment 1 Thomas Woerner 2005-11-18 07:07:29 EST
This has to get fixed in glibc-kernheaders - there is no ip6t_ipv6header.h.
Comment 2 Christian Iseli 2007-01-22 06:35:45 EST
This report targets the FC3 or FC4 products, which have now been EOL'd.

Could you please check that it still applies to a current Fedora release, and
either update the target product or close it ?

Thanks.
Comment 3 Peter Bieringer 2007-01-22 06:44:29 EST
Still happen on FC6

iptables-ipv6-1.3.5-1.2.1
kernel 2.6.18-1.2869.fc6

# ip6tables -I INPUT --match ipv6header --header ipv6-frag -j ACCEPT
ip6tables v1.3.5: Couldn't load match
`ipv6header':/lib/iptables/libip6t_ipv6header.so: cannot open shared object
file: No such file or directory

Try `ip6tables -h' or 'ip6tables --help' for more information.

# find /lib/modules/2.6.19-1.2895.fc6/kernel/net/ipv6/netfilter/ -name
'*ipv6header*' -ls
144896   12 -rwxr--r--   1 root     root         8364 Jan 11 02:25
/lib/modules/2.6.19-1.2895.fc6/kernel/net/ipv6/netfilter/ip6t_ipv6header.ko


Comment 4 Peter Bieringer 2007-04-11 08:34:07 EDT
Still happen on current FC6

kernel-2.6.20-1.2933.fc6
iptables-ipv6-1.3.5-1.2.1

# ip6tables -I INPUT --match ipv6header --header ipv6-frag -j ACCEPT
ip6tables v1.3.5: Couldn't load match
`ipv6header':/lib/iptables/libip6t_ipv6header.so: cannot open shared object
file: No such file or directory

Try `ip6tables -h' or 'ip6tables --help' for more information.
Comment 5 David Woodhouse 2007-04-11 09:46:33 EDT
Not a glibc-kernheaders problem in FC-6. There _is_ no glibc-kernheaders in FC-6.

Doesn't seem to be a bug in the kernel package either -- the header file
/usr/include/linux/netfilter_ipv6/ip6t_ipv6header.h does seem to be present.
Comment 6 Chris Lalancette 2007-06-13 10:26:31 EDT
Please see BZ 244047; it's the RHEL-5 version of this same problem, and I have
at least more closely identified the problem there.

Chris Lalancette
Comment 7 Peter Bieringer 2007-06-20 17:15:47 EDT
Additional issue rising up on F7:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229879
Comment 8 Peter Bieringer 2007-06-20 17:19:28 EDT
See also now
RHEL4:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244048

RHEL5:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244047

Is it impossible to fix this bug?
Comment 10 Thomas Woerner 2007-08-29 10:40:01 EDT
Please have a look at iptables-1.3.8-2.fc6 in the testing tree.
Comment 11 Peter Bieringer 2007-08-29 15:48:53 EDT
Because I migrate more and more systems to F7, I have to look for a FC6 system
now to test the provided update.
Comment 12 Peter Bieringer 2007-09-01 08:59:52 EDT
Checked on FC6, looks like working. Should I copy this BZ also to F7 or will it
get automatically also an update?
Comment 13 Thomas Woerner 2007-09-10 05:18:49 EDT
Fixed in updates in package iptables-1.3.8-2.fc6.

Note You need to log in before you can comment on or make changes to this bug.