Red Hat Bugzilla – Bug 165145
ip6tables doesn't support match ipv6header, while kernel would support it
Last modified: 2007-11-30 17:11:11 EST
From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; de-DE; rv:1.7.10) Gecko/20050720 Fedora/1.0.6-1.1.fc4 Firefox/1.0.6 Description of problem: ip6tables misses a library to control the match ipv6header, but option is already mentioned in man page. Version-Release number of selected component (if applicable): iptables-ipv6-1.3.0-2 kernel-2.6.12-1.1398_FC4 How reproducible: Always Steps to Reproduce: 1. enable IPv6 2. enable IPv6 firewalling 3. add a rule to match IPv6 fragments: # ip6tables -I INPUT --match ipv6header --header ipv6-frag -j ACCEPT Actual Results: # ip6tables -I INPUT --match ipv6header --header ipv6-frag -j ACCEPT ip6tables v1.3.0: Couldn't load match `ipv6header':/lib/iptables/libip6t_ipv6header.so: cannot open shared object file: No such file or directory Try `ip6tables -h' or 'ip6tables --help' for more information. Expected Results: Proper working Additional info: As you see, the related kernel module already exists. # find /lib/modules/2.6.12-1.1398_FC4/kernel/net/ipv6/netfilter/ -name '*ipv6header*' /lib/modules/2.6.12-1.1398_FC4/kernel/net/ipv6/netfilter/ip6t_ipv6header.ko [root@gatemuc ~]# find /lib/modules/2.6.12-1.1398_FC4/kernel/net/ipv6/netfilter/ -name '*ipv6header*' -ls 586288 4 -rwxr--r-- 1 root root 4060 Jul 15 08:15 /lib/modules/2.6.12-1.1398_FC4/kernel/net/ipv6/netfilter/ip6t_ipv6header.ko Hopefully an updated version of iptables-ipv6 will be released soon.
This has to get fixed in glibc-kernheaders - there is no ip6t_ipv6header.h.
This report targets the FC3 or FC4 products, which have now been EOL'd. Could you please check that it still applies to a current Fedora release, and either update the target product or close it ? Thanks.
Still happen on FC6 iptables-ipv6-1.3.5-1.2.1 kernel 2.6.18-1.2869.fc6 # ip6tables -I INPUT --match ipv6header --header ipv6-frag -j ACCEPT ip6tables v1.3.5: Couldn't load match `ipv6header':/lib/iptables/libip6t_ipv6header.so: cannot open shared object file: No such file or directory Try `ip6tables -h' or 'ip6tables --help' for more information. # find /lib/modules/2.6.19-1.2895.fc6/kernel/net/ipv6/netfilter/ -name '*ipv6header*' -ls 144896 12 -rwxr--r-- 1 root root 8364 Jan 11 02:25 /lib/modules/2.6.19-1.2895.fc6/kernel/net/ipv6/netfilter/ip6t_ipv6header.ko
Still happen on current FC6 kernel-2.6.20-1.2933.fc6 iptables-ipv6-1.3.5-1.2.1 # ip6tables -I INPUT --match ipv6header --header ipv6-frag -j ACCEPT ip6tables v1.3.5: Couldn't load match `ipv6header':/lib/iptables/libip6t_ipv6header.so: cannot open shared object file: No such file or directory Try `ip6tables -h' or 'ip6tables --help' for more information.
Not a glibc-kernheaders problem in FC-6. There _is_ no glibc-kernheaders in FC-6. Doesn't seem to be a bug in the kernel package either -- the header file /usr/include/linux/netfilter_ipv6/ip6t_ipv6header.h does seem to be present.
Please see BZ 244047; it's the RHEL-5 version of this same problem, and I have at least more closely identified the problem there. Chris Lalancette
Additional issue rising up on F7: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229879
See also now RHEL4: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244048 RHEL5: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244047 Is it impossible to fix this bug?
Please have a look at iptables-1.3.8-2.fc6 in the testing tree.
Because I migrate more and more systems to F7, I have to look for a FC6 system now to test the provided update.
Checked on FC6, looks like working. Should I copy this BZ also to F7 or will it get automatically also an update?
Fixed in updates in package iptables-1.3.8-2.fc6.