Bug 165145 - ip6tables doesn't support match ipv6header, while kernel would support it
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: iptables
Version: 6
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Ben Levenson
Reported: 2005-08-04 17:41 UTC by Peter Bieringer
Modified: 2007-11-30 22:11 UTC (History)

Last Closed: 2007-09-10 09:18:49 UTC

Description Peter Bieringer 2005-08-04 17:41:55 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; de-DE; rv:1.7.10) Gecko/20050720 Fedora/1.0.6-1.1.fc4 Firefox/1.0.6

Description of problem:
ip6tables is missing the library to control the ipv6header match, but the option is already mentioned in the man page.

Version-Release number of selected component (if applicable):
iptables-ipv6-1.3.0-2  kernel-2.6.12-1.1398_FC4

How reproducible:
Always

Steps to Reproduce:
1. enable IPv6
2. enable IPv6 firewalling
3. add a rule to match IPv6 fragments:
# ip6tables -I INPUT --match ipv6header --header ipv6-frag -j ACCEPT


Actual Results:
# ip6tables -I INPUT --match ipv6header --header ipv6-frag -j ACCEPT
ip6tables v1.3.0: Couldn't load match `ipv6header':/lib/iptables/libip6t_ipv6header.so: cannot open shared object file: No such file or directory

Try `ip6tables -h' or 'ip6tables --help' for more information.

Expected Results:  Proper working

Additional info:

As you see, the related kernel module already exists.

# find /lib/modules/2.6.12-1.1398_FC4/kernel/net/ipv6/netfilter/ -name '*ipv6header*'
/lib/modules/2.6.12-1.1398_FC4/kernel/net/ipv6/netfilter/ip6t_ipv6header.ko
[root@gatemuc ~]# find /lib/modules/2.6.12-1.1398_FC4/kernel/net/ipv6/netfilter/ -name '*ipv6header*' -ls
586288    4 -rwxr--r--   1 root     root         4060 Jul 15 08:15 /lib/modules/2.6.12-1.1398_FC4/kernel/net/ipv6/netfilter/ip6t_ipv6header.ko

Hopefully an updated version of iptables-ipv6 will be released soon.
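
The mismatch described in this report (kernel module present, userspace library absent) can be checked for every ip6tables extension at once. This is an added example, not part of the original report or of iptables; the `ip6t_NAME.ko` / `libip6t_NAME.so` pairing is assumed from the two paths quoted above, and the function names and sample files are constructed.

```shell
#!/bin/sh
# Added example: list ip6tables extensions that have a kernel module but no
# matching userspace library, the condition behind the "Couldn't load match"
# error. Assumed naming convention: ip6t_NAME.ko <-> libip6t_NAME.so.

# missing_ip6t_libs MODULE_DIR LIB_DIR
# Prints one extension name per line (sorted) for every ip6t_*.ko in
# MODULE_DIR that has no libip6t_*.so counterpart in LIB_DIR.
missing_ip6t_libs() {
    moddir=$1
    libdir=$2
    for ko in "$moddir"/ip6t_*.ko; do
        [ -e "$ko" ] || continue      # glob matched nothing
        name=${ko##*/}                # ip6t_ipv6header.ko
        name=${name#ip6t_}            # ipv6header.ko
        name=${name%.ko}              # ipv6header
        [ -e "$libdir/libip6t_$name.so" ] || printf '%s\n' "$name"
    done | LC_ALL=C sort
}

# Constructed sample layout: three extension modules, two userspace
# libraries. ip6_tables.ko is the core module, not an extension, and must
# be ignored by the ip6t_* pattern.
demo_missing_ip6t_libs() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/modules" "$tmp/lib"
    touch "$tmp/modules/ip6t_ipv6header.ko" \
          "$tmp/modules/ip6t_frag.ko" \
          "$tmp/modules/ip6t_LOG.ko" \
          "$tmp/modules/ip6_tables.ko"
    touch "$tmp/lib/libip6t_frag.so" "$tmp/lib/libip6t_LOG.so"
    missing_ip6t_libs "$tmp/modules" "$tmp/lib"
    rm -rf "$tmp"
}
```

With the paths from this report, the call would be `missing_ip6t_libs /lib/modules/2.6.12-1.1398_FC4/kernel/net/ipv6/netfilter /lib/iptables`. Any name it prints is a match or target the kernel can evaluate but that cannot be used in a rule on that system.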

Comment 1 Thomas Woerner 2005-11-18 12:07:29 UTC
This has to get fixed in glibc-kernheaders - there is no ip6t_ipv6header.h.

Comment 2 Christian Iseli 2007-01-22 11:35:45 UTC
This report targets the FC3 or FC4 products, which have now been EOL'd.

Could you please check that it still applies to a current Fedora release, and
either update the target product or close it?

Thanks.

Comment 3 Peter Bieringer 2007-01-22 11:44:29 UTC
Still happens on FC6

iptables-ipv6-1.3.5-1.2.1
kernel 2.6.18-1.2869.fc6

# ip6tables -I INPUT --match ipv6header --header ipv6-frag -j ACCEPT
ip6tables v1.3.5: Couldn't load match `ipv6header':/lib/iptables/libip6t_ipv6header.so: cannot open shared object file: No such file or directory

Try `ip6tables -h' or 'ip6tables --help' for more information.

# find /lib/modules/2.6.19-1.2895.fc6/kernel/net/ipv6/netfilter/ -name '*ipv6header*' -ls
144896   12 -rwxr--r--   1 root     root         8364 Jan 11 02:25 /lib/modules/2.6.19-1.2895.fc6/kernel/net/ipv6/netfilter/ip6t_ipv6header.ko

Comment 4 Peter Bieringer 2007-04-11 12:34:07 UTC
Still happens on current FC6

kernel-2.6.20-1.2933.fc6
iptables-ipv6-1.3.5-1.2.1

# ip6tables -I INPUT --match ipv6header --header ipv6-frag -j ACCEPT
ip6tables v1.3.5: Couldn't load match `ipv6header':/lib/iptables/libip6t_ipv6header.so: cannot open shared object file: No such file or directory

Try `ip6tables -h' or 'ip6tables --help' for more information.

Comment 5 David Woodhouse 2007-04-11 13:46:33 UTC
Not a glibc-kernheaders problem in FC-6. There _is_ no glibc-kernheaders in FC-6.

Doesn't seem to be a bug in the kernel package either -- the header file
/usr/include/linux/netfilter_ipv6/ip6t_ipv6header.h does seem to be present.

Comment 6 Chris Lalancette 2007-06-13 14:26:31 UTC
Please see BZ 244047; it's the RHEL-5 version of this same problem, and I have
at least more closely identified the problem there.

Chris Lalancette

Comment 7 Peter Bieringer 2007-06-20 21:15:47 UTC
Additional issue arising on F7:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229879

Comment 8 Peter Bieringer 2007-06-20 21:19:28 UTC
See also now
RHEL4:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244048

RHEL5:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244047

Is it impossible to fix this bug?

Comment 10 Thomas Woerner 2007-08-29 14:40:01 UTC
Please have a look at iptables-1.3.8-2.fc6 in the testing tree.

Comment 11 Peter Bieringer 2007-08-29 19:48:53 UTC
Because I am migrating more and more systems to F7, I have to look for an FC6 system
now to test the provided update.

Comment 12 Peter Bieringer 2007-09-01 12:59:52 UTC
Checked on FC6, looks like it is working. Should I also copy this BZ to F7, or will it
automatically get an update as well?

Comment 13 Thomas Woerner 2007-09-10 09:18:49 UTC
Fixed in updates in package iptables-1.3.8-2.fc6.

