Bug 165145 – ip6tables doesn't support match ipv6header, while kernel would support it

Bug 165145 - ip6tables doesn't support match ipv6header, while kernel would support it

Summary:	ip6tables doesn't support match ipv6header, while kernel would support it

Status:	CLOSED ERRATA

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	iptables (Show other bugs)
Sub Component:
Version:	6
Hardware:	i386 Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Thomas Woerner
QA Contact:	Ben Levenson
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2005-08-04 13:41 EDT by Peter Bieringer
Modified:	2007-11-30 17:11 EST (History)
CC List:	1 user (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2007-09-10 05:18:49 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Peter Bieringer 2005-08-04 13:41:55 EDT

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; de-DE; rv:1.7.10) Gecko/20050720 Fedora/1.0.6-1.1.fc4 Firefox/1.0.6

Description of problem:
ip6tables misses a library to control the match ipv6header, but option is already mentioned in man page.

Version-Release number of selected component (if applicable):
iptables-ipv6-1.3.0-2  kernel-2.6.12-1.1398_FC4

How reproducible:
Always

Steps to Reproduce:
1. enable IPv6
2. enable IPv6 firewalling
3. add a rule to match IPv6 fragments:
# ip6tables -I INPUT --match ipv6header --header ipv6-frag -j ACCEPT


Actual Results:  # ip6tables -I INPUT --match ipv6header --header ipv6-frag -j ACCEPT
ip6tables v1.3.0: Couldn't load match `ipv6header':/lib/iptables/libip6t_ipv6header.so: cannot open shared object file: No such file or directory

Try `ip6tables -h' or 'ip6tables --help' for more information.

Expected Results:  Proper working

Additional info:

As you see, the related kernel module already exists.

# find /lib/modules/2.6.12-1.1398_FC4/kernel/net/ipv6/netfilter/ -name '*ipv6header*'
/lib/modules/2.6.12-1.1398_FC4/kernel/net/ipv6/netfilter/ip6t_ipv6header.ko
[root@gatemuc ~]# find /lib/modules/2.6.12-1.1398_FC4/kernel/net/ipv6/netfilter/ -name '*ipv6header*' -ls
586288    4 -rwxr--r--   1 root     root         4060 Jul 15 08:15 /lib/modules/2.6.12-1.1398_FC4/kernel/net/ipv6/netfilter/ip6t_ipv6header.ko

Hopefully an updated version of iptables-ipv6 will be released soon.

Comment 1 Thomas Woerner 2005-11-18 07:07:29 EST

This has to get fixed in glibc-kernheaders - there is no ip6t_ipv6header.h.

Comment 2 Christian Iseli 2007-01-22 06:35:45 EST

This report targets the FC3 or FC4 products, which have now been EOL'd.

Could you please check that it still applies to a current Fedora release, and
either update the target product or close it ?

Thanks.

Comment 3 Peter Bieringer 2007-01-22 06:44:29 EST

Still happen on FC6

iptables-ipv6-1.3.5-1.2.1
kernel 2.6.18-1.2869.fc6

# ip6tables -I INPUT --match ipv6header --header ipv6-frag -j ACCEPT
ip6tables v1.3.5: Couldn't load match
`ipv6header':/lib/iptables/libip6t_ipv6header.so: cannot open shared object
file: No such file or directory

Try `ip6tables -h' or 'ip6tables --help' for more information.

# find /lib/modules/2.6.19-1.2895.fc6/kernel/net/ipv6/netfilter/ -name
'*ipv6header*' -ls
144896   12 -rwxr--r--   1 root     root         8364 Jan 11 02:25
/lib/modules/2.6.19-1.2895.fc6/kernel/net/ipv6/netfilter/ip6t_ipv6header.ko

Comment 4 Peter Bieringer 2007-04-11 08:34:07 EDT

Still happen on current FC6

kernel-2.6.20-1.2933.fc6
iptables-ipv6-1.3.5-1.2.1

# ip6tables -I INPUT --match ipv6header --header ipv6-frag -j ACCEPT
ip6tables v1.3.5: Couldn't load match
`ipv6header':/lib/iptables/libip6t_ipv6header.so: cannot open shared object
file: No such file or directory

Try `ip6tables -h' or 'ip6tables --help' for more information.

Comment 5 David Woodhouse 2007-04-11 09:46:33 EDT

Not a glibc-kernheaders problem in FC-6. There _is_ no glibc-kernheaders in FC-6.

Doesn't seem to be a bug in the kernel package either -- the header file
/usr/include/linux/netfilter_ipv6/ip6t_ipv6header.h does seem to be present.

Comment 6 Chris Lalancette 2007-06-13 10:26:31 EDT

Please see BZ 244047; it's the RHEL-5 version of this same problem, and I have
at least more closely identified the problem there.

Chris Lalancette

Comment 7 Peter Bieringer 2007-06-20 17:15:47 EDT

Additional issue rising up on F7:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229879

Comment 8 Peter Bieringer 2007-06-20 17:19:28 EDT

See also now
RHEL4:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244048

RHEL5:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244047

Is it impossible to fix this bug?

Comment 10 Thomas Woerner 2007-08-29 10:40:01 EDT

Please have a look at iptables-1.3.8-2.fc6 in the testing tree.

Comment 11 Peter Bieringer 2007-08-29 15:48:53 EDT

Because I migrate more and more systems to F7, I have to look for a FC6 system
now to test the provided update.

Comment 12 Peter Bieringer 2007-09-01 08:59:52 EDT

Checked on FC6, looks like working. Should I copy this BZ also to F7 or will it
get automatically also an update?

Comment 13 Thomas Woerner 2007-09-10 05:18:49 EDT

Fixed in updates in package iptables-1.3.8-2.fc6.

Note You need to log in before you can comment on or make changes to this bug.