Bug 229879 – spew on startup of ip6tables

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 229879 - spew on startup of ip6tables

Summary:	spew on startup of ip6tables

Status:	CLOSED RAWHIDE

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	system-config-firewall (Show other bugs)
Sub Component:
Version:	rawhide
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Thomas Woerner
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:

URL:
Whiteboard:
Keywords:

Duplicates:	230019 (view as bug list)
Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2007-02-23 17:52 EST by Dave Jones
Modified:	2015-01-04 17:29 EST (History)
CC List:	4 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2007-10-01 09:57:40 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Dave Jones 2007-02-23 17:52:26 EST

with a fresh install of todays rawhide I see this when ip6tables starts up..

Warning: never matched p[  OK  ] 51. use exension match instead

Comment 1 Peter Bieringer 2007-06-18 15:08:33 EDT

Don't worry, be happy that ip6tables is at least starting ;-) 
See https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244721 and
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=236888 for more

Comment 2 Peter Bieringer 2007-06-20 17:18:10 EDT

There are more issues

1) message is caused by:

# ip6tables -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
Warning: never matched protocol: 51. use exension match instead.[root@host
sysconfig]#

Note that there is a linefeed also missing


2) Looks like there is a need of a discussion with netfilter folks, why they
mean, that in IPv6 an Authentication Header can never be occur as first
transport header behind the IPv6 header


3) If one try to setup a rule using IPv6 header matching (according to the
netfilter warning message), this would fail because of missing library:

# ip6tables -A RH-Firewall-1-INPUT --match ipv6header --header 51 -j ACCEPT
ip6tables v1.3.7: Couldn't load match
`ipv6header':/lib/iptables/libip6t_ipv6header.so: cannot open shared object
file: No such file or directory

Try `ip6tables -h' or 'ip6tables --help' for more information.


Note that the kernel would support this:
# modprobe ip6t_ipv6header
# cat /proc/net/ip6_tables_matches 
ipv6header
state
udplite
udp
tcp
icmp6

This missing userspace support is already known for

FC6:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=165145

RHEL4:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244048

RHEL5:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244047

I really wonder why this bug can't be fixed since August 2005.

Comment 3 Thomas Woerner 2007-08-23 08:21:14 EDT

*** Bug 230019 has been marked as a duplicate of this bug. ***

Comment 4 Thomas Woerner 2007-09-26 11:43:26 EDT

Assigning to system-config-firewall.

Comment 5 Thomas Woerner 2007-10-01 09:57:40 EDT

Fixed in rawhide in package system-config-firewall-1.0.8-1 or newer.

Note You need to log in before you can comment on or make changes to this bug.