Bug 232933 - netfilter misses connection tracking support for IPv6
Summary: netfilter misses connection tracking support for IPv6
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel
Version: 5.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Thomas Graf
QA Contact: Martin Jenner
Duplicates: 577419
Depends On: 488007
Reported: 2007-03-19 15:23 UTC by Peter Bieringer
Modified: 2018-11-27 21:43 UTC
CC: 11 users

Doc Type: Bug Fix
Last Closed: 2008-06-14 10:20:29 UTC


Description Peter Bieringer 2007-03-19 15:23:01 UTC
Description of problem:
Shipped kernel does not support IPv6 connection tracking in netfilter.

Version-Release number of selected component (if applicable):

Expected results:
RHEL5 would be shipped with IPv6 connection tracking in netfilter.

Additional info:
Do I have to wait another 18 months to get an Enterprise Linux version which finally
supports IPv6 connection tracking, or would there be a backport from 2.6.20
available in an acceptable timeframe?

Comment 1 Jarod Wilson 2007-09-02 04:21:51 UTC
I believe we've taken in a patch to address this issue in rhel5.1. The 5.1 beta kernels contain the 

Fixes IPv6 fragments bypass issue in the conntracking code. The
patch has been merged into the stable tree already. Please ACK.

commit 868f0120e0f93d070ea7f3e969c09dbab8ad7bc7
Author: Patrick McHardy <kaber>

    nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED

    [NETFILTER]: nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED

    The individual fragments of a packet reassembled by conntrack have the
    conntrack reference from the reassembled packet attached, but nfctinfo
    is not copied. This leaves it initialized to 0, which unfortunately is
    the value of IP_CT_ESTABLISHED.

    The result is that all IPv6 fragments are tracked as ESTABLISHED,
    allowing them to bypass a usual ruleset which accepts ESTABLISHED
    packets early.

    Signed-off-by: Patrick McHardy <kaber>
    Signed-off-by: Greg Kroah-Hartman <gregkh>

Index: linux-2.6.18.noarch/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
--- linux-2.6.18.noarch.orig/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c     2006-09-20 
05:42:06.000000000 +0200
+++ linux-2.6.18.noarch/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c  2007-05-02 
22:26:11.000000000 +0200
@@ -264,6 +264,7 @@ static unsigned int ipv6_conntrack_in(un
                (*pskb)->nfct = reasm->nfct;
+               (*pskb)->nfctinfo = reasm->nfctinfo;
                return NF_ACCEPT;
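Review bot: the fix copies reasm->nfctinfo next to the existing reasm->nfct assignment, so a fragment now carries the reassembled packet's conntrack state instead of the zero that happens to equal IP_CT_ESTABLISHED; the hunk shows only this one `return NF_ACCEPT` path in ipv6_conntrack_in, so confirm there is no other place in the function that assigns `(*pskb)->nfct = reasm->nfct` without the companion `(*pskb)->nfctinfo = reasm->nfctinfo`, or the same misclassification survives there. Note also that the file header names linux-2.6.18.noarch while the message speaks of the stable tree, i.e. this is a backport, and the hunk only corrects the state attached to fragments; it does not add IPv6 conntrack where the module is not built or loaded.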

Perhaps Thomas can confirm if this is indeed a complete fix for the described problem, but please also 
try out the latest beta kernels and report back with testing results.
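To make the commit message concrete, here is an added C model of the reassembly path before and after the one-line fix. It is not code from the kernel, from the patch, or from this bug report: struct sk_buff, struct nf_conn, attach_ct_buggy/attach_ct_fixed and run_ruleset are toy stand-ins whose names merely echo the kernel's. The only kernel fact it relies on is that IP_CT_ESTABLISHED is 0 in enum ip_conntrack_info, which is what lets a zeroed nfctinfo read as "established".

```c
/*
 * Added illustration (not kernel code): why an uncopied nfctinfo makes IPv6
 * fragments look ESTABLISHED, and how copying it alongside nfct fixes that.
 * Struct and function names echo the kernel's but are toy stand-ins.
 */
#include <stdio.h>
#include <string.h>

/* Mirrors the kernel's enum ip_conntrack_info: ESTABLISHED is 0, so a
 * zero-initialised field silently reads as "established". */
enum ip_conntrack_info {
    IP_CT_ESTABLISHED = 0,
    IP_CT_RELATED,
    IP_CT_NEW,
};

enum nf_verdict { NF_DROP = 0, NF_ACCEPT = 1 };

struct nf_conn { unsigned int id; };   /* stand-in for a conntrack entry */

struct sk_buff {                       /* only the fields this model needs */
    struct nf_conn *nfct;
    enum ip_conntrack_info nfctinfo;
};

/* Pre-patch reassembly path: only the conntrack reference is propagated. */
static void attach_ct_buggy(struct sk_buff *frag, const struct sk_buff *reasm)
{
    frag->nfct = reasm->nfct;
    /* frag->nfctinfo keeps its zero initialisation == IP_CT_ESTABLISHED */
}

/* Post-patch reassembly path: the state travels with the reference. */
static void attach_ct_fixed(struct sk_buff *frag, const struct sk_buff *reasm)
{
    frag->nfct = reasm->nfct;
    frag->nfctinfo = reasm->nfctinfo;
}

/* Ruleset shape from the commit message: accept ESTABLISHED early, then fall
 * through to a final DROP (the policy in Comment 2 has the same shape). */
static enum nf_verdict run_ruleset(const struct sk_buff *skb)
{
    if (skb->nfct != NULL && skb->nfctinfo == IP_CT_ESTABLISHED)
        return NF_ACCEPT;          /* -m state --state ESTABLISHED -j ACCEPT */
    /* ... protocol-specific ACCEPT rules would sit here ... */
    return NF_DROP;                /* -j DROP */
}

/*
 * Verdict for one fragment of a packet that conntrack classified as `state`
 * (e.g. IP_CT_NEW for an unsolicited SYN). `fixed` selects the code path.
 */
enum nf_verdict fragment_verdict(enum ip_conntrack_info state, int fixed)
{
    struct nf_conn ct = { .id = 1 };
    struct sk_buff reasm = { .nfct = &ct, .nfctinfo = state };
    struct sk_buff frag;

    memset(&frag, 0, sizeof frag);     /* freshly allocated skb: all zero */
    if (fixed)
        attach_ct_fixed(&frag, &reasm);
    else
        attach_ct_buggy(&frag, &reasm);
    return run_ruleset(&frag);
}

int main(void)
{
    printf("NEW fragment, pre-patch : %s\n",
           fragment_verdict(IP_CT_NEW, 0) == NF_ACCEPT ? "ACCEPT (bypass)" : "DROP");
    printf("NEW fragment, post-patch: %s\n",
           fragment_verdict(IP_CT_NEW, 1) == NF_ACCEPT ? "ACCEPT" : "DROP");
    printf("ESTABLISHED fragment, post-patch: %s\n",
           fragment_verdict(IP_CT_ESTABLISHED, 1) == NF_ACCEPT ? "ACCEPT" : "DROP");
    return 0;
}
```

The model shows the asymmetry the commit message describes: before the fix every fragment, whatever conntrack decided about the whole packet, takes the early ESTABLISHED branch; after it, only fragments of a genuinely established flow do.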


Comment 2 Peter Bieringer 2007-09-02 16:02:34 UTC
Are you sure that such a minor patch enables IPv6 connection tracking in kernel
series 2.6.18? I wouldn't believe this and would assume that the whole change
in connection tracking code made between 2.6.18 and 2.6.20 (switch to xtables)
is necessary to support this.

See here on RHEL5:

# ls /lib/modules/2.6.18-8.1.8.el5/kernel/net/ipv6/netfilter/
ip6_queue.ko        ip6_tables.ko  ip6t_frag.ko  ip6t_ipv6header.ko  ip6t_rt.ko
ip6table_filter.ko  ip6t_ah.ko     ip6t_hbh.ko   ip6t_LOG.ko
ip6table_mangle.ko  ip6t_dst.ko    ip6t_hl.ko    ip6t_owner.ko
ip6table_raw.ko     ip6t_eui64.ko  ip6t_HL.ko    ip6t_REJECT.ko

And compare this with F7:
$ ls /lib/modules/
ip6_queue.ko        ip6t_ah.ko     ip6t_HL.ko          ip6t_REJECT.ko
ip6table_filter.ko  ip6t_eui64.ko  ip6t_ipv6header.ko  ip6t_rt.ko
ip6table_mangle.ko  ip6t_frag.ko   ip6t_LOG.ko         nf_conntrack_ipv6.ko
ip6table_raw.ko     ip6t_hbh.ko    ip6t_mh.ko
ip6_tables.ko       ip6t_hl.ko     ip6t_owner.ko

At least the module nf_conntrack_ipv6 is missing.

A short test shows that while you can specify -m state --state ESTABLISHED in
ip6tables, this won't work in 2.6.18. Test for yourself with the following policy:

# ip6tables -vnL
Chain INPUT (policy ACCEPT 5 packets, 584 bytes)
 pkts bytes target     prot opt in     out     source               destination
   16  1792 ACCEPT     icmpv6    *      *       ::/0                 ::/0      
    0     0 ACCEPT     all      *      *       ::/0                 ::/0       
       state RELATED 
    0     0 ACCEPT     all      *      *       ::/0                 ::/0       
       state ESTABLISHED 
   10 10062 ACCEPT     tcp      *      *       ::/0                 ::/0       
       tcp spt:80 
   25  2304 LOG        all      *      *       ::/0                 ::/0       
       LOG flags 0 level 4 
   25  2304 DROP       all      *      *       ::/0                 ::/0       

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 57 packets, 4620 bytes)
 pkts bytes target     prot opt in     out     source               destination
# ip6tables -vnL

Try to connect to an IPv6 only web server, e.g. www.ipv6.bieringer.de on port
80. You will see that the connection tracking rules will not match.

Comment 3 Jarod Wilson 2007-09-12 16:24:52 UTC
I haven't a clue if it was a complete fix, that's why I'm assigning the bug over
to Thomas. :)

Comment 4 Thomas Graf 2007-09-13 08:39:07 UTC
I just asked Patrick McHardy sitting right next to me. Full connection
tracking for IPv6 has been merged in 2.6.15 but you have to use nfconntrack.

Comment 5 Peter Bieringer 2007-09-15 21:27:22 UTC
Hmmm, I did not find an option in the current RHEL5 kernel source to enable
connection tracking for IPv6 (for IPv4 it exists).
Also, as the tests in https://bugzilla.redhat.com/show_bug.cgi?id=232933#c2 show,
IPv6 connection tracking is not working.

AFAIR, connection tracking for IPv6 was planned for 2.6.15 (perhaps some pieces
of code were already put in), but support was delayed until xtables were
introduced in 2.6.20, where it is known to work.

So my status is that 2.6.18 without a backport of the 2.6.20 xtables will still
miss a working IPv6 connection tracking.

Comment 6 Thomas Graf 2008-06-14 10:20:29 UTC
Sorry for the delay.

I checked again and IPv6 conntracking is included in RHEL5 but not enabled in
the config because the feature is still experimental. Unfortunately, backporting
xtables is not possible as such a patch would include countless kABI violations. 

A workaround would be to compile a new kernel on your own and enable
NF_CONNTRACK_IPV6 at your own risk.

Comment 9 Thomas Graf 2010-08-24 08:08:37 UTC
*** Bug 577419 has been marked as a duplicate of this bug. ***

Comment 11 Phillip Smith 2013-04-22 03:42:05 UTC
Connection tracking has been completely removed now?

~ # ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
ip6tables v1.3.5: Couldn't load match `conntrack':/lib64/iptables/libip6t_conntrack.so: cannot open shared object file: No such file or directory

Try `ip6tables -h' or 'ip6tables --help' for more information.
