Description of problem: Shipped kernel does not support IPv6 connection tracking in netfilter. Version-Release number of selected component (if applicable): kernel-2.6.18-8.1.1.el5 Expected results: RHEL5 would be shipped with IPv6 connection tracking in netfilter. Additional info: Have I wait another 18 months to get a Enterprise Linux version which finally supports IPv6 connection tracking or would there be a backport from 2.6.20 available in an acceptable timeframe?
I believe we've taken in a patch to address this issue in rhel5.1. The 5.1 beta kernels contain the following: ----- Fixes IPv6 fragments bypass issue in the conntracking code. The patch has been merged into the stable tree already. Please ACK. commit 868f0120e0f93d070ea7f3e969c09dbab8ad7bc7 Author: Patrick McHardy <kaber> nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED [NETFILTER]: nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED The individual fragments of a packet reassembled by conntrack have the conntrack reference from the reassembled packet attached, but nfctinfo is not copied. This leaves it initialized to 0, which unfortunately is the value of IP_CT_ESTABLISHED. The result is that all IPv6 fragments are tracked as ESTABLISHED, allowing them to bypass a usual ruleset which accepts ESTABLISHED packets early. Signed-off-by: Patrick McHardy <kaber> Signed-off-by: Greg Kroah-Hartman <gregkh> Index: linux-2.6.18.noarch/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c =============================================================== ==== --- linux-2.6.18.noarch.orig/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c 2006-09-20 05:42:06.000000000 +0200 +++ linux-2.6.18.noarch/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c 2007-05-02 22:26:11.000000000 +0200 @@ -264,6 +264,7 @@ static unsigned int ipv6_conntrack_in(un } nf_conntrack_get(reasm->nfct); (*pskb)->nfct = reasm->nfct; + (*pskb)->nfctinfo = reasm->nfctinfo; return NF_ACCEPT; } ----- Perhaps Thomas can confirm if this is indeed a complete fix for the described problem, but please also try out the latest beta kernels and report back with testing results. http://people.redhat.com/dzickus/el5/
Are you sure that such minor patch enables IPv6 connection tracking in kernel series 2.6.18? I wouldn't believe this and would assume, that the whole change in connection tracking code made between 2.6.18 and 2.6.20 (switch to xtables) is necessary to support this. See here on RHEL5: # ls /lib/modules/2.6.18-8.1.8.el5/kernel/net/ipv6/netfilter/ ip6_queue.ko ip6_tables.ko ip6t_frag.ko ip6t_ipv6header.ko ip6t_rt.ko ip6table_filter.ko ip6t_ah.ko ip6t_hbh.ko ip6t_LOG.ko ip6table_mangle.ko ip6t_dst.ko ip6t_hl.ko ip6t_owner.ko ip6table_raw.ko ip6t_eui64.ko ip6t_HL.ko ip6t_REJECT.ko And compare this with F7: $ ls /lib/modules/2.6.22.4-65.fc7/kernel/net/ipv6/netfilter/ ip6_queue.ko ip6t_ah.ko ip6t_HL.ko ip6t_REJECT.ko ip6table_filter.ko ip6t_eui64.ko ip6t_ipv6header.ko ip6t_rt.ko ip6table_mangle.ko ip6t_frag.ko ip6t_LOG.ko nf_conntrack_ipv6.ko ip6table_raw.ko ip6t_hbh.ko ip6t_mh.ko ip6_tables.ko ip6t_hl.ko ip6t_owner.ko At least the module nf_conntrack_ipv6 is missing. A short test shows, while you can specify -m state --state ESTABLISHED in ip6tables, this won't work in 2.6.18. Test for yourself with following policy: # ip6tables -vnL Chain INPUT (policy ACCEPT 5 packets, 584 bytes) pkts bytes target prot opt in out source destination 16 1792 ACCEPT icmpv6 * * ::/0 ::/0 0 0 ACCEPT all * * ::/0 ::/0 state RELATED 0 0 ACCEPT all * * ::/0 ::/0 state ESTABLISHED 10 10062 ACCEPT tcp * * ::/0 ::/0 tcp spt:80 25 2304 LOG all * * ::/0 ::/0 LOG flags 0 level 4 25 2304 DROP all * * ::/0 ::/0 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 57 packets, 4620 bytes) pkts bytes target prot opt in out source destination # ip6tables -vnL Try to connect to an IPv6 only web server, e.g. www.ipv6.bieringer.de on port 80. You will see that the connection tracking rules will not match.
I haven't a clue if it was a complete fix, that's why I'm assigning the bug over to Thomas. :)
I just asked Patrick McHardy sitting right next to me. Full connection tracking for IPv6 has been merged in 2.6.15 but you have to use nfconntrack.
Hmmm, I did not found an option in current RHEL5 kernel source to enable connection tracking for IPv6 (for IPv4 it exists). Also as tests shown in https://bugzilla.redhat.com/show_bug.cgi?id=232933#c2, IPv6 connection tracking is not working. Afair, connection tracking for IPv6 was planned for 2.6.15 (perhaps some pieces of code were alreay put in), but support was delayed until xtables were introduced in 2.6.20, where it is known to work. So my status is that 2.6.18 without a backport of the 2.6.20 xtables will still miss a working IPv6 connection tracking.
Sorry for the delay. I checked again and IPv6 conntracking is included in RHEL5 but not enabled in the config because the feature is still experimental. Unfortunately, backporting xtables is not possible as such a patch would include countless kABI violations. A workaround would be to compile a new kernel on your own and enable NF_CONNTRACK_IPV6 at your own risk.
*** Bug 577419 has been marked as a duplicate of this bug. ***
Connection tracking has been completely removed now? ~ # ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT ip6tables v1.3.5: Couldn't load match `conntrack':/lib64/iptables/libip6t_conntrack.so: cannot open shared object file: No such file or directory Try `ip6tables -h' or 'ip6tables --help' for more information.