Bug 244729 - ipv6 connection tracking is not used (but available) by lokkit
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: system-config-securitylevel
Version: 7
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Thomas Woerner
QA Contact: Ben Levenson
Reported: 2007-06-18 15:38 EDT by Peter Bieringer
Modified: 2007-11-30 17:12 EST
Fixed In Version: 1.7.0-5.fc7
Doc Type: Bug Fix
Last Closed: 2007-08-02 22:42:12 EDT
Description Peter Bieringer 2007-06-18 15:38:08 EDT
Description of problem:
While iptables implicitly loads the IPv4 connection tracking module (reason:
IPTABLES_MODULES="ip_conntrack_netbios_ns" in /etc/sysconfig/iptables-config),
ip6tables has no extra connection tracking modules configured and therefore the
connection tracking (available since 2.6.21) isn't used. That's bad and can be
easily fixed.

Version-Release number of selected component (if applicable):
iptables-ipv6-1.3.7-2

How reproducible:
Always

Steps to Reproduce:
1. let system-config-firewall create the default ruleset
2. start ip6tables
  
Actual results:
No IPv6 connection tracking module is loaded.

Expected results:
IPv6 connection tracking module is loaded.

Additional info:

Easy workaround:

Put IPv6 connection tracking module into module load list:
File: /etc/sysconfig/ip6tables-config
- IP6TABLES_MODULES=""
+ IP6TABLES_MODULES="nf_conntrack_ipv6"
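Review bot: the added `IP6TABLES_MODULES="nf_conntrack_ipv6"` line only matters while the ip6tables ruleset contains no rule that uses connection tracking; as soon as a rule with `-m state` is loaded the kernel pulls in nf_conntrack_ipv6 by itself (Comment 2 below says the same), so this module-list change should be paired with the stateful ruleset rather than relied on alone. Since the line is a kernel-version requirement in disguise (2.6.21 or later, as the FC6 note says), that requirement belongs in a comment next to it in ip6tables-config.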

This can be backported to FC6 with kernel >= 2.6.21 as requirement

BTW: one should also fix lokkit to produce a proper ruleset, at least for
F7, e.g. the following one:

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d ff02::fb -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT

With this change, the IPv6 connection tracking module is loaded automatically now.

See also https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214117
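As an added example (not from this bug report and not code from system-config-securitylevel): a small POSIX sh lint that checks an ip6tables-save style ruleset, such as /etc/sysconfig/ip6tables, for the points raised above: that a stateful ESTABLISHED,RELATED accept rule exists (which is what makes the kernel load the IPv6 conntrack module on its own), that the ruleset ends in a catch-all REJECT/DROP, and that no IPv4-only ICMP tokens were carried over from an iptables file. SAMPLE_GOOD is the ruleset quoted in the report; SAMPLE_BAD is a constructed IPv4-style file; the function names and the conntrack_module_loaded live check are my own additions.

```shell
#!/bin/sh
# Added example (not from the bug report): lint an ip6tables ruleset in
# ip6tables-save format for the properties discussed in bug 244729, and
# offer a live check of the IPv6 connection tracking module.

# Constructed sample: the proper ruleset quoted in the bug description.
SAMPLE_GOOD='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT'

# Constructed sample: an IPv4 ruleset copied into the ip6tables file as-is.
SAMPLE_BAD='*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Emit the ruleset text one rule per line.
rules() { printf '%s\n' "$1"; }

# True if any rule uses the state/conntrack match. Loading such a rule is
# what makes the kernel autoload nf_conntrack_ipv6 (see Comment 2), so an
# IP6TABLES_MODULES entry is not needed when this holds.
uses_state_tracking() {
    rules "$1" | grep -Eq -e '-m (state|conntrack) '
}

# True if return traffic of established connections is accepted statefully.
accepts_established() {
    rules "$1" | grep -Eq -e '--state [A-Z,]*ESTABLISHED[A-Z,]* -j ACCEPT'
}

# True if the last rule in the file is a catch-all REJECT or DROP.
final_rule_rejects() {
    rules "$1" | grep -e '^-A ' | tail -n 1 | grep -Eq -e '-j (REJECT|DROP)'
}

# True if IPv4-only ICMP tokens appear: "-p icmp" never matches IPv6
# traffic and "icmp-*" reject types are not valid for ip6tables.
has_ipv4_only_tokens() {
    rules "$1" | grep -Eq -e '(-p icmp |--reject-with icmp-)'
}

# lint_ruleset RULESET: report findings on stderr, print their count on stdout.
lint_ruleset() {
    problems=0
    if ! accepts_established "$1"; then
        echo 'no ESTABLISHED,RELATED accept rule: connection tracking is never used' >&2
        problems=$((problems + 1))
    fi
    if ! final_rule_rejects "$1"; then
        echo 'last rule is not a catch-all REJECT/DROP' >&2
        problems=$((problems + 1))
    fi
    if has_ipv4_only_tokens "$1"; then
        echo 'IPv4-only ICMP tokens found in an IPv6 ruleset' >&2
        problems=$((problems + 1))
    fi
    echo "$problems"
}

# Live-system check (needs /proc, not used by the offline samples): is the
# IPv6 conntrack module loaded? It is nf_conntrack_ipv6 on the 2.6.21-era
# kernels in this bug and was merged into nf_conntrack in kernel 4.19.
conntrack_module_loaded() {
    grep -Eq -e '^(nf_conntrack_ipv6|nf_conntrack) ' /proc/modules 2>/dev/null
}

# Usage: sh lint-ip6tables.sh /etc/sysconfig/ip6tables
if [ "$#" -ge 1 ] && [ -r "$1" ]; then
    lint_ruleset "$(cat "$1")"
fi
```

Run it against the real file after changing the ruleset; a count of 0 plus a true conntrack_module_loaded after the first connection has been seen is the state the report asks for.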
Comment 1 Peter Bieringer 2007-07-16 05:46:41 EDT
"lokkit" in system-config-securitylevel is generating the improper ruleset.
Comment 2 Thomas Woerner 2007-08-02 05:21:35 EDT
There is no need to load the nf_conntrack_ipv6 module by hand; it is done
automatically as soon as the functionality is used.

There will be a new version of system-config-securitylevel which generates
proper IPv6 firewall rules.
Comment 3 Fedora Update System 2007-08-02 22:42:00 EDT
system-config-securitylevel-1.7.0-5.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.