Bug 295181 - ip6tables configures the wrong IPv6 REJECT packet types
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: iptables
Version: 8
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Thomas Woerner
QA Contact: Fedora Extras Quality Assurance
URL: https://lists.netfilter.org/pipermail...
Reported: 2007-09-18 13:35 EDT by Peter Riley
Modified: 2007-11-30 17:12 EST (History)
Doc Type: Bug Fix
Last Closed: 2007-09-24 12:10:58 EDT
Attachments
Updates old ip6t_REJECT.h header in iptables package to newer one from kernel-headers package. (584 bytes, patch)
2007-09-18 13:35 EDT, Peter Riley


External Trackers
Red Hat Bugzilla 253014
Description Peter Riley 2007-09-18 13:35:14 EDT
Hello!

I am cloning Bug #253014 (filed against RHEL5) for Fedora 8 Test2, which is 
also affected and where it will hopefully receive some attention.  This bug 
actually affects RHEL5 and all versions of Fedora since FC5.  The attached 
patch has already been applied last month in upstream svn by the netfilter 
team, but the bug still affects iptables-1.3.8 which F8 is releasing.

Basically there is an old, incompatible header file for the IPv6 REJECT target 
in iptables-1.3.8.
It causes this problem (among others) with ip6tables:

###############################################################################

# ip6tables -I INPUT 1 -i lo -p tcp --dport 22 -j REJECT --reject-with tcp-reset
# ip6tables -nxvL INPUT | head -3
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
  pkts    bytes target   prot opt in   out  source   destination
     0        0 REJECT   tcp      lo   *    ::/0     ::/0    tcp dpt:22 reject-with tcp-reset

# ssh -6 ::1
ssh: connect to host ::1 port 22: Connection refused

# tcpdump -i lo -t -nn -s0 ip6  ### on separate xterm
listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
IP6 ::1.56371 > ::1.22: S 25897503:25897503(0) win 32752 <mss 16376,sackOK,timestamp 3441643437 0,nop,wscale 7>
IP6 ::1 > ::1: ICMP6, destination unreachable, unreachable port, ::1 tcp port 22, length 88

###############################################################################

So the ip6tables firewall is clearly configured to respond with **tcp-reset**, 
but the actual packet sent is as if it were **icmp6-port-unreachable**.  There 
are other inconsistencies as well.


This misbehavior can be traced to conflicting enumerations of constants in 
different header files from iptables vs the kernel-headers:


iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_REJECT.h
---------------------------------------------------------
#ifndef _IP6T_REJECT_H
#define _IP6T_REJECT_H

enum ip6t_reject_with {
	IP6T_ICMP6_NO_ROUTE,
	IP6T_ICMP6_ADM_PROHIBITED,
	IP6T_ICMP6_ADDR_UNREACH,
	IP6T_ICMP6_PORT_UNREACH,
	IP6T_TCP_RESET
};

struct ip6t_reject_info {
	enum ip6t_reject_with with;      /* reject type */
};

#endif /*_IP6T_REJECT_H*/



linux-2.6.18/include/linux/netfilter_ipv6/ip6t_REJECT.h
-------------------------------------------------------
#ifndef _IP6T_REJECT_H
#define _IP6T_REJECT_H

enum ip6t_reject_with {
	IP6T_ICMP6_NO_ROUTE,
	IP6T_ICMP6_ADM_PROHIBITED,
	IP6T_ICMP6_NOT_NEIGHBOUR,
	IP6T_ICMP6_ADDR_UNREACH,
	IP6T_ICMP6_PORT_UNREACH,
	IP6T_ICMP6_ECHOREPLY,
	IP6T_TCP_RESET
};

struct ip6t_reject_info {
	u_int32_t	with;	/* reject type */
};

#endif /*_IP6T_REJECT_H*/


The attached patch merely updates the old ip6t_REJECT.h header file in the 
iptables package to the newer one from the kernel-headers package. I tested on 
RHEL5 that it does indeed fix this bug for me when building iptables under 
rpmbuild with the spec file that Red Hat/Fedora uses.  (The bug only appears 
when building the way Red Hat/Fedora do under rpmbuild with KERNEL_DIR=/usr.  
It doesn't appear when building against the actual kernel sources, as the 
netfilter docs direct.)


RHEL5 Bug #253014 has some more details:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253014

Netfilter upstream thread report and resolution is here:
https://lists.netfilter.org/pipermail/netfilter-devel/2007-August/029077.html
https://lists.netfilter.org/pipermail/netfilter-devel/2007-August/029122.html

Upstream svn:
http://svn.netfilter.org/cgi-bin/viewcvs.cgi/trunk/iptables/include/linux/netfilter_ipv6/ip6t_REJECT.h?rev=7009&view=log


Best Regards!
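The following program is an added illustration, not code from the bug report or from the iptables or kernel sources. It places the two enumerations quoted above side by side (with OLD_ and KERN_ prefixes added here so both can live in one file; the real headers both use the IP6T_ prefix), copies the rule value across the userspace/kernel boundary the way the bare u_int32_t field in the kernel header does, and reports which reject type the kernel module would act on for each value ip6tables-1.3.8 can store. The ip6tables keywords in kern_name() are the ones the REJECT target accepts; the two kernel-only codes have no keyword in ip6tables-1.3.8 and are labelled by their enum symbol. count_mismatches() is the kind of check a packager could run against a freshly built iptables to catch a header that has drifted from the kernel's.

```c
#include <stdio.h>
#include <string.h>

/* Constants from iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_REJECT.h:
 * the number ip6tables writes into the rule. OLD_ prefix added for this
 * example only. */
enum old_ip6t_reject_with {
    OLD_IP6T_ICMP6_NO_ROUTE,
    OLD_IP6T_ICMP6_ADM_PROHIBITED,
    OLD_IP6T_ICMP6_ADDR_UNREACH,
    OLD_IP6T_ICMP6_PORT_UNREACH,
    OLD_IP6T_TCP_RESET
};

/* Constants from linux-2.6.18/include/linux/netfilter_ipv6/ip6t_REJECT.h:
 * the meaning the kernel's REJECT module gives to that number. KERN_ prefix
 * added for this example only. */
enum kern_ip6t_reject_with {
    KERN_IP6T_ICMP6_NO_ROUTE,
    KERN_IP6T_ICMP6_ADM_PROHIBITED,
    KERN_IP6T_ICMP6_NOT_NEIGHBOUR,
    KERN_IP6T_ICMP6_ADDR_UNREACH,
    KERN_IP6T_ICMP6_PORT_UNREACH,
    KERN_IP6T_ICMP6_ECHOREPLY,
    KERN_IP6T_TCP_RESET
};

/* Kernel-side view of the rule data: a bare 32-bit number (u_int32_t with
 * in the 2.6.18 header), so nothing type-checks the value across the
 * userspace/kernel boundary. */
struct kern_ip6t_reject_info {
    unsigned int with;
};

/* Fill the rule as ip6tables-1.3.8 does, then read it back as the kernel
 * does. No translation happens: the raw number is simply reinterpreted. */
static enum kern_ip6t_reject_with kernel_interprets(enum old_ip6t_reject_with userspace)
{
    struct kern_ip6t_reject_info rule;
    rule.with = (unsigned int)userspace;
    return (enum kern_ip6t_reject_with)rule.with;
}

/* Label for what the kernel module will actually send. */
static const char *kern_name(enum kern_ip6t_reject_with with)
{
    switch (with) {
    case KERN_IP6T_ICMP6_NO_ROUTE:       return "icmp6-no-route";
    case KERN_IP6T_ICMP6_ADM_PROHIBITED: return "icmp6-adm-prohibited";
    case KERN_IP6T_ICMP6_NOT_NEIGHBOUR:  return "IP6T_ICMP6_NOT_NEIGHBOUR";
    case KERN_IP6T_ICMP6_ADDR_UNREACH:   return "icmp6-addr-unreachable";
    case KERN_IP6T_ICMP6_PORT_UNREACH:   return "icmp6-port-unreachable";
    case KERN_IP6T_ICMP6_ECHOREPLY:      return "IP6T_ICMP6_ECHOREPLY";
    case KERN_IP6T_TCP_RESET:            return "tcp-reset";
    }
    return "unknown";
}

/* Compare the value each header assigns to every name they share and return
 * how many disagree. A build whose header matches the kernel returns 0. */
static int count_mismatches(void)
{
    static const struct { const char *name; int old, kern; } pairs[] = {
        { "IP6T_ICMP6_NO_ROUTE",       OLD_IP6T_ICMP6_NO_ROUTE,       KERN_IP6T_ICMP6_NO_ROUTE },
        { "IP6T_ICMP6_ADM_PROHIBITED", OLD_IP6T_ICMP6_ADM_PROHIBITED, KERN_IP6T_ICMP6_ADM_PROHIBITED },
        { "IP6T_ICMP6_ADDR_UNREACH",   OLD_IP6T_ICMP6_ADDR_UNREACH,   KERN_IP6T_ICMP6_ADDR_UNREACH },
        { "IP6T_ICMP6_PORT_UNREACH",   OLD_IP6T_ICMP6_PORT_UNREACH,   KERN_IP6T_ICMP6_PORT_UNREACH },
        { "IP6T_TCP_RESET",            OLD_IP6T_TCP_RESET,            KERN_IP6T_TCP_RESET },
    };
    int i, mismatches = 0;
    for (i = 0; i < (int)(sizeof pairs / sizeof pairs[0]); i++) {
        if (pairs[i].old != pairs[i].kern) {
            printf("%-28s userspace=%d kernel=%d\n",
                   pairs[i].name, pairs[i].old, pairs[i].kern);
            mismatches++;
        }
    }
    return mismatches;
}

int main(void)
{
    enum old_ip6t_reject_with rule = OLD_IP6T_TCP_RESET;
    printf("--reject-with tcp-reset stores %d; kernel sends %s\n",
           (int)rule, kern_name(kernel_interprets(rule)));
    printf("%d of 5 shared names disagree\n", count_mismatches());
    return 0;
}
```

Run as written it reproduces the symptom from the description: the value ip6tables-1.3.8 stores for tcp-reset (4) is IP6T_ICMP6_PORT_UNREACH in the kernel's numbering, so the reply on the wire is an ICMPv6 port-unreachable. The same shift turns addr-unreach into the kernel's NOT_NEIGHBOUR code and port-unreach into addr-unreach, which are the "other inconsistencies" the report mentions; only no-route and adm-prohibited, which precede the inserted IP6T_ICMP6_NOT_NEIGHBOUR, survive intact.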
Comment 1 Peter Riley 2007-09-18 13:35:14 EDT
Created attachment 198641 [details]
Updates old ip6t_REJECT.h header in iptables package to newer one from kernel-headers package.
Comment 2 Thomas Woerner 2007-09-24 12:10:58 EDT
Fixed in rawhide in package iptables-1.3.8-4 or newer.