Hello! I am cloning Bug #253014 (filed against RHEL5) for Fedora 8 Test2, which is also affected and where it will hopefully receive some attention. This bug actually affects RHEL5 and all versions of Fedora since FC5. The attached patch was already applied last month in upstream svn by the netfilter team, but the bug still affects iptables-1.3.8, which F8 is releasing. Basically there is an old, incompatible header file for the IPv6 REJECT target in iptables-1.3.8. It causes this problem (among others) with ip6tables:

###############################################################################
# ip6tables -I INPUT 1 -i lo -p tcp --dport 22 -j REJECT --reject-with tcp-reset
# ip6tables -nxvL INPUT | head -3
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 REJECT     tcp      lo     *       ::/0                 ::/0                 tcp dpt:22 reject-with tcp-reset
# ssh -6 ::1
ssh: connect to host ::1 port 22: Connection refused
# tcpdump -i lo -t -nn -s0 ip6     ### on separate xterm
listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
IP6 ::1.56371 > ::1.22: S 25897503:25897503(0) win 32752 <mss 16376,sackOK,timestamp 3441643437 0,nop,wscale 7>
IP6 ::1 > ::1: ICMP6, destination unreachable, unreachable port, ::1 tcp port 22, length 88
###############################################################################

So the ip6tables firewall is clearly configured to respond with **tcp-reset**, but the actual packet sent is as if it were **icmp6-port-unreachable**. There are other inconsistencies as well.
This misbehavior can be traced to conflicting enumerations of constants in different header files from iptables vs the kernel-headers:

iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_REJECT.h
---------------------------------------------------------
#ifndef _IP6T_REJECT_H
#define _IP6T_REJECT_H

enum ip6t_reject_with {
	IP6T_ICMP6_NO_ROUTE,
	IP6T_ICMP6_ADM_PROHIBITED,
	IP6T_ICMP6_ADDR_UNREACH,
	IP6T_ICMP6_PORT_UNREACH,
	IP6T_TCP_RESET
};

struct ip6t_reject_info {
	enum ip6t_reject_with with;	/* reject type */
};

#endif /*_IP6T_REJECT_H*/

linux-2.6.18/include/linux/netfilter_ipv6/ip6t_REJECT.h
-------------------------------------------------------
#ifndef _IP6T_REJECT_H
#define _IP6T_REJECT_H

enum ip6t_reject_with {
	IP6T_ICMP6_NO_ROUTE,
	IP6T_ICMP6_ADM_PROHIBITED,
	IP6T_ICMP6_NOT_NEIGHBOUR,
	IP6T_ICMP6_ADDR_UNREACH,
	IP6T_ICMP6_PORT_UNREACH,
	IP6T_ICMP6_ECHOREPLY,
	IP6T_TCP_RESET
};

struct ip6t_reject_info {
	u_int32_t with;	/* reject type */
};

#endif /*_IP6T_REJECT_H*/

The attached patch merely updates the old ip6t_REJECT.h header file in the iptables package to the newer one from the kernel-headers package. I tested on RHEL5 that it does indeed fix this bug for me when building iptables under rpmbuild with the spec file that Red Hat/Fedora uses. (The bug only appears when building the way Red Hat/Fedora do under rpmbuild with KERNEL_DIR=/usr. It doesn't appear when building against the actual kernel sources, as the netfilter docs direct.)
RHEL5 Bug #253014 has some more details:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253014

Netfilter upstream thread report and resolution are here:
https://lists.netfilter.org/pipermail/netfilter-devel/2007-August/029077.html
https://lists.netfilter.org/pipermail/netfilter-devel/2007-August/029122.html

Upstream svn:
http://svn.netfilter.org/cgi-bin/viewcvs.cgi/trunk/iptables/include/linux/netfilter_ipv6/ip6t_REJECT.h?rev=7009&view=log

Best Regards!
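The mechanism behind the report above, as an added example that is not part of the bug report or of the iptables/netfilter sources: both copies of ip6t_REJECT.h are reproduced with old_/new_ prefixes (the real headers both name the enum ip6t_reject_with), and a byte copy stands in for the kernel receiving the target's data blob from the rule. The reject-type names and the "unknown" result for an out-of-range value are this example's own labels, not strings from the kernel. It covers every value of the old enum, not only the tcp-reset case the tcpdump capture shows.

```c
/* Added example: why a rule built against the stale iptables-1.3.8
 * ip6t_REJECT.h is decoded as a different reject type by a 2.6.18 kernel.
 * The enum/struct names are prefixed old_/new_ so both headers fit in one
 * file; the originals both use ip6t_reject_with / ip6t_reject_info. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_REJECT.h (stale copy) */
enum old_ip6t_reject_with {
	OLD_IP6T_ICMP6_NO_ROUTE,
	OLD_IP6T_ICMP6_ADM_PROHIBITED,
	OLD_IP6T_ICMP6_ADDR_UNREACH,
	OLD_IP6T_ICMP6_PORT_UNREACH,
	OLD_IP6T_TCP_RESET
};
struct old_ip6t_reject_info { enum old_ip6t_reject_with with; };

/* linux-2.6.18/include/linux/netfilter_ipv6/ip6t_REJECT.h (what the kernel uses) */
enum new_ip6t_reject_with {
	NEW_IP6T_ICMP6_NO_ROUTE,
	NEW_IP6T_ICMP6_ADM_PROHIBITED,
	NEW_IP6T_ICMP6_NOT_NEIGHBOUR,
	NEW_IP6T_ICMP6_ADDR_UNREACH,
	NEW_IP6T_ICMP6_PORT_UNREACH,
	NEW_IP6T_ICMP6_ECHOREPLY,
	NEW_IP6T_TCP_RESET
};
struct new_ip6t_reject_info { uint32_t with; };

/* Labels for the kernel's enum, in kernel order. These names are chosen
 * for this example; an index past the table is reported as "unknown". */
static const char *kernel_decode(uint32_t with)
{
	static const char *const names[] = {
		"icmp6-no-route", "icmp6-adm-prohibited", "icmp6-not-neighbour",
		"icmp6-addr-unreachable", "icmp6-port-unreachable",
		"icmp6-echo-reply", "tcp-reset",
	};
	if (with >= sizeof names / sizeof names[0])
		return "unknown";
	return names[with];
}

/* The kernel never sees the userspace enum, only the bytes of the target
 * data at the struct's offset. Model that with a raw copy into the
 * kernel's view of the struct. Because an enum and a u_int32_t are both
 * 4 bytes on the usual ABIs, the sizes agree and nothing flags the mismatch. */
static const char *what_kernel_sends(const void *blob, size_t len)
{
	struct new_ip6t_reject_info kinfo;
	if (len != sizeof kinfo)
		return "size-mismatch";
	memcpy(&kinfo, blob, sizeof kinfo);
	return kernel_decode(kinfo.with);
}

/* What the kernel emits for a rule written by an ip6tables built against
 * the stale header (the Fedora/RHEL5 rpmbuild with KERNEL_DIR=/usr). */
const char *stale_build_sends(enum old_ip6t_reject_with with)
{
	struct old_ip6t_reject_info u = { with };
	return what_kernel_sends(&u, sizeof u);
}

/* Same rule from an ip6tables rebuilt with the kernel's header (the patch). */
const char *patched_build_sends(enum new_ip6t_reject_with with)
{
	struct new_ip6t_reject_info u = { with };
	return what_kernel_sends(&u, sizeof u);
}

int main(void)
{
	printf("stale header:   --reject-with tcp-reset -> kernel sends %s\n",
	       stale_build_sends(OLD_IP6T_TCP_RESET));
	printf("stale header:   --reject-with icmp6-port-unreachable -> kernel sends %s\n",
	       stale_build_sends(OLD_IP6T_ICMP6_PORT_UNREACH));
	printf("patched header: --reject-with tcp-reset -> kernel sends %s\n",
	       patched_build_sends(NEW_IP6T_TCP_RESET));
	return 0;
}
```

Every old value from IP6T_ICMP6_ADDR_UNREACH upward lands one slot too low in the kernel's enum, which is the "other inconsistencies" the report mentions; only the first two types, which precede the inserted IP6T_ICMP6_NOT_NEIGHBOUR, survive unchanged.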
Created attachment 198641 [details] Updates old ip6t_REJECT.h header in iptables package to newer one from kernel-headers package.
Fixed in rawhide in package iptables-1.3.8-4 or newer.