Bug 552099 - system-config-firewall has no simple mechanism to enable IPv6 DHCPv6 client
system-config-firewall has no simple mechanism to enable IPv6 DHCPv6 client
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: system-config-firewall (Show other bugs)
14
All Linux
low Severity medium
: ---
: ---
Assigned To: Thomas Woerner
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-01-03 21:13 EST by Frank Crawford
Modified: 2013-01-13 08:39 EST (History)
10 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-08-16 17:15:42 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Frank Crawford 2010-01-03 21:13:00 EST
Description of problem:
If IPv6 DHCPv6 client is enabled on a system with ip6tables configured via system-config-firewall, the necessary ports are blocked and there is no easy mechanism to open them.  Unlike DHCP for IPv4, DHCP for IPv6 uses normal UDP traffic over standard ports (546/udp).

Version-Release number of selected component (if applicable):
system-config-firewall-1.2.21-1.fc12.noarch
iptables-ipv6-1.4.5-1.fc12.i686
dhclient-4.1.0p1-13.fc12.i686

How reproducible:
100%

Steps to Reproduce:
1. Setup IPv6 IPTables (ip6tables) via system-config-firewall as a default workstation.
2. Start dhclient -6 -v
3. Optionally run tcpdump ip6 to observer traffic
  
Actual results:
dhclient sends requests, and responses are sent by the DHCPv6 server, but no responses are received.

Expected results:
dhclient should receive a valid DHCPv6 response either as an address or other information.

Additional info:
If the IPv6 tables rules are flushed and the policy is to accept all traffic, it works fine, similarly if the following rule is manually added into the system:
-A RH-Firewall-1-INPUT -p udp -m udp --sport 547 --dport 546 -d fe80::/10 -j ACC
EPT 
-A RH-Firewall-1-INPUT -p tcp -m tcp --sport 547 --dport 546 -d fe80::/10 -j ACC
EPT 
it also works (note, I'm not sure they are the best rules, they just work).
Comment 1 Bug Zapper 2010-11-03 21:55:31 EDT
This message is a reminder that Fedora 12 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 12.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '12'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 12's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 12 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 2 Frank Crawford 2010-11-21 05:10:01 EST
Still can't see anyway in the Fedora 14 to setup the firewall with system-config-firewall to accept DHCPv6 data.
Comment 3 Pavel Šimerda (pavlix) 2011-06-09 12:33:08 EDT
I'm using Fedora 15 and I have just tested it at a conference Internet and Technology 2011 in Prague (starting at IPv6 day, BTW).

They had an experimental network with RA, stateless autoconfiguration of addresses, but DHCPv6 configuration of DNS.

The DNS part failed with NetworkManager (IPv6 set to Automatic, IPv4 set to Disabled). NetworkManager called dhclient, dhclient sent DHCPv6 Information Request and tcpdump showed the host got DHCPv6 reply from the server.

But dhclient asked again and again, until it gives up.
Comment 4 Queria Sa-Tas 2011-09-27 06:42:25 EDT
I run into this after clean (my first) installation of Fedora (15, XFCE).
After installation and setup of apache (which i enabled in firewall in xfce main menu - administration - firewall) i moved to setup dhclient for ipv6.

I have RA+DHCPv6 on my router.
I tried NM applet in xfce to enable ipv6 but no luck.
So i switched to console and i got to the same point as mentioned in this bug.

Evidence:
- Router is :f859 bellow
- Host with F15 is :41d8

dhclient -d -6 wlan0 at fedora tries to solicit ipv6 with "no answer from router"
--------------------------------------------------------------------------
# dhclient -d -6 wlan0
Internet Systems Consortium DHCP Client 4.2.1-P1
Copyright 2004-2011 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Bound to *:546
Listening on Socket/wlan0
Sending on   Socket/wlan0
PRC: Soliciting for leases (INIT).
XMT: Forming Solicit, 0 ms elapsed.
XMT:  X-- IA_NA a5:a9:41:d8
XMT:  | X-- Request renew in  +3600
XMT:  | X-- Request rebind in +5400
XMT: Solicit on wlan0, interval 1080ms.
XMT: Forming Solicit, 1080 ms elapsed.
XMT:  X-- IA_NA a5:a9:41:d8
XMT:  | X-- Request renew in  +3600
XMT:  | X-- Request rebind in +5400
XMT: Solicit on wlan0, interval 2170ms.
... and so on
--------------------------------------------------------------------------

tcpdump on router revealed this (foreign packets removed):
--------------------------------------------------------------------------
12:12:04.547901 IP6 fe80::214:a5ff:fea9:41d8 > fe80::200:21ff:fe5c:f859: ICMP6, neighbor solicitation, who has fe80::200:21ff:fe5c:f859, length 32
12:12:04.547918 IP6 fe80::200:21ff:fe5c:f859 > fe80::214:a5ff:fea9:41d8: ICMP6, neighbor advertisement, tgt is fe80::200:21ff:fe5c:f859, length 24
12:12:05.442119 IP6 fe80::214:a5ff:fea9:41d8 > fe80::200:21ff:fe5c:f859: ICMP6, destination unreachable,  unreachable prohibited fe80::214:a5ff:fea9:41d8, length 140
12:12:06.523644 IP6 fe80::214:a5ff:fea9:41d8 > fe80::200:21ff:fe5c:f859: ICMP6, destination unreachable,  unreachable prohibited fe80::214:a5ff:fea9:41d8, length 140
12:12:07.487287 IP6 fe80::200:21ff:fe5c:f859 > ff02::1:ff4e:d277: ICMP6, neighbor solicitation, who has fe80::222:fcff:fe4e:d277, length 32
12:12:07.536033 IP6 fe80::222:fcff:fe4e:d277 > fe80::200:21ff:fe5c:f859: ICMP6, neighbor advertisement, tgt is fe80::222:fcff:fe4e:d277, length 32
12:12:08.695056 IP6 fe80::214:a5ff:fea9:41d8 > fe80::200:21ff:fe5c:f859: ICMP6, destination unreachable,  unreachable prohibited fe80::214:a5ff:fea9:41d8, length 140
12:12:08.959189 IP6 fe80::200:21ff:fe5c:f859 > ff02::1: ICMP6, router advertisement, length 56
--------------------------------------------------------------------------

and finally ip6tables on fedora client shows:
--------------------------------------------------------------------------
# ip6tables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     all      *      *       ::/0                 ::/0                state RELATED,ESTABLISHED 
2      231 22120 ACCEPT     icmpv6    *      *       ::/0                 ::/0                
3        0     0 ACCEPT     all      lo     *       ::/0                 ::/0                
4        0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                state NEW tcp dpt:22 
5        0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                state NEW tcp dpt:80 
6        5   660 REJECT     all      *      *       ::/0                 ::/0                reject-with icmp6-adm-prohibited 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 REJECT     all      *      *       ::/0                 ::/0                reject-with icmp6-adm-prohibited 

Chain OUTPUT (policy ACCEPT 12 packets, 1544 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
--------------------------------------------------------------------------

So i think there should be default rule allowing dhcp configuration of ipv6 or at least optional way to enable it using firewall gui(...) tools?
Maybe (if it is possible) such rule should be enabled if NM is configured to use ipv6 (from dhcp).
Or at least it should be mentioned anywhere/somewhere else then just in this bugreport.
Comment 5 Pavel Šimerda (pavlix) 2011-12-23 18:29:15 EST
Related: bug 591630
Comment 6 Fedora End Of Life 2012-08-16 17:15:44 EDT
This message is a notice that Fedora 14 is now at end of life. Fedora 
has stopped maintaining and issuing updates for Fedora 14. It is 
Fedora's policy to close all bug reports from releases that are no 
longer maintained.  At this time, all open bugs with a Fedora 'version'
of '14' have been closed as WONTFIX.

(Please note: Our normal process is to give advanced warning of this 
occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, feel free to reopen 
this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we were unable to fix it before Fedora 14 reached end of life. If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora, you are encouraged to click on 
"Clone This Bug" (top right of this page) and open it against that 
version of Fedora.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Note You need to log in before you can comment on or make changes to this bug.