Bug 806017 - conntrack thinks that ICMPv6 Echo reply to ICMPv6 Echo request sent to IPv6 multicast address is INVALID
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: firewalld (Show other bugs)
Version: 17
Hardware: x86_64 Linux
Priority: unspecified Severity: medium
Assigned To: Thomas Woerner
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened
Reported: 2012-03-22 13:15 EDT by Jiri Popelka
Modified: 2014-12-03 09:30 EST (History)
Fixed In Version: firewalld-0.2.5-1.fc17
Doc Type: Bug Fix
Last Closed: 2012-04-24 00:26:01 EDT
Attachments (Terms of Use)
Packet dump from machine A where you can see step (3) and (4). (742 bytes, application/octet-stream)
2012-03-22 13:16 EDT, Jiri Popelka
Description Jiri Popelka 2012-03-22 13:15:31 EDT
1) I have two virtual machines with interfaces on the same link:
A) fe80::5054:ff:fe09:e0b9/64
B) fe80::5054:ff:fe80:d951/64

2) I set up IPv6 packet filter on A with ip6tables:
# ip6tables -F
# ip6tables -A INPUT -m conntrack --ctstate INVALID -j REJECT --reject-with icmp6-adm-prohibited
# ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
# ip6tables -A INPUT -j REJECT --reject-with icmp6-adm-prohibited

3) ping6 B from A:
# ping6 -I eth2 fe80::5054:ff:fe80:d951
PING fe80::5054:ff:fe80:d951(fe80::5054:ff:fe80:d951) from fe80::5054:ff:fe09:e0b9 eth2: 56 data bytes
64 bytes from fe80::5054:ff:fe80:d951: icmp_seq=1 ttl=64 time=0.265 ms
<OK>

4) ping6 'all nodes' from A:
# ping6 -I eth2 ff02::1
PING ff02::1(ff02::1) from fe80::5054:ff:fe09:e0b9 eth2: 56 data bytes
<reply is rejected>

5) remove the first line from ip6tables
# ip6tables -D INPUT 1

6) ping6 'all nodes' from A:
# ping6 -I eth2 ff02::1
PING ff02::1(ff02::1) from fe80::5054:ff:fe09:e0b9 eth2: 56 data bytes
64 bytes from fe80::5054:ff:fe09:e0b9: icmp_seq=1 ttl=64 time=0.072 ms
64 bytes from fe80::5054:ff:fe80:d951: icmp_seq=1 ttl=64 time=0.318 ms (DUP!)
<OK>
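To show why the reply in step 4 lands on the INVALID rule while the reply in step 3 does not, here is an added toy model (not code from the report or from firewalld) of how conntrack pairs an ICMPv6 echo reply with its request by the reversed (src, dst, id) tuple. The addresses are the two link-local ones from the report; the ICMP identifier values and the ruleset walk are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address

ECHO_REQUEST, ECHO_REPLY = 128, 129  # ICMPv6 type numbers
# Link-local addresses of machines A and B from the report
A, B, ALL_NODES = "fe80::5054:ff:fe09:e0b9", "fe80::5054:ff:fe80:d951", "ff02::1"

@dataclass(frozen=True)
class Icmp6Echo:
    src: str
    dst: str
    icmp_type: int
    ident: int  # ICMP identifier; values below are constructed

class ToyConntrack:
    """Model of conntrack's ICMPv6 echo tracking: a request records its
    (src, dst, id) tuple; a reply is ESTABLISHED only if reversing its own
    tuple hits a recorded request, otherwise it is INVALID."""
    def __init__(self):
        self.originals = set()

    def ctstate(self, pkt):
        key = (ip_address(pkt.src), ip_address(pkt.dst), pkt.ident)
        if pkt.icmp_type == ECHO_REQUEST:
            self.originals.add(key)
            return "NEW"
        if pkt.icmp_type == ECHO_REPLY:
            # A reply to ff02::1 comes from B's unicast address, so the
            # reversed tuple is (A, B, id), which was never recorded.
            reversed_key = (ip_address(pkt.dst), ip_address(pkt.src), pkt.ident)
            return "ESTABLISHED" if reversed_key in self.originals else "INVALID"
        return "INVALID"

def input_chain(state, reject_invalid=True):
    """Walks the INPUT chain from step 2; reject_invalid=False models the
    firewalld fix, which dropped the --ctstate INVALID rule entirely."""
    if reject_invalid and state == "INVALID":
        return "REJECT"  # rule 1: icmp6-adm-prohibited
    return "ACCEPT"      # rule 2: every packet modelled here is ICMPv6

def reproduce():
    """Verdict on the echo reply for each scenario in the report."""
    ct = ToyConntrack()
    ct.ctstate(Icmp6Echo(A, B, ECHO_REQUEST, 0x1234))          # step 3
    unicast = ct.ctstate(Icmp6Echo(B, A, ECHO_REPLY, 0x1234))
    ct.ctstate(Icmp6Echo(A, ALL_NODES, ECHO_REQUEST, 0x1235))  # step 4
    multicast = ct.ctstate(Icmp6Echo(B, A, ECHO_REPLY, 0x1235))
    return {"unicast_reply": input_chain(unicast),
            "multicast_reply": input_chain(multicast),
            "multicast_reply_after_fix": input_chain(multicast, False)}
```

The reply to the multicast request stays INVALID from conntrack's point of view even after the fix; what changes is that the ruleset no longer rejects on that state before the ICMPv6 accept rule is reached.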
Comment 1 Jiri Popelka 2012-03-22 13:16:36 EDT
Created attachment 572041 [details]
Packet dump from machine A where you can see step (3) and (4).
Comment 2 Jiri Popelka 2012-03-22 13:18:10 EDT
The packet dump is from machine B.
Comment 3 Dave Jones 2012-03-22 17:18:15 EDT
can you post this to netdev@vger.kernel.org ? Interacting directly with the networking maintainers is probably going to get this fixed a lot faster than me acting as middle-man.
Comment 4 Jiri Popelka 2012-03-23 14:05:53 EDT
I reported this to netfilter AT vger.kernel.org a couple of hours ago but still don't see it on http://www.spinics.net/lists/netfilter/.

Anyway we can close this as UPSTREAM I think.
Comment 5 Thomas Woerner 2012-03-26 13:53:17 EDT
Reopening against firewalld
Comment 6 Thomas Woerner 2012-03-26 13:53:46 EDT
Fixed upstream in commit:

commit f03c76eff658d65392905c357b4af694bbcad07a
Author: Thomas Woerner <twoerner@redhat.com>
Date:   Mon Mar 26 19:51:12 2012 +0200

    Removed conntrack --ctstate INVALID check from default ruleset, because it
    results in ICMP problems (RHBZ#806017).
    Added conntrack --ctstate NEW matches to all settings for zones.
    
    * src/firewall/core/fw_zone.py
    - added conntrack --ctstate NEW match
    * src/firewall/core/ipXtables.py
    - removed conntrack --ctstate INVALID check from default rules
Comment 7 Fedora Update System 2012-04-20 15:54:13 EDT
firewalld-0.2.5-1.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/firewalld-0.2.5-1.fc17
Comment 8 Fedora Update System 2012-04-21 17:04:02 EDT
Package firewalld-0.2.5-1.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing firewalld-0.2.5-1.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-6323/firewalld-0.2.5-1.fc17
then log in and leave karma (feedback).
Comment 9 Fedora Update System 2012-04-24 00:26:01 EDT
firewalld-0.2.5-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Jiri Popelka 2014-12-03 09:30:57 EST
(In reply to Jiri Popelka from comment #4)
> I reported this to netfilter AT vger.kernel.org

For record:
http://marc.info/?l=netfilter&m=133252802204019&w=2
