[Bug 715169] New: redundant ipv6-related iptables rules generated by SuSEfirewall2 in debug mode
https://bugzilla.novell.com/show_bug.cgi?id=715169
https://bugzilla.novell.com/show_bug.cgi?id=715169#c0

Summary: redundant ipv6-related iptables rules generated by SuSEfirewall2 in debug mode
Classification: openSUSE
Product: openSUSE 11.4
Version: Final
Platform: All
OS/Version: openSUSE 11.4
Status: NEW
Severity: Minor
Priority: P5 - None
Component: Network
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: avn@avnsite.com
QAContact: qa@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.2.20) Gecko/20110803 Firefox/3.6.20 ( .NET CLR 3.5.30729; .NET4.0E)

Possible workaround:

--- SuSEfirewall2	2011-08-31 11:06:20.420001302 +0400
+++ SuSEfirewall2	2011-08-31 11:12:44.604001319 +0400
@@ -310,7 +310,7 @@
 IP6TABLES="ip6tables"
 ip6tables()
 {
-echo ip6tables "$@"
+[ "$IP6TABLES" != ":" ] && echo ip6tables "$@"
 }
 TC="tc"
 tc()
@@ -321,6 +321,12 @@
 {
 echo modprobe "$@"
 }
+### ipv6 checks
+case "$FW_IPv6" in
+drop|reject) IP6TABLES_HAVE_STATE=0 ;;
+no) IP6TABLES=":" ;;
+*) FW_IPv6="" ;;
+esac
 else
 IPTABLES="$IPTABLES_BIN"
 IP6TABLES="$IP6TABLES_BIN"

Reproducible: Always

Steps to Reproduce:
1. Set FW_IPv6="no" in /etc/sysconfig/SuSEfirewall2
2. Run /sbin/SuSEfirewall2 debug

Actual Results:
# ./SuSEfirewall2 debug | grep v6
SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
SuSEfirewall2: Firewall customary rules loaded from /etc/sysconfig/scripts/SuSEfirewall2-custom
ip6tables -A INPUT -j ACCEPT -p icmpv6 -m conntrack --ctstate RELATED
ip6tables -A input_ext -j ACCEPT -p icmpv6 --icmpv6-type echo-request
ip6tables -A input_bridge -j ACCEPT -p icmpv6 --icmpv6-type echo-request
ip6tables -A input_ext -j ACCEPT -p icmpv6 --icmpv6-type router-solicitation
ip6tables -A input_bridge -j ACCEPT -p icmpv6 --icmpv6-type router-solicitation
ip6tables -A input_ext -j ACCEPT -p icmpv6 --icmpv6-type router-advertisement
ip6tables -A input_bridge -j ACCEPT -p icmpv6 --icmpv6-type router-advertisement
ip6tables -A input_ext -j ACCEPT -p icmpv6 --icmpv6-type neighbour-solicitation
ip6tables -A input_bridge -j ACCEPT -p icmpv6 --icmpv6-type neighbour-solicitation
ip6tables -A input_ext -j ACCEPT -p icmpv6 --icmpv6-type neighbour-advertisement
ip6tables -A input_bridge -j ACCEPT -p icmpv6 --icmpv6-type neighbour-advertisement
ip6tables -A input_ext -j ACCEPT -p icmpv6 --icmpv6-type redirect
ip6tables -A input_bridge -j ACCEPT -p icmpv6 --icmpv6-type redirect
ip6tables -A OUTPUT -j ACCEPT -p icmpv6
ip6tables -A forward_int -j ACCEPT -m conntrack --ctstate NEW -p icmpv6 --icmpv6-type echo-request -o eth1
ip6tables -A forward_ext -j ACCEPT -m conntrack --ctstate ESTABLISHED -p icmpv6 --icmpv6-type echo-reply
ip6tables -A forward_int -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED -p icmpv6 --icmpv6-type echo-reply
ip6tables -A forward_int -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED -p icmpv6 --icmpv6-type destination-unreachable
ip6tables -A forward_int -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED -p icmpv6 --icmpv6-type packet-too-big
ip6tables -A forward_int -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED -p icmpv6 --icmpv6-type time-exceeded
ip6tables -A forward_int -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED -p icmpv6 --icmpv6-type parameter-problem
ip6tables -A forward_ext -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED -p icmpv6 --icmpv6-type echo-reply
ip6tables -A forward_ext -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED -p icmpv6 --icmpv6-type destination-unreachable
ip6tables -A forward_ext -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED -p icmpv6 --icmpv6-type packet-too-big
ip6tables -A forward_ext -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED -p icmpv6 --icmpv6-type time-exceeded
ip6tables -A forward_ext -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED -p icmpv6 --icmpv6-type parameter-problem
ip6tables -A input_ext -m limit --limit 3/minute -j LOG --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT -p icmpv6
ip6tables -A input_bridge -m limit --limit 3/minute -j LOG --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INbridge-DROP-DEFLT -p icmpv6
ip6tables -A forward_int -m limit --limit 3/minute -j LOG --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT -p icmpv6
ip6tables -A forward_ext -m limit --limit 3/minute -j LOG --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT -p icmpv6
SuSEfirewall2: Firewall rules successfully set

Expected Results:
no ipv6-related rules

/sbin/SuSEfirewall2 also generates redundant rules for many cases. Probably we need to introduce at least two new parameters in /etc/sysconfig/SuSEfirewall2.
For example:

FW_TRUSTED_ZONES="int"      # default value
FW_MASQ_ZONES="int ext"     # default value

Purpose is obvious. This is important for Snort-related installations especially. The second one has a simple workaround using /etc/sysconfig/scripts/SuSEfirewall2-custom :

fw_custom_after_chain_creation()
{
    forward_zones="int ext"
}
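Review bot: the "&&" form in the first hunk (+ [ "$IP6TABLES" != ":" ] && echo ip6tables "$@") makes the debug stub return exit status 1 every time it suppresses a call, because the status of the list is the status of the failed test; any caller that checks the return value of ip6tables, or a set -e context, would then see each skipped rule as a failure. An if statement returns 0 when its condition is false and nothing runs, so the stub should read: if [ "$IP6TABLES" != ":" ]; then echo ip6tables "$@"; fi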
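Review bot: the case statement in the second hunk accepts any FW_IPv6 value other than drop, reject or no and rewrites it to the empty string (*) FW_IPv6="" ;;), so a typo such as FW_IPv6="No" is silently turned into the default setting instead of being reported as a configuration error; match yes|"" explicitly and warn on anything else. The block is also placed only inside the debug branch, directly before the else that assigns IP6TABLES="$IP6TABLES_BIN", so whatever the non-debug path does for FW_IPv6 has to be kept in sync by hand; hoisting the ipv6 checks to after the if/else so both modes share one copy would avoid that drift.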