http://bugzilla.opensuse.org/show_bug.cgi?id=916956
Marius Tomaschewski changed:
What     |Removed                                   |Added
----------------------------------------------------------------------------
Assignee |kernel-maintainers@forge.provo.novell.com |meissner@suse.com
--- Comment #12 from Marius Tomaschewski ---
The problem is the time between SuSEfirewall2_init and SuSEfirewall2.
SuSEfirewall2_init does not permit the RAs (ipv6-icmptype 134)....
# systemctl start SuSEfirewall2_init
# ip6tables -L -nv
Chain INPUT (policy DROP 3 packets, 200 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all lo * ::/0 ::/0
0 0 ACCEPT all * * ::/0 ::/0 ctstate ESTABLISHED
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ctstate RELATED
0 0 ACCEPT udp * * ::/0 ::/0 udp dpt:546

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 2 packets, 144 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all * lo ::/0 ::/0

Chain reject_func (0 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp * * ::/0 ::/0 reject-with tcp-reset
0 0 REJECT udp * * ::/0 ::/0 reject-with icmp6-port-unreachable
0 0 REJECT all * * ::/0 ::/0 reject-with icmp6-addr-unreachable
0 0 DROP all * * ::/0 ::/0

# systemctl start SuSEfirewall2
# ip6tables -L input_ext -nv
Chain input_ext (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 128
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 133
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 134
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 135
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 136
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 137
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 130
0 0 LOG tcp * * ::/0 ::/0 limit: avg 3/min burst 5 tcp dpt:22 flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INext-ACC-TCP "
0 0 ACCEPT tcp * * ::/0 ::/0 tcp dpt:22
0 0 LOG tcp * * ::/0 ::/0 limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INext-DROP-DEFLT "
0 0 LOG icmpv6 * * ::/0 ::/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix "SFW2-INext-DROP-DEFLT "
0 0 LOG udp * * ::/0 ::/0 limit: avg 3/min burst 5 ctstate NEW LOG flags 6 level 4 prefix "SFW2-INext-DROP-DEFLT "
0 0 DROP all * * ::/0 ::/0
Marcus, idea how we can fix this? I'd permit icmpv6 in "init" state.
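Added example, not part of the original comment or of SuSEfirewall2: a first-match evaluation of `ip6tables -L -nv` output that reports what a chain does with an unsolicited Router Advertisement (ipv6-icmptype 134). The two sample listings are constructed from rules shown in the comment with wrapped lines rejoined; the interface name `eth0`, the empty `opt` column and the handling of `ctstate` are assumptions.

```python
import re

RA_TYPE = 134  # Router Advertisement, the ICMPv6 type named in the comment
# Constructed samples: rules copied from the two listings, wrapped lines rejoined.
INIT = """\
Chain INPUT (policy DROP 3 packets, 200 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all lo * ::/0 ::/0
0 0 ACCEPT all * * ::/0 ::/0 ctstate ESTABLISHED
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ctstate RELATED
0 0 ACCEPT udp * * ::/0 ::/0 udp dpt:546
"""
FULL = """\
Chain input_ext (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 128
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 134
0 0 DROP all * * ::/0 ::/0
"""

def parse_chain(listing, chain):
    """Return (policy, rules) for one chain of `ip6tables -L -nv` output."""
    policy, rules, active = None, [], False
    for line in listing.splitlines():
        head = re.match(r"Chain (\S+) \((?:policy (\w+))?", line)
        if head:
            active = head.group(1) == chain
            policy = head.group(2) if active else policy
            continue
        f = line.split()
        # Assumption: the opt column is empty, as in the listings on this page.
        if active and len(f) >= 8 and f[0] != "pkts":
            rules.append((f[2], f[3], f[4], " ".join(f[8:])))
    return policy, rules

def ra_verdict(listing, chain="INPUT", iface="eth0"):
    """First-match verdict for an unsolicited RA arriving on iface."""
    policy, rules = parse_chain(listing, chain)
    for target, prot, in_if, match in rules:
        if (target not in ("ACCEPT", "DROP", "REJECT")  # LOG does not end traversal
                or prot not in ("all", "icmpv6") or in_if not in ("*", iface)):
            continue
        states = re.search(r"ctstate (\S+)", match)
        # Assumption: an unsolicited RA is neither ESTABLISHED nor RELATED.
        if states and set(states.group(1).split(",")) <= {"ESTABLISHED", "RELATED"}:
            continue
        icmp = re.search(r"ipv6-icmptype (\d+)", match)
        if icmp is None or int(icmp.group(1)) == RA_TYPE:
            return target
    return policy  # None for a user chain: traversal returns to the caller
```

`ra_verdict(INIT)` falls through to the chain policy, while `ra_verdict(FULL, "input_ext")` stops at the type 134 rule, which is the window between the two units that the comment describes.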