What | Removed | Added |
---|---|---|
Assignee | kernel-maintainers@forge.provo.novell.com | meissner@suse.com |
The problem is the time between SuSEfirewall2_init and SuSEfirewall2. SuSEfirewall2_init does not permit the RAs (ipv6-icmptype 134)....

```
# systemctl start SuSEfirewall2_init
# ip6tables -L -nv
Chain INPUT (policy DROP 3 packets, 200 bytes)
 pkts bytes target     prot   opt in     out     source     destination
    0     0 ACCEPT     all        lo     *       ::/0       ::/0
    0     0 ACCEPT     all        *      *       ::/0       ::/0       ctstate ESTABLISHED
    0     0 ACCEPT     icmpv6     *      *       ::/0       ::/0       ctstate RELATED
    0     0 ACCEPT     udp        *      *       ::/0       ::/0       udp dpt:546

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot   opt in     out     source     destination

Chain OUTPUT (policy ACCEPT 2 packets, 144 bytes)
 pkts bytes target     prot   opt in     out     source     destination
    0     0 ACCEPT     all        *      lo      ::/0       ::/0

Chain reject_func (0 references)
 pkts bytes target     prot   opt in     out     source     destination
    0     0 REJECT     tcp        *      *       ::/0       ::/0       reject-with tcp-reset
    0     0 REJECT     udp        *      *       ::/0       ::/0       reject-with icmp6-port-unreachable
    0     0 REJECT     all        *      *       ::/0       ::/0       reject-with icmp6-addr-unreachable
    0     0 DROP       all        *      *       ::/0       ::/0

# systemctl start SuSEfirewall2
# ip6tables -L input_ext -nv
Chain input_ext (1 references)
 pkts bytes target     prot   opt in     out     source     destination
    0     0 ACCEPT     icmpv6     *      *       ::/0       ::/0       ipv6-icmptype 128
    0     0 ACCEPT     icmpv6     *      *       ::/0       ::/0       ipv6-icmptype 133
    0     0 ACCEPT     icmpv6     *      *       ::/0       ::/0       ipv6-icmptype 134
    0     0 ACCEPT     icmpv6     *      *       ::/0       ::/0       ipv6-icmptype 135
    0     0 ACCEPT     icmpv6     *      *       ::/0       ::/0       ipv6-icmptype 136
    0     0 ACCEPT     icmpv6     *      *       ::/0       ::/0       ipv6-icmptype 137
    0     0 ACCEPT     icmpv6     *      *       ::/0       ::/0       ipv6-icmptype 130
    0     0 LOG        tcp        *      *       ::/0       ::/0       limit: avg 3/min burst 5 tcp dpt:22 flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INext-ACC-TCP "
    0     0 ACCEPT     tcp        *      *       ::/0       ::/0       tcp dpt:22
    0     0 LOG        tcp        *      *       ::/0       ::/0       limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INext-DROP-DEFLT "
    0     0 LOG        icmpv6     *      *       ::/0       ::/0       limit: avg 3/min burst 5 LOG flags 6 level 4 prefix "SFW2-INext-DROP-DEFLT "
    0     0 LOG        udp        *      *       ::/0       ::/0       limit: avg 3/min burst 5 ctstate NEW LOG flags 6 level 4 prefix "SFW2-INext-DROP-DEFLT "
    0     0 DROP       all        *      *       ::/0       ::/0
```

Marcus, idea how we can fix this? I'd permit icmpv6 in "init" state.