Marius Tomaschewski changed bug 916956
What     | Removed                                   | Added
Assignee | kernel-maintainers@forge.provo.novell.com | meissner@suse.com

Comment # 12 on bug 916956 from
The problem is the time between SuSEfirewall2_init and SuSEfirewall2.
SuSEfirewall2_init does not permit the RAs (ipv6-icmptype 134)....

# systemctl start SuSEfirewall2_init
# ip6tables -L -nv
Chain INPUT (policy DROP 3 packets, 200 bytes)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 ACCEPT     all      lo     *       ::/0                 ::/0        
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                 ctstate ESTABLISHED
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ctstate RELATED
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                 udp dpt:546

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain OUTPUT (policy ACCEPT 2 packets, 144 bytes)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 ACCEPT     all      *      lo      ::/0                 ::/0        

Chain reject_func (0 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 REJECT     tcp      *      *       ::/0                 ::/0                 reject-with tcp-reset
    0     0 REJECT     udp      *      *       ::/0                 ::/0                 reject-with icmp6-port-unreachable
    0     0 REJECT     all      *      *       ::/0                 ::/0                 reject-with icmp6-addr-unreachable
    0     0 DROP       all      *      *       ::/0                 ::/0        
# systemctl start SuSEfirewall2
# ip6tables -L input_ext -nv
Chain input_ext (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 128
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 133
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 134
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 135
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 136
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 137
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 130
    0     0 LOG        tcp      *      *       ::/0                 ::/0                 limit: avg 3/min burst 5 tcp dpt:22 flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INext-ACC-TCP "
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:22
    0     0 LOG        tcp      *      *       ::/0                 ::/0                 limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INext-DROP-DEFLT "
    0     0 LOG        icmpv6    *      *       ::/0                 ::/0                 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix "SFW2-INext-DROP-DEFLT "
    0     0 LOG        udp      *      *       ::/0                 ::/0                 limit: avg 3/min burst 5 ctstate NEW LOG flags 6 level 4 prefix "SFW2-INext-DROP-DEFLT "
    0     0 DROP       all      *      *       ::/0                 ::/0        


Marcus, idea how we can fix this? I'd permit icmpv6 in "init" state.
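
A check for the gap described in the comment above, added here as an example and not part of the bug report or of SuSEfirewall2: it reads `ip6tables -L -nv` output and reports the verdict one chain gives an unsolicited Router Advertisement (ICMPv6 type 134). The function name `ra_verdict`, the interface name `eth0`, and the treatment of ctstate-restricted rules as non-matching are assumptions.

```shell
#!/bin/sh
# Added example (not SuSEfirewall2 code). Reads `ip6tables -L -nv` text on stdin
# and prints the verdict one chain gives an unsolicited Router Advertisement
# (ICMPv6 type 134) arriving on interface IFACE.
# Assumptions: column layout as on this page (empty "opt" column), one rule per
# line, jumps to other chains are not followed, and any ctstate-restricted rule
# is treated as not matching an unsolicited RA.
ra_verdict() {  # usage: ra_verdict CHAIN IFACE < listing
  awk -v chain="$1" -v ifc="$2" '
    $1 == "Chain" {
      in_chain = ($2 == chain)
      if (in_chain && $3 == "(policy") policy = $4
      next
    }
    !in_chain || $1 !~ /^[0-9]+[KMG]?$/ { next }     # keep rule lines only
    {
      extra = ""
      for (i = 9; i <= NF; i++) extra = extra " " $i
      if ($5 != "*" && $5 != ifc) next               # bound to another interface
      if ($4 != "all" && $4 != "icmpv6") next        # other protocol
      if (extra ~ /ctstate/) next                    # state-restricted rule
      if (extra ~ /ipv6-icmptype/ && extra !~ /ipv6-icmptype 134( |$)/) next
      if ($3 ~ /^(ACCEPT|DROP|REJECT)$/) { verdict = $3; exit }
    }                                                # LOG does not terminate
    END { print (verdict ? verdict : (policy ? policy : "RETURN")) }
  '
}

# Constructed samples: rules from the two listings on this page, with wrapped
# lines re-joined and columns compacted.
INIT_RULES='Chain INPUT (policy DROP 3 packets, 200 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT all    lo * ::/0 ::/0
    0     0 ACCEPT all    *  * ::/0 ::/0 ctstate ESTABLISHED
    0     0 ACCEPT icmpv6 *  * ::/0 ::/0 ctstate RELATED
    0     0 ACCEPT udp    *  * ::/0 ::/0 udp dpt:546'
FULL_RULES='Chain input_ext (1 references)
    0     0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 128
    0     0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 133
    0     0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 134
    0     0 DROP   all    * * ::/0 ::/0'

printf '%s\n' "$INIT_RULES" | ra_verdict INPUT eth0       # init-only state
printf '%s\n' "$FULL_RULES" | ra_verdict input_ext eth0   # full rule set
```

On a live system the same function can be fed `ip6tables -L INPUT -nv` right after `SuSEfirewall2_init` starts, to confirm whether a change to the init rule set closes the window.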

