https://bugzilla.novell.com/show_bug.cgi?id=887850

https://bugzilla.novell.com/show_bug.cgi?id=887850#c0

           Summary: susefirewall2 / ip6tables not configured properly to allow inbound dhcpv6 replies
    Classification: openSUSE
           Product: openSUSE 12.3
           Version: Final
          Platform: i686
        OS/Version: openSUSE 12.3
            Status: NEW
          Severity: Major
          Priority: P5 - None
         Component: Network
        AssignedTo: bnc-team-screening@forge.provo.novell.com
        ReportedBy: abittner@abittner.de
         QAContact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:30.0) Gecko/20100101 Firefox/30.0

susefirewall2 / ip6tables not configured properly to allow inbound dhcpv6 replies

Having some dhcp-based inet provider (e.g. cable inet) that recently does ipv6 via dhcpv6 at certain locations, only to find out that opensuse (susefirewall2) apparently simply doesn't care for dhcpv6 offer/reply packets and doesn't accept them, doesn't receive them, filters/drops them.

Was browsing around on the net on how other distros do this and if or when they solved these ipv6 things, found redhat/fedora:

<https://bugzilla.redhat.com/show_bug.cgi?id=591630>
Bug 591630 - DHCPv6 responses are not allowed by default ip6tables ruleset

<https://en.wikipedia.org/wiki/DHCPv6#Example>

Experimenting a bit with opensuse 12.3/x86 and adding this line:

ip6tables -I INPUT -m udp -p udp --dport 546 --sport 547 -s fe80::/64 -d fe80::/64 -j ACCEPT

makes dhclient show at least proper ipv6 related outputs, or disabling susefirewall2 completely also achieves the same results.

# ip6tables -I INPUT -m udp -p udp --dport 546 --sport 547 -s fe80::/64 -d fe80::/64 -j ACCEPT
# dhclient -6 eth0 -v
Internet Systems Consortium DHCP Client 4.2.5-P1
Copyright 2004-2013 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Bound to *:546
Listening on Socket/eth0
Sending on Socket/eth0
PRC: Soliciting for leases (INIT).
XMT: Forming Solicit, 0 ms elapsed.
XMT: X-- IA_NA 26:01:24:01
XMT: | X-- Request renew in +3600
XMT: | X-- Request rebind in +5400
XMT: Solicit on eth0, interval 1060ms.
RCV: Advertise message on eth0 from fe80::1.
RCV: X-- Server ID: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
message status code NoAddrsAvail: "No addresses available on Link 'cmts-1"
PRC: Lease failed to satisfy.
RCV: Advertise message on eth0 from fe80::1.
RCV: X-- Server ID: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
message status code NoAddrsAvail: "No addresses available on Link 'cmts-1"
PRC: Lease failed to satisfy.
^C

If the rule is not present or deleted again then the output is as follows:

# ip6tables -D INPUT -m udp -p udp --dport 546 --sport 547 -s fe80::/64 -d fe80::/64 -j ACCEPT
# dhclient -6 eth0 -v
Internet Systems Consortium DHCP Client 4.2.5-P1
Copyright 2004-2013 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Bound to *:546
Listening on Socket/eth0
Sending on Socket/eth0
PRC: Soliciting for leases (INIT).
XMT: Forming Solicit, 0 ms elapsed.
XMT: X-- IA_NA 26:01:24:01
XMT: | X-- Request renew in +3600
XMT: | X-- Request rebind in +5400
XMT: Solicit on eth0, interval 1010ms.
XMT: Forming Solicit, 1010 ms elapsed.
XMT: X-- IA_NA 26:01:24:01
XMT: | X-- Request renew in +3600
XMT: | X-- Request rebind in +5400
XMT: Solicit on eth0, interval 2010ms.
^C

Please fix these elementary things about ipv6 with dhcpv6 replies.

In contrast, having configured eth0 as ext device with susefirewall2/yast2, dhcpv4 works just fine on this ext=eth0 device, so why isn't dhcpv6 being treated the same way?

Thanks for fixing and enhancing this.

Reproducible: Always

Steps to Reproduce:
1.
2.
3.
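
Added example, not part of the original report and not SuSEfirewall2 code: a small first-match evaluator that checks whether a saved ip6tables ruleset would let the DHCPv6 reply described above (UDP 547 -> 546 from fe80::1) through INPUT. The two rulesets and the client address are constructed, and it assumes a flat INPUT chain using only -i, -p, -s, -d, --sport, --dport and -j (no negation, no jumps to user chains).

```python
import ipaddress
import shlex

# Constructed ip6tables-save style samples (not taken from a real SuSEfirewall2 host).
WITHOUT_RULE = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""
WITH_RULE = WITHOUT_RULE.replace(
    "COMMIT",
    "-A INPUT -s fe80::/64 -d fe80::/64 -p udp -m udp --sport 547 --dport 546 -j ACCEPT\nCOMMIT")

# A DHCPv6 Advertise/Reply as in the report: server fe80::1, UDP 547 -> 546.
REPLY = {"iface": "eth0", "proto": "udp", "src": "fe80::1",
         "dst": "fe80::211:22ff:fe33:4455", "sport": 547, "dport": 546}  # dst is constructed

def rule_matches(opts, pkt):
    """Match one rule's options against pkt; unknown options make the rule not match."""
    for key, val in opts.items():
        if key == "-i":
            ok = val == pkt["iface"]
        elif key == "-p":
            ok = val == pkt["proto"]
        elif key in ("-s", "-d"):
            addr = pkt["src" if key == "-s" else "dst"]
            ok = ipaddress.ip_address(addr) in ipaddress.ip_network(val, strict=False)
        elif key in ("--sport", "--dport"):
            ok = int(val) == pkt[key[2:]]
        else:
            ok = key == "-m"  # module name only; its options are checked by their own keys
        if not ok:
            return False
    return True

def input_verdict(ruleset, pkt):
    """First-match walk over a flat INPUT chain; falls back to the chain policy."""
    policy = "ACCEPT"
    for line in ruleset.splitlines():
        tok = shlex.split(line)
        if tok[:1] == [":INPUT"]:
            policy = tok[1]
        elif tok[:2] == ["-A", "INPUT"]:
            opts = dict(zip(tok[2::2], tok[3::2]))
            target = opts.pop("-j", None)
            if target in ("ACCEPT", "DROP", "REJECT") and rule_matches(opts, pkt):
                return target
    return policy
```

The same check with the source changed to a non-link-local address returns the chain policy, which shows how narrowly the -s fe80::/64 -d fe80::/64 rule from the report is scoped.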