New subject: [Bug 767392] Firewall should accept IPv6 MLD Queries (ICMP Type 130) by default in external zone

17 Jun 2012

      https://bugzilla.novell.com/show_bug.cgi?id=767392

https://bugzilla.novell.com/show_bug.cgi?id=767392#c0

           Summary: Firewall should accept IPv6 MLD Queries (ICMP Type
                    130) by default in external zone
    Classification: openSUSE
           Product: openSUSE 12.1
           Version: Final
          Platform: Other
        OS/Version: openSUSE 12.1
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Basesystem
        AssignedTo: bnc-team-screening@forge.provo.novell.com
        ReportedBy: hg_peters@hotmail.com
         QAContact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

User-Agent:       Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101
Firefox/13.0.1

On a machine with IPv6 address on an external interface neighbor discovery and
thus basic connectivity breaks if it is attached to a switch with MLD snooping.

After bringing the interface up it sends out a MLD membership report for its
neighbor discovery. The switch sees this and adds the the corresponding
multicast destination to its port. For some time everything works. But a little
later the switch times out and removes the multicast destination from its port.
Now neighbor discovery is broken.

The timeout should be prevented by the multicast router (or the mld querier).
They send periodcally MLD queries to all IPv6 nodes asking for all multicast
group memberships. All nodes are expected to answer with membership reports.

SuSEfirewall2 drops these queries. So the machine doesn't answer with
membership reports and the switch times ot. The MLD queries show up as denied
in the firewall log.

The firewall should accept MLD Queries (ICMP Type 130, Code 0) just like ICMP
echo requests. It might be possible to restrict this to link-local senders
and/or multicast destinations.

This custom rule worked for me:

fw_custom_after_chain_creation() {
    ip6tables -A input_ext -j ACCEPT -p ipv6-icmp --icmpv6-type 130/0
    true
}

Reproducible: Always

Steps to Reproduce:
1. Enable IPv6 and Firewall
2. Put IPv6 interface in external zone and attach to MLD snoopinf switch
3. wait s couple of minutes
4. Try to ping the machine from outside

Actual Results:  
MLD Queries get dropped by firewall. Neighbor discovery fails. The ND-ICMP
packets get dropped by switch.

Expected Results:  
Machine should have answered the MLD queries. ND would have worked.

I've seen this broken behavior on 12.1 and 11.4.

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug 767392] New: Firewall should accept IPv6 MLD Queries (ICMP Type 130) by default in external zone

bugzilla_noreply＠novell.com

bugzilla_noreply＠novell.com

bugzilla_noreply＠novell.com

bugzilla_noreply＠novell.com

bugzilla_noreply＠novell.com

bugzilla_noreply＠novell.com

bugzilla_noreply＠novell.com

bugzilla_noreply＠novell.com

bugzilla_noreply＠novell.com

bugzilla_noreply＠novell.com

bugzilla_noreply＠novell.com

bugzilla_noreply＠novell.com

bugzilla_noreply＠novell.com

bugzilla_noreply＠novell.com

tags

participants (1)