[Bug 1099698] New: firewalld puts icmp into ip6tables
http://bugzilla.suse.com/show_bug.cgi?id=1099698

            Bug ID: 1099698
           Summary: firewalld puts icmp into ip6tables
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Network
          Assignee: markos.chandras@suse.com
          Reporter: jslaby@suse.com
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

When I enable icmp, I see icmp in both ipv4 and ipv6 iptables:

    0     0 ACCEPT     icmp     *      *       ::/0                 ::/0                 ctstate NEW

But icmp in ipv6 is called icmpv6. So it all does not work and the traffic is dropped:
[285010.162912] IN_drop_DROP: IN=eth1 OUT= MAC=d8:9e:f3:f6:6d:0c:00:14:d1:e6:8d:c6:86:dd SRC=fe80:0000:0000:0000:0214:d1ff:fee6:8dc6 DST=2a01:4240:2e27:ad85:aaaa:0000:0000:070f LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0
And I see no way to configure firewalld to add icmpv6 into ip6tables. I have to use a direct rule:

firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 0 -p icmpv6 -j ACCEPT

I would expect that enabling icmp would enable icmpv6 in ip6tables, or at least that icmpv6 would be another protocol option that can be added.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1099698#c1

--- Comment #1 from Markos Chandras <markos.chandras@suse.com> ---
Thank you for the report. Could you tell me how you enabled the 'icmp' rule in your firewall configuration?
http://bugzilla.suse.com/show_bug.cgi?id=1099698#c2

--- Comment #2 from Markos Chandras <markos.chandras@suse.com> ---
(In reply to Markos Chandras from comment #1)
> Thank you for the report. Could you tell me how you enabled the 'icmp' rule
> in your firewall configuration?

For the record, in the default setup, the icmp rules seem correct in both ipv4 and ipv6:

# ip6tables -L|grep icmp|grep ACCEPT|head -n1
ACCEPT     ipv6-icmp  anywhere             anywhere
# iptables -L|grep icmp|grep ACCEPT|head -n1
ACCEPT     icmp --  anywhere             anywhere
http://bugzilla.suse.com/show_bug.cgi?id=1099698#c3

--- Comment #3 from Jiri Slaby <jslaby@suse.com> ---
(In reply to Markos Chandras from comment #1)
> Thank you for the report. Could you tell me how you enabled the 'icmp' rule
> in your firewall configuration?

Using the UI (yast2 firewall): protocols -> add -> icmp (there is no option to add icmp). I am using "drop" as the default zone.
http://bugzilla.suse.com/show_bug.cgi?id=1099698#c4

--- Comment #4 from Jiri Slaby <jslaby@suse.com> ---
(In reply to Jiri Slaby from comment #3)
> Using the UI (yast2 firewall): protocols -> add -> icmp (there is no option
> to add icmp).

...to add icmpv6
Markos Chandras <markos.chandras@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |IN_PROGRESS
                URL|                            |https://github.com/firewalld/firewalld/pull/348

SMASH SMASH <smash_bz@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Whiteboard|                            |maint:planned:update

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Whiteboard|maint:planned:update        |

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Whiteboard|                            |ibs:running:8052:moderate
http://bugzilla.suse.com/show_bug.cgi?id=1099698#c8

--- Comment #8 from Swamp Workflow Management <swamp@suse.de> ---
This is an autogenerated message for OBS integration:
This bug (1099698) was mentioned in
https://build.opensuse.org/request/show/629070 Factory / firewalld

http://bugzilla.suse.com/show_bug.cgi?id=1099698#c10

--- Comment #10 from Swamp Workflow Management <swamp@suse.de> ---
This is an autogenerated message for OBS integration:
This bug (1099698) was mentioned in
https://build.opensuse.org/request/show/631960 Factory / firewalld
http://bugzilla.suse.com/show_bug.cgi?id=1099698#c12

Jiri Slaby <jslaby@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |---

--- Comment #12 from Jiri Slaby <jslaby@suse.com> ---
Now I have:

    6   624 ACCEPT     icmpv6   *      *       ::/0                 ::/0                 ctstate NEW

The problem is that only a small part of the icmpv6 traffic is managed by conntrack. Hence, packets with the UNTRACKED state are dropped unless I add a custom rule '-p icmpv6 -j ACCEPT' (with no ctstate checking):

$ ip6tables -L -vn|grep icmpv6
   26  1800 LOG        icmpv6   *      *       ::/0                 ::/0                 ctstate UNTRACKED LOG flags 0 level 4 prefix "XXUNTR"
    0     0 LOG        icmpv6   *      *       ::/0                 ::/0                 ctstate NEW LOG flags 0 level 4 prefix "XXNEW"
    0     0 LOG        icmpv6   *      *       ::/0                 ::/0                 ctstate RELATED LOG flags 0 level 4 prefix "XXRELA"
    0     0 LOG        icmpv6   *      *       ::/0                 ::/0                 ctstate ESTABLISHED LOG flags 0 level 4 prefix "XXESTE"
    0     0 LOG        icmpv6   *      *       ::/0                 ::/0                 ctstate INVALID LOG flags 0 level 4 prefix "XXINVA"
    6   624 ACCEPT     icmpv6   *      *       ::/0                 ::/0                 ctstate NEW
  195 13736 ACCEPT     icmpv6   *      *       ::/0                 ::/0
http://bugzilla.suse.com/show_bug.cgi?id=1099698#c13

--- Comment #13 from Jiri Slaby <jslaby@suse.com> ---
Example of the UNTRACKED traffic logged in the previous comment:

[213344.130774] XXUNTRIN=eth1 OUT= MAC=d8:9e:f3:f6:6d:0c:00:14:d1:e6:8d:c6:86:dd SRC=fe80:0000:0000:0000:0214:d1ff:fee6:8dc6 DST=fe80:0000:0000:0000:4748:4aeb:6d22:254d LEN=64 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=136 CODE=0
[213348.357176] XXUNTRIN=eth1 OUT= MAC=d8:9e:f3:f6:6d:0c:00:14:d1:e6:8d:c6:86:dd SRC=fe80:0000:0000:0000:0214:d1ff:fee6:8dc6 DST=2a01:4240:2e27:ad85:aaaa:0000:0000:070f LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0
[213349.137268] XXUNTRIN=eth1 OUT= MAC=d8:9e:f3:f6:6d:0c:00:14:d1:e6:8d:c6:86:dd SRC=fe80:0000:0000:0000:0214:d1ff:fee6:8dc6 DST=fe80:0000:0000:0000:4748:4aeb:6d22:254d LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0
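To make the conntrack point in comments #12 and #13 concrete, here is an added Python model (not code from the report or from firewalld) that parses kernel LOG lines of the kind quoted above and runs them through three INPUT-chain variants: firewalld's ctstate NEW rule, the reporter's unconditional direct rule, and a narrower variant that only admits untracked neighbour discovery with hop limit 255. The set of UNTRACKED ICMPv6 types is an assumption taken from the kernel's conntrack ICMPv6 handler, the hop-limit check is the RFC 4861 receiver rule, and two of the three sample lines are constructed.

```python
import re

# ICMPv6 types the Linux conntrack handler marks UNTRACKED instead of tracking: MLD (130-132),
# NDP RS/RA/NS/NA (133-136), MLDv2 (143). Assumption from the kernel's conntrack code, not the bug.
UNTRACKED_TYPES = {130, 131, 132, 133, 134, 135, 136, 143}
NDP_TYPES = {133, 134, 135, 136}

def parse_log_line(line):
    # Kernel LOG output is a run of KEY=VALUE fields; keep only what the model needs.
    f = dict(re.findall(r"(\w+)=(\S*)", line))
    return {"proto": f.get("PROTO"),
            "type": int(f["TYPE"]) if "TYPE" in f else None,
            "hoplimit": int(f["HOPLIMIT"]) if "HOPLIMIT" in f else None}

def conntrack_state(icmp6_type):
    # Simplified ctstate for a first-seen ICMPv6 packet with no prior flow.
    if icmp6_type in UNTRACKED_TYPES:
        return "UNTRACKED"   # passes conntrack without a flow entry, so it is never NEW
    if icmp6_type == 128:
        return "NEW"         # echo request opens a tracked flow
    return "INVALID"         # reply or error message with no matching flow

# Three INPUT-chain variants, all under the implicit DROP policy of the "drop" zone.
def firewalld_new_only(pkt, state):
    # firewalld's generated rule: -p icmpv6 -m conntrack --ctstate NEW -j ACCEPT
    return state == "NEW"

def reporter_workaround(pkt, state):
    # The direct rule from the bug: -p icmpv6 -j ACCEPT, with no ctstate check at all.
    return True

def narrow_ndp_allow(pkt, state):
    # NEW ICMPv6, plus untracked NDP only when the hop limit is 255 (RFC 4861 receiver check).
    return state == "NEW" or (pkt["type"] in NDP_TYPES and pkt["hoplimit"] == 255)

RULES = (firewalld_new_only, reporter_workaround, narrow_ndp_allow)

def verdicts(line):
    # Run one log line through every rule variant: {rule name: "ACCEPT" or "DROP"}.
    pkt = parse_log_line(line)
    state = conntrack_state(pkt["type"]) if pkt["proto"] == "ICMPv6" else None
    return {r.__name__: "ACCEPT" if state and r(pkt, state) else "DROP" for r in RULES}

# Sample input: the first line is the dropped neighbour solicitation quoted in the bug; the other
# two are constructed (an echo request, and an NS whose hop limit is not 255, which RFC 4861 rejects).
SAMPLE_LOGS = [
    "IN=eth1 OUT= MAC=d8:9e:f3:f6:6d:0c:00:14:d1:e6:8d:c6:86:dd SRC=fe80:0000:0000:0000:0214:d1ff:fee6:8dc6 DST=2a01:4240:2e27:ad85:aaaa:0000:0000:070f LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0",
    "IN=eth1 OUT= SRC=2001:db8::1 DST=2001:db8::2 LEN=64 HOPLIMIT=64 PROTO=ICMPv6 TYPE=128 CODE=0",
    "IN=eth1 OUT= SRC=2001:db8::1 DST=2001:db8::2 LEN=72 HOPLIMIT=64 PROTO=ICMPv6 TYPE=135 CODE=0",
]
```

Running `verdicts` over the first sample reproduces the report: the ctstate NEW rule drops the neighbour solicitation, while both other variants accept it; on the third sample only the unconditional direct rule still accepts.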
http://bugzilla.suse.com/show_bug.cgi?id=1099698#c14

--- Comment #14 from Markos Chandras <markos.chandras@suse.com> ---
But this is a different problem now, right?

http://bugzilla.suse.com/show_bug.cgi?id=1099698#c15

--- Comment #15 from Jiri Slaby <jslaby@suse.com> ---
(In reply to Markos Chandras from comment #14)
> But this is a different problem now, right?

It depends, you can handle it in bug 1105821. Or here and mark the latter as a dup of this. As you want :).

http://bugzilla.suse.com/show_bug.cgi?id=1099698#c16

Markos Chandras <markos.chandras@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #16 from Markos Chandras <markos.chandras@suse.com> ---
OK, let's close this one, because this was about adding icmpv4 to ip6tables and firewalld did not offer anything for icmpv6 at the time.
http://bugzilla.suse.com/show_bug.cgi?id=1099698#c17

--- Comment #17 from Swamp Workflow Management <swamp@suse.de> ---
SUSE-RU-2018:2675-1: An update that has 5 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1096542,1098986,1099698,1105157,1105170
CVE References: 
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    firewalld-0.5.4-4.7.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    firewalld-0.5.4-4.7.1, susefirewall2-to-firewalld-0.0.3-3.3.1

http://bugzilla.suse.com/show_bug.cgi?id=1099698#c18

--- Comment #18 from Swamp Workflow Management <swamp@suse.de> ---
openSUSE-RU-2018:2711-1: An update that has 5 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1096542,1098986,1099698,1105157,1105170
CVE References: 
Sources used:
openSUSE Leap 15.0 (src):    firewalld-0.5.4-lp150.2.6.1, susefirewall2-to-firewalld-0.0.3-lp150.2.3.1

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Whiteboard|ibs:running:8052:moderate   |