[Bug 1099698] New: firewalld puts icmp into ip6tables
http://bugzilla.suse.com/show_bug.cgi?id=1099698

Bug ID: 1099698
Summary: firewalld puts icmp into ip6tables
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Network
Assignee: markos.chandras@suse.com
Reporter: jslaby@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

When I enable icmp, I see icmp in both ipv4 and ipv6 iptables:

    0     0 ACCEPT     icmp    *      *       ::/0                 ::/0                 ctstate NEW

But icmp in ipv6 is called icmpv6. So it all does not work and the traffic is dropped:
[285010.162912] IN_drop_DROP: IN=eth1 OUT= MAC=d8:9e:f3:f6:6d:0c:00:14:d1:e6:8d:c6:86:dd SRC=fe80:0000:0000:0000:0214:d1ff:fee6:8dc6 DST=2a01:4240:2e27:ad85:aaaa:0000:0000:070f LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0
And I see no way to configure firewalld to add icmpv6 into ip6tables. I have to use a direct rule:

    firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 0 -p icmpv6 -j ACCEPT

I would expect that enabling icmp would enable icmpv6 in ip6tables, or at least that icmpv6 would be another protocol option that can be added.

--
You are receiving this mail because:
You are on the CC list for the bug.
--- Comment #1 from Markos Chandras
--- Comment #2 from Markos Chandras
Thank you for the report. Could you tell me how you enabled the 'icmp' rule in your firewall configuration?
For the record, in the default setup, the icmp rules seem correct in both ipv4 and ipv6:

    # ip6tables -L|grep icmp|grep ACCEPT|head -n1
    ACCEPT     ipv6-icmp  anywhere             anywhere
    # iptables -L|grep icmp|grep ACCEPT|head -n1
    ACCEPT     icmp --  anywhere             anywhere
--- Comment #3 from Jiri Slaby
> Thank you for the report. Could you tell me how you enabled the 'icmp' rule in your firewall configuration?

Using the UI (yast2 firewall): protocols -> add -> icmp (there is no option to add icmp). I am using "drop" as the default zone.
--- Comment #4 from Jiri Slaby
> Using the UI (yast2 firewall): protocols -> add -> icmp (there is no option to add icmp).

...to add icmpv6
--- Comment #8 from Swamp Workflow Management
--- Comment #10 from Swamp Workflow Management
--- Comment #12 from Jiri Slaby
    6   624 ACCEPT     icmpv6  *      *       ::/0                 ::/0                 ctstate NEW

The problem is that only a little icmpv6 traffic is managed by conntrack. Hence, packets with the UNTRACKED state are dropped unless I add a custom rule '-p icmpv6 -j ACCEPT' (with no ctstate checking):

    $ ip6tables -L -vn|grep icmpv6
       26  1800 LOG        icmpv6  *      *       ::/0                 ::/0                 ctstate UNTRACKED LOG flags 0 level 4 prefix "XXUNTR"
        0     0 LOG        icmpv6  *      *       ::/0                 ::/0                 ctstate NEW LOG flags 0 level 4 prefix "XXNEW"
        0     0 LOG        icmpv6  *      *       ::/0                 ::/0                 ctstate RELATED LOG flags 0 level 4 prefix "XXRELA"
        0     0 LOG        icmpv6  *      *       ::/0                 ::/0                 ctstate ESTABLISHED LOG flags 0 level 4 prefix "XXESTE"
        0     0 LOG        icmpv6  *      *       ::/0                 ::/0                 ctstate INVALID LOG flags 0 level 4 prefix "XXINVA"
        6   624 ACCEPT     icmpv6  *      *       ::/0                 ::/0                 ctstate NEW
      195 13736 ACCEPT     icmpv6  *      *       ::/0                 ::/0
--- Comment #13 from Jiri Slaby
[213344.130774] XXUNTRIN=eth1 OUT= MAC=d8:9e:f3:f6:6d:0c:00:14:d1:e6:8d:c6:86:dd SRC=fe80:0000:0000:0000:0214:d1ff:fee6:8dc6 DST=fe80:0000:0000:0000:4748:4aeb:6d22:254d LEN=64 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=136 CODE=0
[213348.357176] XXUNTRIN=eth1 OUT= MAC=d8:9e:f3:f6:6d:0c:00:14:d1:e6:8d:c6:86:dd SRC=fe80:0000:0000:0000:0214:d1ff:fee6:8dc6 DST=2a01:4240:2e27:ad85:aaaa:0000:0000:070f LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0
[213349.137268] XXUNTRIN=eth1 OUT= MAC=d8:9e:f3:f6:6d:0c:00:14:d1:e6:8d:c6:86:dd SRC=fe80:0000:0000:0000:0214:d1ff:fee6:8dc6 DST=fe80:0000:0000:0000:4748:4aeb:6d22:254d LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0
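Added example, not part of the bug report and not firewalld's own code: a small Python script that reads kernel netfilter LOG lines of the kind quoted in the report and in comment #13, works out which ICMPv6 type was logged, and audits an `ip6tables -L -vn` listing for the two problems discussed in this bug (an `icmp` protocol rule in ip6tables, which never matches ICMPv6, and an icmpv6 ACCEPT limited to `ctstate NEW` with nothing accepting the UNTRACKED neighbour discovery packets). The sample log is built from two lines on this page plus one constructed TCP line; the ip6tables listing is constructed in the shape shown in the report; the neighbour discovery type names are taken from RFC 4861; all function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Field names printed by the netfilter LOG target.
FIELDS = ("IN", "OUT", "MAC", "SRC", "DST", "LEN", "TC", "HOPLIMIT",
          "FLOWLBL", "PROTO", "TYPE", "CODE", "SPT", "DPT")

# ICMPv6 Neighbor Discovery types (RFC 4861). In the report's counters these
# arrive with ctstate UNTRACKED, so a 'ctstate NEW' accept never sees them.
NDP_TYPES = {133: "Router Solicitation", 134: "Router Advertisement",
             135: "Neighbor Solicitation", 136: "Neighbor Advertisement",
             137: "Redirect"}

# Constructed sample: first two lines are from this page, the TCP line is made up.
SAMPLE_LOG = """\
[285010.162912] IN_drop_DROP: IN=eth1 OUT= MAC=d8:9e:f3:f6:6d:0c:00:14:d1:e6:8d:c6:86:dd SRC=fe80:0000:0000:0000:0214:d1ff:fee6:8dc6 DST=2a01:4240:2e27:ad85:aaaa:0000:0000:070f LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0
[213344.130774] XXUNTRIN=eth1 OUT= MAC=d8:9e:f3:f6:6d:0c:00:14:d1:e6:8d:c6:86:dd SRC=fe80:0000:0000:0000:0214:d1ff:fee6:8dc6 DST=fe80:0000:0000:0000:4748:4aeb:6d22:254d LEN=64 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=136 CODE=0
[213350.000000] IN_drop_DROP: IN=eth1 OUT= MAC=d8:9e:f3:f6:6d:0c:00:14:d1:e6:8d:c6:86:dd SRC=2001:db8::10 DST=2001:db8::20 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=40000 DPT=22
"""

# Constructed sample listing in the column layout of 'ip6tables -L -vn'.
SAMPLE_IP6TABLES = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot in     out     source               destination
    0     0 ACCEPT     icmp    *      *       ::/0                 ::/0                 ctstate NEW
    6   624 ACCEPT     icmpv6  *      *       ::/0                 ::/0                 ctstate NEW
"""


@dataclass
class LogEntry:
    prefix: str
    fields: Dict[str, str]

    def icmpv6_type(self) -> Optional[int]:
        if self.fields.get("PROTO") != "ICMPv6" or "TYPE" not in self.fields:
            return None
        return int(self.fields["TYPE"])


def parse_nflog_line(line: str) -> Optional[LogEntry]:
    """Split one kernel LOG line into its prefix and KEY=VALUE fields."""
    body = re.sub(r"^\[\s*\d+\.\d+\]\s*", "", line.strip())   # drop "[uptime]"
    prefix_parts: List[str] = []
    fields: Dict[str, str] = {}
    for token in body.split():
        if "=" not in token:
            prefix_parts.append(token)
            continue
        key, value = token.split("=", 1)
        if key not in FIELDS:
            # A LOG prefix without a trailing space is glued to the first key:
            # "XXUNTRIN=eth1" is prefix "XXUNTR" followed by IN=eth1.
            known = next((f for f in FIELDS if key.endswith(f)), None)
            if known is None:
                continue
            prefix_parts.append(key[:-len(known)])
            key = known
        fields[key] = value
    if "PROTO" not in fields:
        return None
    return LogEntry(prefix=" ".join(prefix_parts), fields=fields)


def explain(entry: LogEntry) -> str:
    """Say whether a ctstate-based icmpv6 accept rule can match this packet."""
    t = entry.icmpv6_type()
    if t is None:
        return f"{entry.fields.get('PROTO')}: not ICMPv6"
    if t in NDP_TYPES:
        return (f"ICMPv6 type {t} ({NDP_TYPES[t]}) is UNTRACKED by conntrack; "
                "an accept limited to 'ctstate NEW' never matches it")
    if t in (128, 129):
        return f"ICMPv6 type {t} (echo) is tracked; 'ctstate NEW' matches the request"
    return f"ICMPv6 type {t}: verify its ctstate before relying on a stateful accept"


def ndp_drops(log_text: str) -> Dict[int, int]:
    """Count logged ICMPv6 Neighbor Discovery packets by type."""
    counts: Dict[int, int] = {}
    for line in log_text.splitlines():
        entry = parse_nflog_line(line)
        t = entry.icmpv6_type() if entry else None
        if t in NDP_TYPES:
            counts[t] = counts.get(t, 0) + 1
    return counts


def audit_ip6tables(listing: str) -> List[str]:
    """Flag the two problems from this report in 'ip6tables -L -vn' output."""
    findings: List[str] = []
    ndp_covered = False          # some icmpv6 ACCEPT also admits UNTRACKED packets
    saw_icmpv6_accept = False
    for line in listing.splitlines():
        cols = line.split()
        if len(cols) < 8 or not cols[0].isdigit():
            continue                        # chain header / column header
        target, proto = cols[2], cols[3]    # ip6tables prints no "opt" column
        if proto == "icmp":
            findings.append("proto 'icmp' never matches ICMPv6 in ip6tables; "
                            "use icmpv6: " + line.strip())
        elif proto == "icmpv6" and target == "ACCEPT":
            saw_icmpv6_accept = True
            m = re.search(r"ctstate (\S+)", line)
            if m is None or "UNTRACKED" in m.group(1).split(","):
                ndp_covered = True
    if saw_icmpv6_accept and not ndp_covered:
        findings.append("every icmpv6 ACCEPT is stateful; UNTRACKED neighbour "
                        "discovery falls through to the chain's DROP")
    return findings


if __name__ == "__main__":
    for raw in SAMPLE_LOG.splitlines():
        parsed = parse_nflog_line(raw)
        if parsed:
            print(parsed.prefix, "->", explain(parsed))
    print("NDP drops by type:", ndp_drops(SAMPLE_LOG))
    for finding in audit_ip6tables(SAMPLE_IP6TABLES):
        print("FINDING:", finding)
```

Feed it the output of `journalctl -k` and `ip6tables -L -vn` instead of the constructed samples to check a live box: a chain that only has a `ctstate NEW` icmpv6 accept will show neighbour solicitations (type 135) in the drop log, and `audit_ip6tables` reports it unless an unconditional accept, or one whose ctstate list includes UNTRACKED, is present.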
--- Comment #14 from Markos Chandras
--- Comment #15 from Jiri Slaby
> But this is a different problem now right?

It depends, you can handle it in bug 1105821. Or here and mark the latter as a dup of this. As you want :).
--- Comment #16 from Markos Chandras
--- Comment #17 from Swamp Workflow Management
--- Comment #18 from Swamp Workflow Management