[Bug 679192] New: SuSEfirewall FORWARD chain bug, no reverse RELATED,ESTABLISHED but a double FORWARD
https://bugzilla.novell.com/show_bug.cgi?id=679192
https://bugzilla.novell.com/show_bug.cgi?id=679192#c0

           Summary: SuSEfirewall FORWARD chain bug, no reverse RELATED,ESTABLISHED but a double FORWARD
    Classification: openSUSE
           Product: openSUSE 11.4
           Version: Final
          Platform: x86
        OS/Version: Other
            Status: NEW
          Severity: Major
          Priority: P5 - None
         Component: Network
        AssignedTo: bnc-team-screening@forge.provo.novell.com
        ReportedBy: arjennw@zeilers.net
         QAContact: qa@suse.de
          Found By: ---
           Blocker: ---

Created an attachment (id=419006)
 --> (http://bugzilla.novell.com/attachment.cgi?id=419006)
patch which adds the correct line to /sbin/SuSEfirewall2

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:2.0b12) Gecko/20110222 Firefox/4.0b12

The SuSEfirewall does not produce the reverse ESTABLISHED,RELATED rule for network forwards

Reproducible: Always

Steps to Reproduce:
1. Set FW_FORWARD="2001:xx:yy::/48,0/0" in /etc/sysconfig/SuSEfirewall2
2. # /sbin/SuSEfirewall2 debug | grep ESTABLISHED | grep 2001
   SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
   SuSEfirewall2: using default zone 'ext' for interface eth1
   SuSEfirewall2: Firewall rules successfully set
   ip6tables -A forward_int -s 2001:xx:yy::/48 -d 0/0 -j ACCEPT -m conntrack --ctstate NEW,ESTABLISHED,RELATED
   ip6tables -A forward_int -s 2001:xx:yy::/48 -d 0/0 -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED
   ip6tables -A forward_ext -s 2001:xx:yy::/48 -d 0/0 -j ACCEPT -m conntrack --ctstate NEW,ESTABLISHED,RELATED
   ip6tables -A forward_ext -s 2001:xx:yy::/48 -d 0/0 -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED
3. It is the same for IPv4

Actual Results:
I am not able to establish a connection, since the ACK SYN reply is dropped.

Expected Results:
# ./SuSEfirewall2.mine debug | grep ESTABLISHED | grep 2001
SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
SuSEfirewall2: using default zone 'ext' for interface eth1
SuSEfirewall2: Firewall rules successfully set
ip6tables -A forward_int -s 2001:xx:yy::/48 -d 0/0 -j ACCEPT -m conntrack --ctstate NEW,ESTABLISHED,RELATED
ip6tables -A forward_int -s 0/0 -d 2001:xx:yy::/48 -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED
ip6tables -A forward_ext -s 2001:xx:yy::/48 -d 0/0 -j ACCEPT -m conntrack --ctstate NEW,ESTABLISHED,RELATED
ip6tables -A forward_ext -s 0/0 -d 2001:xx:yy::/48 -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED

I have tested this and it works for me.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
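
An added example, not part of the original report and not SuSEfirewall2 code: a shell function that reads generated rules in the form shown in the report and lists every forward rule admitting NEW connections whose chain has no ESTABLISHED rule with source and destination swapped. The function name `missing_reverse_rules` and the 2001:db8:1::/48 sample prefix are constructed for illustration.

```shell
#!/bin/sh
# Added example (not SuSEfirewall2 code). missing_reverse_rules is a
# hypothetical helper; the sample rules below are constructed.
# On a live system: /sbin/SuSEfirewall2 debug | missing_reverse_rules

# Reads "ip[6]tables -A CHAIN -s SRC -d DST ... --ctstate STATES" lines on
# stdin and prints one MISSING line per rule whose replies are not accepted.
missing_reverse_rules() {
    awk '
    $1 ~ /^ip6?tables$/ && $2 == "-A" {
        chain = $3; src = ""; dst = ""; states = ""
        for (i = 4; i < NF; i++) {
            if ($i == "-s") src = $(i + 1)
            else if ($i == "-d") dst = $(i + 1)
            else if ($i == "--ctstate") states = $(i + 1)
        }
        if (src == "" || dst == "" || states == "") next
        key = $1 SUBSEP chain SUBSEP src SUBSEP dst
        # Rules that let a connection start need a reply path.
        if (("," states ",") ~ /,NEW,/) {
            if (!(key in opens)) order[++n] = key
            opens[key] = 1
        }
        # Rules that accept packets of an existing connection.
        if (("," states ",") ~ /,ESTABLISHED,/) replies[key] = 1
    }
    END {
        for (j = 1; j <= n; j++) {
            split(order[j], f, SUBSEP)
            # Reply traffic has source and destination swapped.
            rev = f[1] SUBSEP f[2] SUBSEP f[4] SUBSEP f[3]
            if (!(rev in replies))
                printf "MISSING %s -A %s -s %s -d %s --ctstate ESTABLISHED,RELATED\n", f[1], f[2], f[4], f[3]
        }
    }'
}

# Constructed sample: the doubled forward rule described in the report.
BUGGY_SAMPLE='ip6tables -A forward_int -s 2001:db8:1::/48 -d 0/0 -j ACCEPT -m conntrack --ctstate NEW,ESTABLISHED,RELATED
ip6tables -A forward_int -s 2001:db8:1::/48 -d 0/0 -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED
ip6tables -A forward_ext -s 2001:db8:1::/48 -d 0/0 -j ACCEPT -m conntrack --ctstate NEW,ESTABLISHED,RELATED
ip6tables -A forward_ext -s 2001:db8:1::/48 -d 0/0 -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED'

# Constructed sample: the expected rules, with the reverse direction present.
FIXED_SAMPLE='ip6tables -A forward_int -s 2001:db8:1::/48 -d 0/0 -j ACCEPT -m conntrack --ctstate NEW,ESTABLISHED,RELATED
ip6tables -A forward_int -s 0/0 -d 2001:db8:1::/48 -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED'

printf '%s\n' "$BUGGY_SAMPLE" | missing_reverse_rules
```

The check is per chain, matching the expected results in the report, where each forward_* chain carries both directions.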
https://bugzilla.novell.com/show_bug.cgi?id=679192#c

Marcus Meissner <meissner@novell.com> changed:

           What    |Removed                                   |Added
----------------------------------------------------------------------------
         AssignedTo|bnc-team-screening@forge.provo.novell.com |lnussel@novell.com
https://bugzilla.novell.com/show_bug.cgi?id=679192#c1

Ludwig Nussel <lnussel@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #1 from Ludwig Nussel <lnussel@novell.com> 2011-03-14 16:40:31 CET ---
regression probably caused due to introduction of the new zonein and zoneout
parameters. Maybe adding them as workaround helps to get things working again.
https://bugzilla.novell.com/show_bug.cgi?id=679192#c2

--- Comment #2 from Arjen Runsink <arjennw@zeilers.net> 2011-03-19 14:18:35 UTC ---
(In reply to comment #1)
> regression probably caused due to introduction of the new zonein and zoneout
> parameters. Maybe adding them as workaround helps to get things working again.

I have tried the suggested workaround. 1st test suggests that only the
ESTABLISHED,RELATED rule is added. But I am not able to verify that anymore.

At the moment _no_ forward rule is generated for when I use the following
parameter:
FW_FORWARD="2001:xx:yy::/48,0/0,,,zonein=INT,zoneout=EXT"

That is the right format, isn't it?
https://bugzilla.novell.com/show_bug.cgi?id=679192#c3

Ludwig Nussel <lnussel@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |NEEDINFO
       InfoProvider|                            |maintenance@opensuse.org

--- Comment #3 from Ludwig Nussel <lnussel@novell.com> 2011-04-06 09:17:12 CEST ---
fixed in git:
http://gitorious.org/opensuse/susefirewall2/blobs/raw/master/SuSEfirewall2

maintenance: this is a regression, we should provide an update.
https://bugzilla.novell.com/show_bug.cgi?id=679192#c4

--- Comment #4 from Bernhard Wiedemann <bwiedemann@novell.com> 2011-04-06 10:01:13 CEST ---
This bug (679192) was mentioned in
https://build.opensuse.org/request/show/66188
https://bugzilla.novell.com/show_bug.cgi?id=679192#c5

--- Comment #5 from Marcus Meissner <meissner@novell.com> 2011-04-06 12:13:57 UTC ---
fine for me +1
https://bugzilla.novell.com/show_bug.cgi?id=679192#c6

Christian Dengler <cdengler@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |ASSIGNED
                 CC|                            |cdengler@novell.com
       InfoProvider|maintenance@opensuse.org    |

--- Comment #6 from Christian Dengler <cdengler@novell.com> 2011-04-06 18:20:39 UTC ---
+1, starting update
https://bugzilla.novell.com/show_bug.cgi?id=679192#c7

Swamp Workflow Management <swamp@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard|                            |maint:running:40002:moderate

--- Comment #7 from Swamp Workflow Management <swamp@suse.com> 2011-04-06 18:21:11 UTC ---
The SWAMPID for this issue is 40002.
This issue was rated as moderate.
Please submit fixed packages until 2011-04-20.
Also create a patchinfo file using this link:
https://swamp.suse.de/webswamp/wf/40002
https://bugzilla.novell.com/show_bug.cgi?id=679192#c8

Christian Dengler <cdengler@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #8 from Christian Dengler <cdengler@novell.com> 2011-04-08 15:07:23 UTC ---
Patchinfo provided. Update will be available shortly in the update-test repo
https://bugzilla.novell.com/show_bug.cgi?id=679192#c9

Swamp Workflow Management <swamp@suse.com> changed:

           What    |Removed                      |Added
----------------------------------------------------------------------------
  Status Whiteboard|maint:running:40002:moderate |maint:running:40002:moderate maint:released:11.4:40074

--- Comment #9 from Swamp Workflow Management <swamp@suse.com> 2011-04-18 10:30:52 UTC ---
Update released for: SuSEfirewall2
Products:
openSUSE 11.4 (i586)
https://bugzilla.novell.com/show_bug.cgi?id=679192#c

Swamp Workflow Management <swamp@suse.com> changed:

           What    |Removed                                                |Added
----------------------------------------------------------------------------
  Status Whiteboard|maint:running:40002:moderate maint:released:11.4:40074 |maint:released:11.4:40074
https://bugzilla.novell.com/show_bug.cgi?id=679192#c10

Swamp Workflow Management <swamp@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard|maint:released:11.4:40074   |maint:released:11.4:40074 maint:running:40470:low

--- Comment #10 from Swamp Workflow Management <swamp@suse.com> 2011-04-27 08:03:18 UTC ---
The SWAMPID for this issue is 40470.
This issue was rated as low.
Please submit fixed packages until 2011-05-25.
Also create a patchinfo file using this link:
https://swamp.suse.de/webswamp/wf/40470
https://bugzilla.novell.com/show_bug.cgi?id=679192#c

Swamp Workflow Management <swamp@suse.com> changed:

           What    |Removed                                           |Added
----------------------------------------------------------------------------
  Status Whiteboard|maint:released:11.4:40074 maint:running:40470:low |maint:released:11.4:40074
https://bugzilla.novell.com/show_bug.cgi?id=679192#c11

--- Comment #11 from Bernhard Wiedemann <bwiedemann@novell.com> 2011-04-28 13:56:02 CEST ---
This is an autogenerated message for OBS integration:
This bug (679192) was mentioned in
https://build.opensuse.org/request/show/66432
https://bugzilla.novell.com/show_bug.cgi?id=679192#c12

--- Comment #12 from Bernhard Wiedemann <bwiedemann@suse.com> 2011-09-07 17:00:22 CEST ---
This is an autogenerated message for OBS integration:
This bug (679192) was mentioned in
https://build.opensuse.org/request/show/81346 Factory / SuSEfirewall2