Mailinglist Archive: opensuse-bugs (4068 mails)

[Bug 715169] New: redundant ipv6-related iptables rules generated by SuSEfirewall2 in debug mode
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Wed, 31 Aug 2011 07:53:53 +0000
  • Message-id: <bug-715169-21960@http.bugzilla.novell.com/>

https://bugzilla.novell.com/show_bug.cgi?id=715169

https://bugzilla.novell.com/show_bug.cgi?id=715169#c0


Summary: redundant ipv6-related iptables rules generated by SuSEfirewall2 in debug mode
Classification: openSUSE
Product: openSUSE 11.4
Version: Final
Platform: All
OS/Version: openSUSE 11.4
Status: NEW
Severity: Minor
Priority: P5 - None
Component: Network
AssignedTo: bnc-team-screening@xxxxxxxxxxxxxxxxxxxxxx
ReportedBy: avn@xxxxxxxxxxx
QAContact: qa@xxxxxxx
Found By: ---
Blocker: ---


User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.2.20)
Gecko/20110803 Firefox/3.6.20 ( .NET CLR 3.5.30729; .NET4.0E)

Possible workaround:

--- SuSEfirewall2 2011-08-31 11:06:20.420001302 +0400
+++ SuSEfirewall2 2011-08-31 11:12:44.604001319 +0400
@@ -310,7 +310,7 @@
IP6TABLES="ip6tables"
ip6tables()
{
- echo ip6tables "$@"
+ [ "$IP6TABLES" != ":" ] && echo ip6tables "$@"
}
TC="tc"
tc()
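Review bot: the rewritten wrapper `+ [ "$IP6TABLES" != ":" ] && echo ip6tables "$@"` returns 1 whenever IPv6 is disabled, because the failed test is the function's last command; any caller that checks the status, or a shell running with `set -e`, would then treat every suppressed ip6tables call as an error. Inverting the test so that the suppressed path is the successful one keeps the exit status at 0 in both cases: `[ "$IP6TABLES" = ":" ] || echo ip6tables "$@"`.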
@@ -321,6 +321,12 @@
{
echo modprobe "$@"
}
+ ### ipv6 checks
+ case "$FW_IPv6" in
+ drop|reject) IP6TABLES_HAVE_STATE=0 ;;
+ no) IP6TABLES=":" ;;
+ *) FW_IPv6="" ;;
+ esac
else
IPTABLES="$IPTABLES_BIN"
IP6TABLES="$IP6TABLES_BIN"
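Review bot: the new `### ipv6 checks` case block is inserted only in the debug branch (between the `modprobe()` wrapper and the `else`), so the interpretation of FW_IPv6 now has to be kept in step with whatever the non-debug path does and the two can drift; hoisting the case above the if/else so both branches see one mapping would avoid that. The `*) FW_IPv6="" ;;` arm also deserves a comment, since it silently normalizes every value other than drop, reject or no to the empty string.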


Reproducible: Always

Steps to Reproduce:
1. Set FW_IPv6="no" in /etc/sysconfig/SuSEfirewall2
2. Run /sbin/SuSEfirewall2 debug
Actual Results:
# ./SuSEfirewall2 debug | grep v6
SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
SuSEfirewall2: Firewall customary rules loaded from
/etc/sysconfig/scripts/SuSEfirewall2-custom
ip6tables -A INPUT -j ACCEPT -p icmpv6 -m conntrack --ctstate RELATED
ip6tables -A input_ext -j ACCEPT -p icmpv6 --icmpv6-type echo-request
ip6tables -A input_bridge -j ACCEPT -p icmpv6 --icmpv6-type echo-request
ip6tables -A input_ext -j ACCEPT -p icmpv6 --icmpv6-type router-solicitation
ip6tables -A input_bridge -j ACCEPT -p icmpv6 --icmpv6-type router-solicitation
ip6tables -A input_ext -j ACCEPT -p icmpv6 --icmpv6-type router-advertisement
ip6tables -A input_bridge -j ACCEPT -p icmpv6 --icmpv6-type
router-advertisement
ip6tables -A input_ext -j ACCEPT -p icmpv6 --icmpv6-type neighbour-solicitation
ip6tables -A input_bridge -j ACCEPT -p icmpv6 --icmpv6-type
neighbour-solicitation
ip6tables -A input_ext -j ACCEPT -p icmpv6 --icmpv6-type
neighbour-advertisement
ip6tables -A input_bridge -j ACCEPT -p icmpv6 --icmpv6-type
neighbour-advertisement
ip6tables -A input_ext -j ACCEPT -p icmpv6 --icmpv6-type redirect
ip6tables -A input_bridge -j ACCEPT -p icmpv6 --icmpv6-type redirect
ip6tables -A OUTPUT -j ACCEPT -p icmpv6
ip6tables -A forward_int -j ACCEPT -m conntrack --ctstate NEW -p icmpv6
--icmpv6-type echo-request -o eth1
ip6tables -A forward_ext -j ACCEPT -m conntrack --ctstate ESTABLISHED -p icmpv6
--icmpv6-type echo-reply
ip6tables -A forward_int -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED
-p icmpv6 --icmpv6-type echo-reply
ip6tables -A forward_int -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED
-p icmpv6 --icmpv6-type destination-unreachable
ip6tables -A forward_int -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED
-p icmpv6 --icmpv6-type packet-too-big
ip6tables -A forward_int -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED
-p icmpv6 --icmpv6-type time-exceeded
ip6tables -A forward_int -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED
-p icmpv6 --icmpv6-type parameter-problem
ip6tables -A forward_ext -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED
-p icmpv6 --icmpv6-type echo-reply
ip6tables -A forward_ext -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED
-p icmpv6 --icmpv6-type destination-unreachable
ip6tables -A forward_ext -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED
-p icmpv6 --icmpv6-type packet-too-big
ip6tables -A forward_ext -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED
-p icmpv6 --icmpv6-type time-exceeded
ip6tables -A forward_ext -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED
-p icmpv6 --icmpv6-type parameter-problem
ip6tables -A input_ext -m limit --limit 3/minute -j LOG --log-level warning
--log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT -p
icmpv6
ip6tables -A input_bridge -m limit --limit 3/minute -j LOG --log-level warning
--log-tcp-options --log-ip-options --log-prefix SFW2-INbridge-DROP-DEFLT -p
icmpv6
ip6tables -A forward_int -m limit --limit 3/minute -j LOG --log-level warning
--log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT -p
icmpv6
ip6tables -A forward_ext -m limit --limit 3/minute -j LOG --log-level warning
--log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT -p
icmpv6
SuSEfirewall2: Firewall rules successfully set


Expected Results:
no ipv6-related rules

/sbin/SuSEfirewall2 also generates redundant rules for many cases.
Probably we need to introduce at least two new parameters in
/etc/sysconfig/SuSEfirewall2.

For example:

FW_TRUSTED_ZONES="int" # default value
FW_MASQ_ZONES="int ext" # default value

The purpose is obvious.
This is especially important for Snort-related installations.
The second one has a simple workaround using
/etc/sysconfig/scripts/SuSEfirewall2-custom:

fw_custom_after_chain_creation() {
    forward_zones="int ext"
}

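The technique behind the report, as an added example that is neither the reporter's patch nor code from SuSEfirewall2 itself: in debug mode the script replaces the iptables and ip6tables binaries with shell functions that only echo the rule they would have loaded, so disabling IPv6 has to be reflected in the ip6tables wrapper or the debug output keeps listing ip6tables rules. The model below uses the same IP6TABLES=":" sentinel and the same FW_IPv6 case mapping as the patch, but writes the wrapper as `[ ... ] || echo` so its exit status is always 0. The function names sfw2_debug_rules and count_ipv6_rules and the three sample rules are constructed for the example.

```sh
#!/bin/sh
# Added example, not code from the bug report or from SuSEfirewall2.
# Models the debug-mode wrappers: iptables/ip6tables become functions that
# echo the would-be command instead of running the real binary.
# sfw2_debug_rules and count_ipv6_rules are hypothetical names.

# Print the rules a debug run would emit for the given FW_IPv6 setting.
# The three rules are a constructed sample, not the script's real rule set.
sfw2_debug_rules() {
    FW_IPv6="$1"          # value that would come from /etc/sysconfig/SuSEfirewall2
    IPTABLES="iptables"
    IP6TABLES="ip6tables"

    iptables()  { echo iptables "$@"; }
    # Stay silent once IPv6 is disabled; the exit status stays 0 either way.
    ip6tables() { [ "$IP6TABLES" = ":" ] || echo ip6tables "$@"; }

    ### ipv6 checks (same mapping as the patch in the report)
    case "$FW_IPv6" in
        drop|reject) IP6TABLES_HAVE_STATE=0 ;;
        no)          IP6TABLES=":" ;;
        *)           FW_IPv6="" ;;
    esac

    iptables  -A INPUT  -j ACCEPT -p icmp   -m conntrack --ctstate RELATED
    ip6tables -A INPUT  -j ACCEPT -p icmpv6 -m conntrack --ctstate RELATED
    ip6tables -A OUTPUT -j ACCEPT -p icmpv6
}

# Number of ip6tables rules in the debug output for a given FW_IPv6 setting.
# The expected result from the report is 0 when FW_IPv6="no".
count_ipv6_rules() {
    sfw2_debug_rules "$1" | grep -c '^ip6tables' || true
}
```

Running `count_ipv6_rules no` prints 0, which is the check the report's "Expected Results" describes; any other setting leaves the ip6tables lines in place. Against the real script the equivalent check is the reporter's own `SuSEfirewall2 debug | grep v6` with FW_IPv6="no" set.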
