
Bug 422877

Summary: net-firewall/iptables: ip6tables "state" test fails; will not jump to ACCEPT on ESTABLISHED,RELATED connections
Product: Gentoo Linux
Reporter: 7v5w7go9ub0o <7v5w7go9ub0o>
Component: Current packages
Assignee: Gentoo's Team for Core System packages <base-system>
Status: RESOLVED INVALID
Severity: normal
CC: jstein, whissi
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
See Also: http://bugzilla.netfilter.org/show_bug.cgi?id=796
Whiteboard:
Package list:
Runtime testing required: ---

Description 7v5w7go9ub0o 2012-06-21 16:44:32 UTC
Below is a little test script. Because the state command fails, I have to include the subsequent accept all statement to get v6 connections to work.


#!/bin/sh
# test script of "state" of ip6tables;
# iptables 1.4.13-r1 compiled with "ipv6";
# kernels: linux-3.4.3-gentoo and linux-3.4.3-hardened; each installed, each fails
# firewall, conntrack, netfilter options compiled in.
# test is conducted by the following two outbound connection attempts:
#
#   ping6 2607:f8b0:4002:802::1011  (google v6)
#   http://ipv6.whatismyv6.com
#
# script below:
echo "Stopping; clearing v6 firewall and allowing everyone everywhere..."
ip6tables -F
ip6tables -X
# ip6tables -t nat -F
# ip6tables -t nat -X
ip6tables -t mangle -F
ip6tables -t mangle -X
ip6tables -P INPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT ACCEPT

# now we attempt outbound v6 connections:

ip6tables -A OUTPUT -j ACCEPT

# This rule doesn't work; the test fails; the packet is not accepted; and the
# following (commented) statement is required to accept the incoming
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# ip6tables -A INPUT -j ACCEPT   # comment this line on/off to test the preceding

# everything not accepted above is dropped here (the INPUT policy is ACCEPT,
# so this rule, not the policy, is what blocks the replies)
ip6tables -A INPUT -j DROP


Reproducible: Always

Steps to Reproduce:
1. run the script with the accept all statement included; then with it commented out
2.
3.
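The script in the report leaves nothing between "accept tracked replies" and "drop everything else", so a state rule that does not fire cannot be told apart from conntrack never having tracked the IPv6 flow, or from the reply not arriving at the INPUT chain at all. The script below is an added example, not the reporter's script and not code from the netfilter bug this was handed to. It builds a DROP-by-default IPv6 ruleset that exempts only the ICMPv6 types IPv6 itself needs (Neighbor Discovery and Packet Too Big; echo replies are deliberately left to the state rule so ping6 remains a valid test), and then answers two questions separately: does /proc/net/nf_conntrack contain any IPv6 entries, and did the ESTABLISHED,RELATED ACCEPT rule count packets in ip6tables -vnxL. It assumes root, an iptables build with the conntrack match (the current spelling of -m state) and nf_conntrack_ipv6 available; the function names apply_rules, v6_conntrack_entries, state_rule_pkts and diagnose are mine, and the ping target is the one from the report.

```shell
#!/bin/sh
# Added example, not the reporter's script: a stateful IPv6 ruleset plus two
# checks that separate "the state match is broken" from "the reply was never
# tracked" or "an earlier rule dropped it". Needs root and an iptables build
# with the conntrack match. Run live with:  APPLY=1 sh <this file>
set -eu

# Build a DROP-by-default INPUT chain. ICMPv6 Neighbor Discovery and
# Packet Too Big are accepted explicitly because IPv6 does not work without
# them; echo replies are NOT exempted, so a ping6 only succeeds if the
# ESTABLISHED,RELATED rule matches (conntrack pairs echo request and reply).
apply_rules() {
    ip6tables -F
    ip6tables -X
    ip6tables -t mangle -F
    ip6tables -t mangle -X
    ip6tables -P INPUT DROP
    ip6tables -P FORWARD DROP
    ip6tables -P OUTPUT ACCEPT

    ip6tables -A INPUT -i lo -j ACCEPT
    # 133-136: router/neighbour solicitation and advertisement; 2: packet too big
    for t in 133 134 135 136 2; do
        ip6tables -A INPUT -p ipv6-icmp --icmpv6-type "$t" -j ACCEPT
    done
    # "-m conntrack --ctstate" is the current spelling of "-m state --state"
    ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
    # no trailing "-j DROP" rule: the chain policy does that job, and the
    # per-rule counters stay meaningful
}

# Check 1: is conntrack tracking IPv6 flows at all? The state/conntrack match
# cannot succeed unless nf_conntrack_ipv6 is loaded or built in. Prints the
# number of IPv6 entries (0 when the table is empty or unreadable).
v6_conntrack_entries() {
    n=$(grep -c '^ipv6' /proc/net/nf_conntrack 2>/dev/null) || n=0
    echo "${n:-0}"
}

# Check 2: the packet counter on the ESTABLISHED,RELATED ACCEPT rule. Reads
# "ip6tables -vnxL INPUT" output from stdin so a saved listing can be fed in.
# Prints the count, or 0 if no such rule is listed.
state_rule_pkts() {
    awk '$3 == "ACCEPT" && /ESTABLISHED/ { print $1; found = 1; exit }
         END { if (!found) print 0 }'
}

# Turn the two numbers ($1 = IPv6 conntrack entries, $2 = packets on the
# state rule) into a verdict:
#   no-ipv6-conntrack  conntrack never saw the flow; fix the kernel/module first
#   not-matched        flows are tracked but the reply did not hit this rule
#                      (routing, tunnel path, or an earlier rule)
#   working            the state match accepted packets
diagnose() {
    if [ "$1" -eq 0 ]; then
        echo no-ipv6-conntrack
    elif [ "$2" -eq 0 ]; then
        echo not-matched
    else
        echo working
    fi
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_rules
    # target from the report; any host that answers ping6 will do
    ping6 -c 3 "${TARGET:-2607:f8b0:4002:802::1011}" >/dev/null 2>&1 || true
    entries=$(v6_conntrack_entries)
    pkts=$(ip6tables -vnxL INPUT | state_rule_pkts)
    echo "ipv6 conntrack entries: $entries, state rule packets: $pkts"
    echo "verdict: $(diagnose "$entries" "$pkts")"
fi
```

With conntrack-tools installed, `conntrack -L -f ipv6` shows the same table as check 1 in a friendlier form. A verdict of not-matched on a tunnelled setup (6to4 and the like) is worth confirming with tcpdump on the tunnel interface, to see whether the reply reaches the host before suspecting the match itself.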
Comment 1 SpanKY gentoo-dev 2012-06-24 00:24:59 UTC
Have you reported this upstream?
Comment 2 7v5w7go9ub0o 2012-06-26 14:21:22 UTC
No. 

If you'd prefer, I will. Would appreciate it if you'd run the script and confirm that it fails on your box as well.
Comment 3 7v5w7go9ub0o 2012-06-28 15:44:14 UTC
O.K. I've filed directly with Iptables and will discuss with them.

Please mark this as handed upstream, irrelevant, removed, fixed, dismissed, or anything else standard and remove any record of my having been here.
Comment 4 SpanKY gentoo-dev 2012-12-24 02:44:15 UTC
Can you fill in the URL field with the relevant bug report/mailing list?
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2013-09-17 13:20:30 UTC
This bug was reported to upstream and tracked by upstream as http://bugzilla.netfilter.org/show_bug.cgi?id=796

Maybe someone could set $URL?


Also, as you can see, the reporter says the bug report is invalid, because it was a 6to4 error. So the Gentoo bug report should also be closed according to upstream's bug state.
Comment 6 Jonas Stein gentoo-dev 2021-11-06 17:08:05 UTC
7v5w7go9ub0o closed it upstream