Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 422877

Summary: net-firewall/iptables: ip6tables "state" test fails; will not jump to ACCEPT on ESTABLISHED,RELATED connections
Product: Gentoo Linux Reporter: 7v5w7go9ub0o <7v5w7go9ub0o>
Component: Current packagesAssignee: Gentoo's Team for Core System packages <base-system>
Severity: normal CC: jstein, whissi
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also:
Package list:
Runtime testing required: ---

Description 7v5w7go9ub0o 2012-06-21 16:44:32 UTC
Below is a little test script. Because the state command fails, I have to include the subsequent accept all statement to get v6 connections to work.

# test script of "state" of ip6tables;
# iptables 1.4.13-r1 compiled with "ipv6"; 
# kernels: linux-3.4.3-gentoo  linux-3.4.3-hardened  each installed/fail
# firewall, conntrack, netfilter options compiled in.
# test is conducted by following two outbound connection attempts:
# ping6 2607:f8b0:4002:802::1011  (google v6)


# script below:
echo "Stopping; clearing v6 firewall and allowing everyone everywhere..."
ip6tables -F
ip6tables -X
# ip6tables -t nat -F
# ip6tables -t nat -X
ip6tables -t mangle -F
ip6tables -t mangle -X
ip6tables -P INPUT ACCEPT
ip6tables -P OUTPUT ACCEPT

#  now we attempt outbound v6 connections:

ip6tables -A OUTPUT -j ACCEPT

ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # this
#  doesn't work; the test fails; the packet is not accepted; and the
#  following statement is required to accept the incoming

# ip6tables -A INPUT  -j ACCEPT # comment this line on/off to test the preceding  

ip6tables -A INPUT -j DROP

Reproducible: Always

Steps to Reproduce:
1. run the script with the accept all statement included; then with it commented out
Comment 1 SpanKY gentoo-dev 2012-06-24 00:24:59 UTC
have you reported this upstream ?
Comment 2 7v5w7go9ub0o 2012-06-26 14:21:22 UTC

If you'd prefer, I will. Would appreciate it if you'd run the script and confirm that it fails on your box as well.
Comment 3 7v5w7go9ub0o 2012-06-28 15:44:14 UTC
O.K. I've filed directly with Iptables and will discuss with them.

Please mark this as handed upstream, irrelevent, removed, fixed, dismissed, or anything else standard and remove any record of my having been here.
Comment 4 SpanKY gentoo-dev 2012-12-24 02:44:15 UTC
can you fill in the URL field with the relevant bug report/mailing list ?
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2013-09-17 13:20:30 UTC
This bug was reported to upstream and tracked by upstream as

Maybe someone could set $URL?

Also, as you can see, the reporter says the bug report is invalid, because it was an 6to4 error. So the Gentoo bug report should also be closed according to upstream's bug state.
Comment 6 Jonas Stein gentoo-dev 2021-11-06 17:08:05 UTC
7v5w7go9ub0o closed it upstream