Bug 422877 - net-firewall/iptables: ip6tables "state" test fails; will not jump to ACCEPT on ESTABLISHED,RELATED connections
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo's Team for Core System packages
Reported: 2012-06-21 16:44 UTC by 7v5w7go9ub0o
Modified: 2015-08-08 13:39 UTC

Description 7v5w7go9ub0o 2012-06-21 16:44:32 UTC
Below is a little test script. Because the state command fails, I have to include the subsequent accept all statement to get v6 connections to work.


# test script of "state" of ip6tables;
# iptables 1.4.13-r1 compiled with "ipv6";
# kernels: linux-3.4.3-gentoo  linux-3.4.3-hardened  each installed/fail
# firewall, conntrack, netfilter options compiled in.
# test is conducted by following two outbound connection attempts:
#
# ping6 2607:f8b0:4002:802::1011  (google v6)
# http://ipv6.whatismyv6.com
#
# script below:
echo "Stopping; clearing v6 firewall and allowing everyone everywhere..."
ip6tables -F
ip6tables -X
# ip6tables -t nat -F
# ip6tables -t nat -X
ip6tables -t mangle -F
ip6tables -t mangle -X
ip6tables -P INPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT ACCEPT

# now we attempt outbound v6 connections:

ip6tables -A OUTPUT -j ACCEPT

# this doesn't work; the test fails; the packet is not accepted; and the
# following statement is required to accept the incoming
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# ip6tables -A INPUT -j ACCEPT # comment this line on/off to test the preceding

ip6tables -A INPUT -j DROP


Reproducible: Always

Steps to Reproduce:
1. run the script with the accept all statement included; then with it commented out
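One way to check the claim in the description without toggling the accept-all line is to read the per-rule packet counters after the two test connections: if the replies were tracked, the ESTABLISHED,RELATED rule's counter moves; if they were not, they fall through to the DROP rule. The following is an added example, not part of the bug report or of iptables: it parses constructed `ip6tables -L INPUT -v -n -x` output (counter values are invented) and classifies the outcome.

```python
# Constructed samples of `ip6tables -L INPUT -v -n -x` taken after the two
# outbound tests in the script (ping6 and the web fetch); counters are invented.
SAMPLE_WORKING = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      14       1512 ACCEPT     all      *      *       ::/0                 ::/0                 state RELATED,ESTABLISHED
       0          0 DROP       all      *      *       ::/0                 ::/0
"""
SAMPLE_FAILING = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 ACCEPT     all      *      *       ::/0                 ::/0                 state RELATED,ESTABLISHED
      14       1512 DROP       all      *      *       ::/0                 ::/0
"""

def parse_chain(text):
    """Return [(pkts, target, states_or_None), ...] in chain order."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 3 or not f[0].isdigit():
            continue  # skip the chain header and the column header
        states = None
        if "state" in f[3:]:  # `-m state --state A,B` is listed as "state A,B"
            states = set(f[f.index("state") + 1].split(","))
        rules.append((int(f[0]), f[2], states))
    return rules

def state_match_verdict(text):
    """Classify the counters: did reply packets hit the stateful ACCEPT rule?"""
    rules = parse_chain(text)
    stateful = [p for p, t, s in rules
                if t == "ACCEPT" and s and {"ESTABLISHED", "RELATED"} <= s]
    dropped = sum(p for p, t, s in rules if t == "DROP" and s is None)
    if not stateful:
        return "NO_STATEFUL_RULE"
    if sum(stateful) > 0:
        return "STATE_MATCH_OK"        # conntrack recognised the replies
    if dropped > 0:
        return "FELL_THROUGH_TO_DROP"  # replies arrived but were not tracked
    return "NO_REPLY_TRAFFIC"          # nothing reached INPUT: test produced no replies

if __name__ == "__main__":
    for name, sample in (("working", SAMPLE_WORKING), ("failing", SAMPLE_FAILING)):
        print(name, state_match_verdict(sample))
```

A FELL_THROUGH_TO_DROP result with a non-zero OUTPUT counter points at conntrack not seeing the IPv6 flow (for instance because the path is tunnelled, as upstream concluded here) rather than at the rule syntax.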
Comment 1 SpanKY gentoo-dev 2012-06-24 00:24:59 UTC
have you reported this upstream ?
Comment 2 7v5w7go9ub0o 2012-06-26 14:21:22 UTC
No. 

If you'd prefer, I will. Would appreciate it if you'd run the script and confirm that it fails on your box as well.
Comment 3 7v5w7go9ub0o 2012-06-28 15:44:14 UTC
O.K. I've filed directly with Iptables and will discuss with them.

Please mark this as handed upstream, irrelevant, removed, fixed, dismissed, or anything else standard and remove any record of my having been here.
Comment 4 SpanKY gentoo-dev 2012-12-24 02:44:15 UTC
can you fill in the URL field with the relevant bug report/mailing list ?
Comment 5 Thomas Deutschmann gentoo-dev Security 2013-09-17 13:20:30 UTC
This bug was reported to upstream and tracked by upstream as http://bugzilla.netfilter.org/show_bug.cgi?id=796

Maybe someone could set $URL?


Also, as you can see, the reporter says the bug report is invalid, because it was a 6to4 error. So the Gentoo bug report should also be closed according to upstream's bug state.