422877 – net-firewall/iptables: ip6tables "state" test fails; will not jump to ACCEPT on ESTABLISHED,RELATED connections

Bug 422877 - net-firewall/iptables: ip6tables "state" test fails; will not jump to ACCEPT on ESTABLISHED,RELATED connections

Summary: net-firewall/iptables: ip6tables "state" test fails; will not jump to ACCEPT ...

Status:	RESOLVED INVALID

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo's Team for Core System packages

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2012-06-21 16:44 UTC by 7v5w7go9ub0o
Modified:	2021-11-06 20:56 UTC (History)
CC List:	2 users (show)

See Also:	http://bugzilla.netfilter.org/show_bug.cgi?id=796
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description 7v5w7go9ub0o 2012-06-21 16:44:32 UTC

Below is a little test script. Because the state command fails, I have to include the subsequent accept all statement to get v6 connections to work.


# test script of "state" of ip6tables;
# iptables 1.4.13-r1 compiled with "ipv6"; 
# kernels: linux-3.4.3-gentoo  linux-3.4.3-hardened  each installed/fail
# firewall, conntrack, netfilter options compiled in.
# test is conducted by following two outbound connection attempts:
#
# ping6 2607:f8b0:4002:802::1011  (google v6)

# http://ipv6.whatismyv6.com

# script below:
echo "Stopping; clearing v6 firewall and allowing everyone everywhere..."
ip6tables -F
ip6tables -X
# ip6tables -t nat -F
# ip6tables -t nat -X
ip6tables -t mangle -F
ip6tables -t mangle -X
ip6tables -P INPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT ACCEPT

#  now we attempt outbound v6 connections:

ip6tables -A OUTPUT -j ACCEPT

ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # this
#  doesn't work; the test fails; the packet is not accepted; and the
#  following statement is required to accept the incoming

# ip6tables -A INPUT  -j ACCEPT # comment this line on/off to test the preceding  

ip6tables -A INPUT -j DROP


Reproducible: Always

Steps to Reproduce:
1. run the script with the accept all statement included; then with it commented out
2.
3.

Comment 1 SpanKY gentoo-dev

2012-06-24 00:24:59 UTC

have you reported this upstream ?

Comment 2 7v5w7go9ub0o 2012-06-26 14:21:22 UTC

No. 

If you'd prefer, I will. Would appreciate it if you'd run the script and confirm that it fails on your box as well.

Comment 3 7v5w7go9ub0o 2012-06-28 15:44:14 UTC

O.K. I've filed directly with Iptables and will discuss with them.

Please mark this as handed upstream, irrelevent, removed, fixed, dismissed, or anything else standard and remove any record of my having been here.

Comment 4 SpanKY gentoo-dev

2012-12-24 02:44:15 UTC

can you fill in the URL field with the relevant bug report/mailing list ?

Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev

2013-09-17 13:20:30 UTC

This bug was reported to upstream and tracked by upstream as http://bugzilla.netfilter.org/show_bug.cgi?id=796

Maybe someone could set $URL?


Also, as you can see, the reporter says the bug report is invalid, because it was an 6to4 error. So the Gentoo bug report should also be closed according to upstream's bug state.

Comment 6 Jonas Stein gentoo-dev

2021-11-06 17:08:05 UTC

7v5w7go9ub0o closed it upstream