bugzilla-daemon at bugzilla.netfilter.org
2012-Jun-28 15:35 UTC
[Bug 796] New: ip6tables (iptables) "state" test fails to correctly determine the state of packet streams; will not jump to ACCEPT on ESTABLISHED,RELATED connections
http://bugzilla.netfilter.org/show_bug.cgi?id=796

           Summary: ip6tables (iptables) "state" test fails to correctly determine the state of packet streams; will not jump to ACCEPT on ESTABLISHED,RELATED connections
           Product: iptables
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ip6tables
        AssignedTo: netfilter-buglog at lists.netfilter.org
        ReportedBy: 7v5w7go9ub0o at gmail.com
   Estimated Hours: 0.0

Below is a little test script. Because the state command fails, I have to include the subsequent ACCEPT all statement to get v6 connections to work.

# test script of "state" of ip6tables;
# iptables Gentoo 1.4.13-r1 compiled with "ipv6";
# kernels: linux-3.4.3-gentoo linux-3.4.3-hardened each installed/fail
# firewall, conntrack, netfilter, etc. options compiled in.
# test is conducted by each of the following outbound connection attempts:
# tests:
# ping6 2607:f8b0:4002:802::1011 (google v6)
# http://ipv6.whatismyv6.com
# script below:
echo "Stopping; clearing v6 firewall and allowing everyone everywhere..."
ip6tables -F
ip6tables -X
ip6tables -t mangle -F
ip6tables -t mangle -X
ip6tables -P INPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT ACCEPT
# now we attempt outbound v6 connections:
ip6tables -A OUTPUT -j ACCEPT
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # this
# doesn't work; the test fails; the packet is not accepted. The
# following statement is required to accept the incoming
ip6tables -A INPUT -j ACCEPT # comment this line on/off to test the preceding
ip6tables -A INPUT -j DROP

--
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching all bug changes.
bugzilla-daemon at bugzilla.netfilter.org
2012-Jul-21 16:05 UTC
[Bug 796] ip6tables (iptables) "state" test fails to correctly determine the state of packet streams; will not jump to ACCEPT on ESTABLISHED,RELATED connections
http://bugzilla.netfilter.org/show_bug.cgi?id=796

--- Comment #1 from 7v5w7go9ub0o at gmail.com 2012-07-21 18:05:12 CEST ---
It turns out that this is likely a 6to4 issue, rather than an iptables issue; this article from RIPE seems to describe my situation quite well:

<https://labs.ripe.net/Members/emileaben/6to4-why-is-it-so-bad>

Please mark this bug resolved.
bugzilla-daemon at bugzilla.netfilter.org
2012-Dec-06 18:10 UTC
[Bug 796] ip6tables (iptables) "state" test fails to correctly determine the state of packet streams; will not jump to ACCEPT on ESTABLISHED,RELATED connections
http://bugzilla.netfilter.org/show_bug.cgi?id=796

Jozsef Kadlecsik <kadlec at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |kadlec at netfilter.org
         Resolution|                            |INVALID

--- Comment #2 from Jozsef Kadlecsik <kadlec at netfilter.org> 2012-12-06 19:10:44 CET ---
Thanks for reporting it's a 6to4 issue.
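For triaging a report like this one, an added example (not part of the original thread and not netfilter project code) that flags 6to4 addresses on a host. It assumes the RFC 3056 layout, where 2002::/16 is the 6to4 prefix and the next 32 bits carry the IPv4 address; the function names and the sample `ip -6 -o addr show` output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report. 6to4 addresses live in 2002::/16 and
# carry the host's IPv4 address in the next 32 bits (RFC 3056).

# Print the embedded IPv4 address if $1 is a 6to4 address.
# Returns 0 for 6to4, 1 for any other IPv6 address, 2 for malformed input.
sixto4_embedded_ipv4() {
    a=${1%%/*}                                  # drop "/prefixlen" if present
    case $a in ''|*[!0-9A-Fa-f:]*) return 2 ;; esac
    old_ifs=$IFS; IFS=:
    set -- $a                                   # split into groups on ':'
    IFS=$old_ifs
    [ $# -ge 2 ] || return 2
    [ "$1" = 2002 ] || return 1
    if [ -z "$2" ]; then                        # "2002::..." -> both groups zero
        g2=0; g3=0
    else
        g2=$2; g3=${3:-0}                       # "2002:xxxx::..." -> low group zero
    fi
    [ ${#g2} -le 4 ] && [ ${#g3} -le 4 ] || return 2
    hi=$((0x$g2)); lo=$((0x$g3))
    printf '%d.%d.%d.%d\n' $((hi >> 8)) $((hi & 255)) $((lo >> 8)) $((lo & 255))
}

# Read `ip -6 -o addr show` output on stdin and print "iface address ipv4"
# for every 6to4 address found.
report_6to4() {
    while read -r _idx ifname family addr _rest; do
        [ "$family" = inet6 ] || continue
        v4=$(sixto4_embedded_ipv4 "$addr") || continue
        echo "$ifname $addr $v4"
    done
}

# Constructed sample of `ip -6 -o addr show` output (documentation addresses).
SAMPLE='2: eth0    inet6 2001:db8::10/64 scope global
3: tun6to4    inet6 2002:c000:204:1::1/16 scope global
3: tun6to4    inet6 fe80::c000:204/64 scope link'

printf '%s\n' "$SAMPLE" | report_6to4
# On a live host: ip -6 -o addr show scope global | report_6to4
```

If the only global address reported is a 6to4 one, rule out the tunnel path before suspecting the `state` match.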