Bug 1099698 - firewalld puts icmp into ip6tables
Summary: firewalld puts icmp into ip6tables
Status: RESOLVED FIXED
Alias: None
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Network
Version: Current
Hardware: Other Other
Importance: P5 - None : Normal
Target Milestone: ---
Assignee: Markos Chandras
QA Contact: E-mail List
URL: https://github.com/firewalld/firewall...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-06-29 13:49 UTC by Jiri Slaby
Modified: 2018-10-04 22:54 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Jiri Slaby 2018-06-29 13:49:25 UTC
When I enable icmp, I see icmp in both ipv4 and ipv6 iptables:  
    0     0 ACCEPT     icmp     *      *       ::/0                 ::/0                 ctstate NEW

But icmp in ipv6 is called icmpv6. So it all does not work and the traffic is dropped:
> [285010.162912] IN_drop_DROP: IN=eth1 OUT= MAC=d8:9e:f3:f6:6d:0c:00:14:d1:e6:8d:c6:86:dd SRC=fe80:0000:0000:0000:0214:d1ff:fee6:8dc6 DST=2a01:4240:2e27:ad85:aaaa:0000:0000:070f LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0 


And I see no way to configure firewalld to add icmpv6 into ip6tables. I have to use a direct rule:
firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 0 -p icmpv6 -j ACCEPT

I would expect enabling icmp would enable icmpv6 in ip6tables, or at least icmpv6 would be another option of protocol to be added.
Comment 1 Markos Chandras 2018-07-03 05:08:12 UTC
Thank you for the report. Could you tell me how you enabled the 'icmp' rule in your firewall configuration?
Comment 2 Markos Chandras 2018-07-03 07:09:26 UTC
(In reply to Markos Chandras from comment #1)
> Thank you for the report. Could you tell me how you enabled the 'icmp' rule
> in your firewall configuration?

For the record, in the default setup, the icmp rules seem correct in both ipv4 and ipv6

# ip6tables -L|grep icmp|grep ACCEPT|head -n1
ACCEPT     ipv6-icmp    anywhere             anywhere 

# iptables -L|grep icmp|grep ACCEPT|head -n1
ACCEPT     icmp --  anywhere             anywhere
Comment 3 Jiri Slaby 2018-07-03 08:00:01 UTC
(In reply to Markos Chandras from comment #1)
> Thank you for the report. Could you tell me how you enabled the 'icmp' rule
> in your firewall configuration?

Using the UI (yast2 firewall):
protocols -> add -> icmp (there is no option to add icmp).

I am using "drop" as the default zone.
Comment 4 Jiri Slaby 2018-07-03 08:02:09 UTC
(In reply to Jiri Slaby from comment #3)
> Using the UI (yast2 firewall):
> protocols -> add -> icmp (there is no option to add icmp).

...to add icmpv6
Comment 6 Markos Chandras 2018-07-16 10:44:10 UTC
Fixed in 0.6.0 and backport is on its way to Leap 15. Thank you for the report.
Comment 8 Swamp Workflow Management 2018-08-13 20:10:56 UTC
This is an autogenerated message for OBS integration:
This bug (1099698) was mentioned in
https://build.opensuse.org/request/show/629070 Factory / firewalld
Comment 10 Swamp Workflow Management 2018-08-28 11:50:54 UTC
This is an autogenerated message for OBS integration:
This bug (1099698) was mentioned in
https://build.opensuse.org/request/show/631960 Factory / firewalld
Comment 12 Jiri Slaby 2018-08-29 09:56:17 UTC
Now I have:
>    6   624 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ctstate NEW


The problem is that only a small part of the icmpv6 traffic is managed by conntrack. Hence, packets with the UNTRACKED state are dropped unless I add a custom rule '-p icmpv6 -j ACCEPT' (with no ctstate checking):
> $ ip6tables -L -vn|grep icmpv6
>    26  1800 LOG        icmpv6    *      *       ::/0                 ::/0                 ctstate UNTRACKED LOG flags 0 level 4 prefix "XXUNTR"
>    0     0 LOG        icmpv6    *      *       ::/0                 ::/0                 ctstate NEW LOG flags 0 level 4 prefix "XXNEW"
>    0     0 LOG        icmpv6    *      *       ::/0                 ::/0                 ctstate RELATED LOG flags 0 level 4 prefix "XXRELA"
>    0     0 LOG        icmpv6    *      *       ::/0                 ::/0                 ctstate ESTABLISHED LOG flags 0 level 4 prefix "XXESTE"
>    0     0 LOG        icmpv6    *      *       ::/0                 ::/0                 ctstate INVALID LOG flags 0 level 4 prefix "XXINVA"
>    6   624 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ctstate NEW
>  195 13736 ACCEPT     icmpv6    *      *       ::/0                 ::/0
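Both defects in this thread show up directly in `ip6tables -L -vn` output: a rule whose protocol is `icmp` rather than `icmpv6` (the original report; it never matches an IPv6 packet, which is why its counters stay at zero), and an `icmpv6` ACCEPT restricted to `ctstate NEW` (comment 12; it misses the neighbour-discovery traffic that conntrack leaves UNTRACKED). The audit script below is an added example and is not part of this bug report or of firewalld. The sample table is assembled from the rule lines quoted above; the chain name `IN_drop_allow` is an assumption, not something the report states.

```python
import re
from dataclasses import dataclass

# Constructed sample of `ip6tables -L -vn` output, assembled from the rule lines
# quoted in this bug. The chain name is an assumption, not taken from the report.
SAMPLE_IP6TABLES = """\
Chain IN_drop_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp     *      *       ::/0                 ::/0                 ctstate NEW
    6   624 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ctstate NEW
  195 13736 ACCEPT     icmpv6    *      *       ::/0                 ::/0
"""


@dataclass
class Rule:
    chain: str
    pkts: int
    target: str
    proto: str
    extra: str  # match options after the destination column, e.g. "ctstate NEW"


def parse_ip6tables(text):
    """Parse `ip6tables -L -vn` output into Rule objects.

    The rule rows quoted in this bug have the layout
    pkts bytes target prot in out source destination [options];
    the header names an 'opt' column, but the rows carry none.
    """
    rules, chain = [], None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Chain":
            chain = fields[1]
            continue
        if fields[0] == "pkts":  # column header row
            continue
        pkts, _bytes, target, proto, _in, _out, _src, _dst = fields[:8]
        rules.append(Rule(chain, int(pkts), target, proto, " ".join(fields[8:])))
    return rules


def ctstates(rule):
    """Set of conntrack states the rule is restricted to, or None if it has no ctstate match."""
    m = re.search(r"\bctstate (\S+)", rule.extra)
    return set(m.group(1).split(",")) if m else None


def audit(rules):
    """Flag rules that look like they accept ICMPv6 but will not pass real traffic."""
    findings = []
    for r in rules:
        if r.proto == "icmp":
            # The original bug: 'icmp' is the IPv4 protocol; in the IPv6 table it
            # never matches, so the rule is dead (the zero packet counter is the tell).
            findings.append((r.chain, r.proto,
                             "protocol 'icmp' never matches in ip6tables; use 'icmpv6'"))
        elif r.proto == "icmpv6" and r.target == "ACCEPT":
            states = ctstates(r)
            if states is not None and "UNTRACKED" not in states:
                # Comment 12: neighbour discovery is not tracked by conntrack, so a
                # NEW-only ACCEPT lets it fall through to the zone's final DROP.
                findings.append((r.chain, r.proto,
                                 "ACCEPT limited to ctstate %s misses UNTRACKED ICMPv6"
                                 % ",".join(sorted(states))))
    return findings


def accepts_untracked_icmpv6(rules):
    """True if some ACCEPT rule admits ICMPv6 without excluding the UNTRACKED state."""
    for r in rules:
        if r.proto == "icmpv6" and r.target == "ACCEPT":
            states = ctstates(r)
            if states is None or "UNTRACKED" in states:
                return True
    return False


if __name__ == "__main__":
    rules = parse_ip6tables(SAMPLE_IP6TABLES)
    for chain, proto, msg in audit(rules):
        print(f"{chain}: {proto}: {msg}")
    print("untracked ICMPv6 accepted:", accepts_untracked_icmpv6(rules))
```

On the sample table the audit reports the dead `icmp` rule and the NEW-only `icmpv6` rule, and `accepts_untracked_icmpv6` is true only because the reporter's extra unrestricted `-p icmpv6 -j ACCEPT` rule is present; drop that last row and it becomes false, which is the state the reporter describes before adding the custom rule.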
Comment 13 Jiri Slaby 2018-08-29 09:57:30 UTC
Example of UNTRACKED traffic logged in the previous comment:
> [213344.130774] XXUNTRIN=eth1 OUT= MAC=d8:9e:f3:f6:6d:0c:00:14:d1:e6:8d:c6:86:dd SRC=fe80:0000:0000:0000:0214:d1ff:fee6:8dc6 DST=fe80:0000:0000:0000:4748:4aeb:6d22:254d LEN=64 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=136 CODE=0 
> [213348.357176] XXUNTRIN=eth1 OUT= MAC=d8:9e:f3:f6:6d:0c:00:14:d1:e6:8d:c6:86:dd SRC=fe80:0000:0000:0000:0214:d1ff:fee6:8dc6 DST=2a01:4240:2e27:ad85:aaaa:0000:0000:070f LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0 
> [213349.137268] XXUNTRIN=eth1 OUT= MAC=d8:9e:f3:f6:6d:0c:00:14:d1:e6:8d:c6:86:dd SRC=fe80:0000:0000:0000:0214:d1ff:fee6:8dc6 DST=fe80:0000:0000:0000:4748:4aeb:6d22:254d LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0
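To read log lines like the ones in comments 12 and 13 (and the `IN_drop_DROP` line in the description) without doing it by eye, here is an added Python parser for netfilter LOG output. It is not part of this bug or of firewalld. It splits each line into the LOG prefix and its KEY=VALUE fields, copes with a prefix that was set without a trailing space (so `XXUNTR` is glued to `IN=`), and classifies the ICMPv6 type as neighbour discovery, which is exactly the traffic conntrack leaves UNTRACKED. The sample input is the set of lines quoted in this thread, used here as constructed input.

```python
import re
from collections import Counter

# Constructed sample: the netfilter LOG lines quoted in this bug (one from the
# description, three from comment 13). Not a live capture from any host.
SAMPLE_LOG_LINES = [
    "[285010.162912] IN_drop_DROP: IN=eth1 OUT= MAC=d8:9e:f3:f6:6d:0c:00:14:d1:e6:8d:c6:86:dd "
    "SRC=fe80:0000:0000:0000:0214:d1ff:fee6:8dc6 DST=2a01:4240:2e27:ad85:aaaa:0000:0000:070f "
    "LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0",
    "[213344.130774] XXUNTRIN=eth1 OUT= MAC=d8:9e:f3:f6:6d:0c:00:14:d1:e6:8d:c6:86:dd "
    "SRC=fe80:0000:0000:0000:0214:d1ff:fee6:8dc6 DST=fe80:0000:0000:0000:4748:4aeb:6d22:254d "
    "LEN=64 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=136 CODE=0",
    "[213348.357176] XXUNTRIN=eth1 OUT= MAC=d8:9e:f3:f6:6d:0c:00:14:d1:e6:8d:c6:86:dd "
    "SRC=fe80:0000:0000:0000:0214:d1ff:fee6:8dc6 DST=2a01:4240:2e27:ad85:aaaa:0000:0000:070f "
    "LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0",
    "[213349.137268] XXUNTRIN=eth1 OUT= MAC=d8:9e:f3:f6:6d:0c:00:14:d1:e6:8d:c6:86:dd "
    "SRC=fe80:0000:0000:0000:0214:d1ff:fee6:8dc6 DST=fe80:0000:0000:0000:4748:4aeb:6d22:254d "
    "LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0",
]

# ICMPv6 Neighbor Discovery message types (RFC 4861). Conntrack does not track
# these, so they arrive with ctstate UNTRACKED and a NEW-only ACCEPT misses them.
NDP_TYPES = {
    133: "router solicitation",
    134: "router advertisement",
    135: "neighbor solicitation",
    136: "neighbor advertisement",
    137: "redirect",
}

# The prefix is everything between the kernel timestamp and the first literal "IN=".
LINE_RE = re.compile(r"^\[\s*(?P<ts>[\d.]+)\]\s*(?P<prefix>.*?)IN=(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")  # OUT= legitimately has an empty value


def parse_log_line(line):
    """Return {'ts', 'prefix', KEY: VALUE, ...} for one LOG line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": float(m.group("ts")), "prefix": m.group("prefix").strip().rstrip(":")}
    rec.update(KV_RE.findall("IN=" + m.group("rest")))
    return rec


def is_ndp(rec):
    """True if the record is an ICMPv6 neighbour-discovery message."""
    return (rec.get("PROTO") == "ICMPv6"
            and rec.get("TYPE", "").isdigit()
            and int(rec["TYPE"]) in NDP_TYPES)


def summarize(lines):
    """Count NDP messages per LOG prefix, e.g. how many hit the zone's DROP rule."""
    counts = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec and is_ndp(rec):
            counts[rec["prefix"]] += 1
    return dict(counts)


def describe(rec):
    """One-line human description of an NDP record."""
    t = int(rec["TYPE"])
    return f"{rec['prefix']}: {NDP_TYPES[t]} (type {t}) {rec['SRC']} -> {rec['DST']} on {rec['IN']}"


if __name__ == "__main__":
    for line in SAMPLE_LOG_LINES:
        rec = parse_log_line(line)
        if rec and is_ndp(rec):
            print(describe(rec))
    print(summarize(SAMPLE_LOG_LINES))
```

Run against the quoted lines it reports one neighbour solicitation that hit the zone's DROP (the description) and three NDP messages logged as UNTRACKED (comment 13); a host that drops those cannot complete neighbour discovery, which is the "traffic is dropped" symptom from the first report.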
Comment 14 Markos Chandras 2018-08-29 10:11:38 UTC
But this is a different problem now, right?
Comment 15 Jiri Slaby 2018-08-29 11:40:46 UTC
(In reply to Markos Chandras from comment #14)
> But this is a different problem now right?

It depends; you can handle it in bug 1105821, or here and mark the latter as a dup of this. As you want :).
Comment 16 Markos Chandras 2018-08-29 11:48:45 UTC
OK, let's close this one, because this was about adding icmpv4 to ip6tables, and firewalld did not offer anything for icmpv6 at the time.
Comment 17 Swamp Workflow Management 2018-09-10 13:08:36 UTC
SUSE-RU-2018:2675-1: An update that has 5 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1096542,1098986,1099698,1105157,1105170
CVE References: 
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    firewalld-0.5.4-4.7.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    firewalld-0.5.4-4.7.1, susefirewall2-to-firewalld-0.0.3-3.3.1
Comment 18 Swamp Workflow Management 2018-09-14 13:09:08 UTC
openSUSE-RU-2018:2711-1: An update that has 5 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1096542,1098986,1099698,1105157,1105170
CVE References: 
Sources used:
openSUSE Leap 15.0 (src):    firewalld-0.5.4-lp150.2.6.1, susefirewall2-to-firewalld-0.0.3-lp150.2.3.1