[Bug 796] New: ip6tables (iptables) "state" test fails to correctly determine the state of packet streams; will not jump to ACCEPT on ESTABLISHED,RELATED connections
bugzilla-daemon at bugzilla.netfilter.org
Thu Jun 28 17:35:20 CEST 2012
http://bugzilla.netfilter.org/show_bug.cgi?id=796
Summary: ip6tables (iptables) "state" test fails to correctly determine the state of packet streams; will not jump to ACCEPT on ESTABLISHED,RELATED connections
Product: iptables
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P5
Component: ip6tables
AssignedTo: netfilter-buglog at lists.netfilter.org
ReportedBy: 7v5w7go9ub0o at gmail.com
Estimated Hours: 0.0
Below is a little test script.
Because the state match fails, I have to include the subsequent ACCEPT-all statement to get v6 connections to work.
#!/bin/sh
# Test script for the "state" match of ip6tables.
# iptables: Gentoo 1.4.13-r1 compiled with "ipv6".
# Kernels: linux-3.4.3-gentoo and linux-3.4.3-hardened, each installed; both fail.
# Firewall, conntrack, netfilter, etc. options compiled in.
# The test is conducted with each of the following outbound connection attempts:
#   ping6 2607:f8b0:4002:802::1011   (google v6)
#   http://ipv6.whatismyv6.com
# Script below:
echo "Stopping; clearing v6 firewall and allowing everyone everywhere..."
ip6tables -F
ip6tables -X
ip6tables -t mangle -F
ip6tables -t mangle -X
ip6tables -P INPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT ACCEPT
# now we attempt outbound v6 connections:
ip6tables -A OUTPUT -j ACCEPT
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # this
# doesn't work; the test fails; the packet is not accepted. The
# following statement is required to accept the incoming
ip6tables -A INPUT -j ACCEPT # comment this line on/off to test the preceding
ip6tables -A INPUT -j DROP
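Two checks a practitioner would make before concluding that the state match itself is broken, written up here as an added example by the editor (this is not the reporter's script): whether conntrack is tracking IPv6 flows at all (entries in /proc/net/nf_conntrack carry an `ipv6` L3 prefix), and whether the per-rule counters from `ip6tables -L INPUT -v -n --line-numbers` show the state rule being hit or the traffic falling through to the next rule. The script also rebuilds the reporter's chain with `-m conntrack --ctstate` (the current spelling of `-m state`), adds an explicit allowance for ICMPv6 neighbour discovery (types 133-137), which is never ESTABLISHED or RELATED and would otherwise be eaten by the final DROP, and replaces the catch-all ACCEPT with a LOG rule so leaked packets are recorded instead of silently accepted. Assumptions: a 3.x kernel with ip6tables and nf_conntrack_ipv6 available, root, and RUN_FW=1 to actually modify the ruleset; the counter listing embedded in the script is constructed to mirror the reporter's chain.

```shell
#!/bin/sh
# Editor's added diagnostic for the ip6tables state-match report; not the
# reporter's script.  Assumes Linux with ip6tables and nf_conntrack_ipv6
# (3.x kernel, as in the report).  Run as root with RUN_FW=1 to touch the
# ruleset; without it only the counter-parsing helpers run, on a constructed
# listing, so the script is safe to execute anywhere.
set -eu

# Constructed sample of `ip6tables -L INPUT -v -n --line-numbers` output,
# shaped like the reporter's chain after some traffic: the state rule (1)
# never matched and the catch-all ACCEPT (2) took everything.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all      *      *       ::/0                 ::/0                 state RELATED,ESTABLISHED
2       57  6294 ACCEPT     all      *      *       ::/0                 ::/0
3        0     0 DROP       all      *      *       ::/0                 ::/0'

# rule_pkts N: read a --line-numbers listing on stdin and print the pkts
# counter of rule N (0 if the rule is absent).
rule_pkts() {
    awk -v n="$1" 'BEGIN { p = 0 } $1 == n { p = $2; exit } END { print p }'
}

# state_verdict STATE_RULE FALLTHROUGH_RULE: read a listing on stdin and
# classify what the counters say about the state rule versus the rule that
# catches whatever the state match let through.
state_verdict() {
    listing=$(cat)
    st=$(printf '%s\n' "$listing" | rule_pkts "$1")
    thru=$(printf '%s\n' "$listing" | rule_pkts "$2")
    if [ "$st" -gt 0 ]; then
        echo "state-match-hit"        # conntrack classified the return traffic
    elif [ "$thru" -gt 0 ]; then
        echo "state-match-missed"     # replies fell through past the state rule
    else
        echo "no-traffic"             # nothing reached INPUT; generate traffic first
    fi
}

# v6_conntrack_entries: number of IPv6 flows conntrack currently knows about.
# Lines in /proc/net/nf_conntrack start with the L3 protocol name, so a zero
# here right after a ping6 means conntrack is not tracking IPv6 at all.
v6_conntrack_entries() {
    [ -r /proc/net/nf_conntrack ] || { echo 0; return; }
    awk 'BEGIN { c = 0 } $1 == "ipv6" { c++ } END { print c }' /proc/net/nf_conntrack
}

# apply_rules: the reporter's test, rebuilt so the outcome can be read off
# the counters.  Layout: 1 = conntrack state rule, 2-6 = ICMPv6 neighbour
# discovery, 7 = LOG (counts leaked packets), 8 = DROP.
apply_rules() {
    ip6tables -F
    ip6tables -X
    ip6tables -P INPUT ACCEPT
    ip6tables -P FORWARD ACCEPT
    ip6tables -P OUTPUT ACCEPT
    ip6tables -A OUTPUT -j ACCEPT
    ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for t in 133 134 135 136 137; do
        ip6tables -A INPUT -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done
    ip6tables -A INPUT -j LOG --log-prefix "ip6 INPUT leak: "
    ip6tables -A INPUT -j DROP
    ip6tables -Z INPUT
}

if [ "${RUN_FW:-0}" = 1 ]; then
    apply_rules
    ping6 -c 3 "${PING_TARGET:-2607:f8b0:4002:802::1011}" || true
    echo "ipv6 conntrack entries: $(v6_conntrack_entries)"
    ip6tables -L INPUT -v -n --line-numbers | state_verdict 1 7
else
    printf '%s\n' "$SAMPLE_LISTING" | state_verdict 1 2
fi
```

Run with `RUN_FW=1 sh script.sh` as root: a non-zero conntrack entry count together with `state-match-hit` means the match is doing its job; zero entries with `state-match-missed` points at conntrack not tracking IPv6 rather than at the match itself, and the LOG rule's lines in the kernel log show exactly which packets fell through.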