firewalld/0001-IPv6-rpfilter-explicitly-allow-neighbor-solicitation.patch

From 0cf02b4c0d4a3b7f55ded6d4d41cf184bc1881e0 Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Tue, 3 Jul 2018 09:12:28 -0400
Subject: [PATCH] IPv6 rpfilter: explicitly allow neighbor solicitation

Some kernel versions (4.16-4.17) have a bug which causes the rpfilter
extension to not match neighbor solicitation frames. This causes the
IPv6 rpfilter to mistakenly drop them. Lets work around the buggy kernel
versions by explicitly allowing neighbor solicitation.

Fixes: rhbz 1575431
(cherry picked from commit 3d6a5063566319b5df58c6f738f203e88724961e)
---
 src/firewall/core/ipXtables.py | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
index 437808027155..c2aac90d838c 100644
--- a/src/firewall/core/ipXtables.py
+++ b/src/firewall/core/ipXtables.py
@@ -474,16 +474,21 @@ class ip6tables(ip4tables):
 
     def apply_rpfilter_rules(self, transaction, log_denied=False):
             transaction.add_rule(self.ipv,
-                                 [ "-I", "PREROUTING", "1", "-t", "raw",
+                          [ "-I", "PREROUTING", "1", "-t", "raw",
+                            "-p", "ipv6-icmp",
+                            "--icmpv6-type=neighbour-solicitation",
+                            "-j", "ACCEPT" ]) # RHBZ#1575431, kernel bug in 4.16-4.17
+            transaction.add_rule(self.ipv,
+                                 [ "-I", "PREROUTING", "2", "-t", "raw",
                                    "-p", "ipv6-icmp",
                                    "--icmpv6-type=router-advertisement",
                                    "-j", "ACCEPT" ]) # RHBZ#1058505
             transaction.add_rule(self.ipv,
-                                 [ "-I", "PREROUTING", "2", "-t", "raw",
+                                 [ "-I", "PREROUTING", "3", "-t", "raw",
                                    "-m", "rpfilter", "--invert", "-j", "DROP" ])
             if log_denied != "off":
                 transaction.add_rule(self.ipv,
-                                     [ "-I", "PREROUTING", "2", "-t", "raw",
+                                     [ "-I", "PREROUTING", "3", "-t", "raw",
                                        "-m", "rpfilter", "--invert",
                                        "-j", "LOG",
                                        "--log-prefix", "rpfilter_DROP: " ])
-- 
2.16.3
backport fix for rhbz 1575431 Fixes: rhbz 1575431 2018-07-03 20:01:07 +00:00			`From 0cf02b4c0d4a3b7f55ded6d4d41cf184bc1881e0 Mon Sep 17 00:00:00 2001`
			`From: Eric Garver <e@erig.me>`
			`Date: Tue, 3 Jul 2018 09:12:28 -0400`
			`Subject: [PATCH] IPv6 rpfilter: explicitly allow neighbor solicitation`

			`Some kernel versions (4.16-4.17) have a bug which causes the rpfilter`
			`extension to not match neighbor solicitation frames. This causes the`
			`IPv6 rpfilter to mistakenly drop them. Lets work around the buggy kernel`
			`versions by explicitly allowing neighbor solicitation.`

			`Fixes: rhbz 1575431`
			`(cherry picked from commit 3d6a5063566319b5df58c6f738f203e88724961e)`
			`---`
			`src/firewall/core/ipXtables.py \| 11 ++++++++---`
			`1 file changed, 8 insertions(+), 3 deletions(-)`

			`diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py`
			`index 437808027155..c2aac90d838c 100644`
			`--- a/src/firewall/core/ipXtables.py`
			`+++ b/src/firewall/core/ipXtables.py`
			`@@ -474,16 +474,21 @@ class ip6tables(ip4tables):`

			`def apply_rpfilter_rules(self, transaction, log_denied=False):`
			`transaction.add_rule(self.ipv,`
			`- [ "-I", "PREROUTING", "1", "-t", "raw",`
			`+ [ "-I", "PREROUTING", "1", "-t", "raw",`
			`+ "-p", "ipv6-icmp",`
			`+ "--icmpv6-type=neighbour-solicitation",`
			`+ "-j", "ACCEPT" ]) # RHBZ#1575431, kernel bug in 4.16-4.17`
			`+ transaction.add_rule(self.ipv,`
			`+ [ "-I", "PREROUTING", "2", "-t", "raw",`
			`"-p", "ipv6-icmp",`
			`"--icmpv6-type=router-advertisement",`
			`"-j", "ACCEPT" ]) # RHBZ#1058505`
			`transaction.add_rule(self.ipv,`
			`- [ "-I", "PREROUTING", "2", "-t", "raw",`
			`+ [ "-I", "PREROUTING", "3", "-t", "raw",`
			`"-m", "rpfilter", "--invert", "-j", "DROP" ])`
			`if log_denied != "off":`
			`transaction.add_rule(self.ipv,`
			`- [ "-I", "PREROUTING", "2", "-t", "raw",`
			`+ [ "-I", "PREROUTING", "3", "-t", "raw",`
			`"-m", "rpfilter", "--invert",`
			`"-j", "LOG",`
			`"--log-prefix", "rpfilter_DROP: " ])`
			`--`
			`2.16.3`