53a98bc1d5
Fixes: rhbz 1575431
From 0cf02b4c0d4a3b7f55ded6d4d41cf184bc1881e0 Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Tue, 3 Jul 2018 09:12:28 -0400
Subject: [PATCH] IPv6 rpfilter: explicitly allow neighbor solicitation
Some kernel versions (4.16-4.17) have a bug which causes the rpfilter
extension to not match neighbor solicitation frames. This causes the
IPv6 rpfilter to mistakenly drop them. Let's work around the buggy kernel
versions by explicitly allowing neighbor solicitation.
Fixes: rhbz 1575431
(cherry picked from commit 3d6a5063566319b5df58c6f738f203e88724961e)
---
src/firewall/core/ipXtables.py | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
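diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
index 437808027155..c2aac90d838c 100644
--- a/src/firewall/core/ipXtables.py
+++ b/src/firewall/core/ipXtables.py
@@ -474,16 +474,21 @@ class ip6tables(ip4tables):
 
 def apply_rpfilter_rules(self, transaction, log_denied=False):
 transaction.add_rule(self.ipv,
-[ "-I", "PREROUTING", "1", "-t", "raw",
+[ "-I", "PREROUTING", "1", "-t", "raw",
+"-p", "ipv6-icmp",
+"--icmpv6-type=neighbour-solicitation",
+"-j", "ACCEPT" ]) # RHBZ#1575431, kernel bug in 4.16-4.17
+transaction.add_rule(self.ipv,
+[ "-I", "PREROUTING", "2", "-t", "raw",
 "-p", "ipv6-icmp",
 "--icmpv6-type=router-advertisement",
 "-j", "ACCEPT" ]) # RHBZ#1058505
 transaction.add_rule(self.ipv,
-[ "-I", "PREROUTING", "2", "-t", "raw",
+[ "-I", "PREROUTING", "3", "-t", "raw",
 "-m", "rpfilter", "--invert", "-j", "DROP" ])
 if log_denied != "off":
 transaction.add_rule(self.ipv,
-[ "-I", "PREROUTING", "2", "-t", "raw",
+[ "-I", "PREROUTING", "3", "-t", "raw",
 "-m", "rpfilter", "--invert",
 "-j", "LOG",
 "--log-prefix", "rpfilter_DROP: " ])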
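Review bot: The neighbour-solicitation ACCEPT inserted at PREROUTING position 1 exempts every NS frame from the rpfilter check on every kernel, not only the 4.16-4.17 ones the commit message names, and the inline comment records only the bug number, so a later reader cannot tell whether the rule may be removed once those kernels are out of support. Suggest widening the comment to state the scope, e.g. `# RHBZ#1575431: kernels 4.16-4.17 fail to rpfilter-match NS, so accept NS ahead of the rpfilter DROP; this exemption also applies on fixed kernels - revisit when they are out of support`. The hard-coded insert positions are coupled: adding one rule forced renumbering both the DROP and the LOG rule from 2 to 3, and the LOG rule only precedes the DROP because it is inserted at the same position after it, pushing DROP down one slot. A one-line comment above `if log_denied != "off":` stating that invariant, e.g. `# LOG must use the same position as the DROP above so it lands in front of it`, would keep the next insertion from silently reordering LOG behind DROP. apply_rpfilter_rules appears to end with the hunk's last line, but nothing after it is visible here.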
--
2.16.3