[pkg-netfilter-team] Bug#915627: icmpv6 error in ufw

Patrik alabard at gmail.com
Sun Dec 30 18:40:20 GMT 2018


You are right. My kernel was not updated. Sorry about that and happy new
year. How can I close this bug?

*Patrik*
WWW <https://patrikx3.com> | GitHub <https://github.com/patrikx3/> | NPM
<https://www.npmjs.com/~patrikx3> | Corifeus <https://corifeus.com> | +36
20 342 8046




On Sun, Dec 30, 2018 at 7:33 PM Jamie Strandboge <jamie at canonical.com>
wrote:

> reassign 915627 iptables
> tags 915627 +confirmed
> thanks
>
> Your kernel is too old. I.e., I cannot reproduce this with the current 4.19
> kernel:
>
> $ lsb_release -a
> No LSB modules are available.
> Distributor ID: Debian
> Description:    Debian GNU/Linux buster/sid
> Release:        unstable
> Codename:       sid
>
> $ cat /proc/version
> Linux version 4.19.0-1-amd64 (debian-kernel at lists.debian.org) (gcc
> version 8.2.0 (Debian 8.2.0-13)) #1 SMP Debian 4.19.12-1 (2018-12-22)
>
> $ sudo iptables --version
> iptables v1.8.2 (nf_tables)
>
> $ sudo apt-get install ufw
> ...
> The following NEW packages will be installed:
>   ufw
> 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
> Need to get 164 kB of archives.
> After this operation, 852 kB of additional disk space will be used.
> Get:1 http://ftp.us.debian.org/debian sid/main amd64 ufw all 0.36-1 [164
> kB]
> ...
>
> $ sudo /usr/share/ufw/check-requirements
> Has python: pass (binary: python2.7, version: 2.7.15+, py2)
> Has iptables: pass
> Has ip6tables: pass
>
> Has /proc/net/dev: pass
> Has /proc/net/if_inet6: pass
>
> This script will now attempt to create various rules using the iptables
> and ip6tables commands. This may result in module autoloading (eg, for
> IPv6).
> Proceed with checks (Y/n)? y
> == IPv4 ==
> ...
> == IPv6 ==
> Creating 'ufw-check-requirements6'... done
> ...
> icmpv6 (destination-unreachable): pass
> icmpv6 (packet-too-big): pass
> icmpv6 (time-exceeded): pass
> icmpv6 (parameter-problem): pass
> icmpv6 (echo-request): pass
> icmpv6 with hl (neighbor-solicitation): pass
> icmpv6 with hl (neighbor-advertisement): pass
> icmpv6 with hl (router-solicitation): pass
> icmpv6 with hl (router-advertisement): pass
> ipv6 rt: pass
>
> All tests passed
>
>
> All ufw is doing in check-requirements is:
> # ip6tables -N ufw-check-requirements6
> # ip6tables -I ufw-check-requirements6 -j RETURN
> # ip6tables -A ufw-check-requirements6 -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
>
> Which all succeed here. However, your kernel is 4.15.0-2, which
> corresponds to:
>
> http://snapshot.debian.org/package/linux/4.15.11-1/
>
> This kernel is more than 9 months old and I recommend you upgrade it for
> security fixes alone. For testing this bug, I installed it and rebooted:
>
> $ cat /proc/version
> Linux version 4.15.0-2-amd64 (debian-kernel at lists.debian.org) (gcc
> version 7.3.0 (Debian 7.3.0-12)) #1 SMP Debian 4.15.11-1 (2018-03-20)
>
> and indeed, the tests fail like you see. Reduced test case:
>
> $ sudo ip6tables -N ufw-check-requirements6
> $ sudo ip6tables -I ufw-check-requirements6 -j RETURN
> $ sudo ip6tables -A ufw-check-requirements6 -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
> ip6tables v1.8.2 (nf_tables): unknown option "--icmpv6-type"
> Try `ip6tables -h' or 'ip6tables --help' for more information.
>
> If I use Arturo's test case, ip6tables-nft fails on this kernel as well:
>
> $ sudo ip6tables-nft -A FORWARD -i eth0 -p icmpv6 -m icmpv6 --icmpv6-type no-route
> ip6tables v1.8.2 (nf_tables): Couldn't load match `icmp6':No such file or directory
>
> Try `ip6tables -h' or 'ip6tables --help' for more information.
> $ sudo ip6tables-legacy -A FORWARD -i eth0 -p icmpv6 -m icmpv6 --icmpv6-type no-route
> $
>
> This is not a bug in ufw. Please upgrade your kernel and this will start to
> work.
>
> This may be considered a bug in iptables, so reassigning to there for now.
> Seems either iptables 1.8 has kernel version requirements that need to be
> expressed in iptables' Debian packaging or iptables nft needs to be updated
> to work with older kernels.
>
> --
> Jamie Strandboge             | http://www.canonical.com
>
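
The reduced test case from the quoted message, wrapped as a probe that removes its scratch chain afterwards and labels the failure by the two error messages shown in the thread. This is an added example, not part of the thread, ufw or iptables; the function names and the scratch chain name are made up here.

```shell
#!/bin/sh
# Added diagnostic sketch; function and chain names are hypothetical.

# Backend named in an `ip6tables --version` line.
ipt_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unmarked ;;
    esac
}

# Map ip6tables stderr onto the two failure messages quoted in the thread.
classify_icmp6_error() {
    case "$1" in
        *'unknown option "--icmpv6-type"'*) echo unknown-option ;;
        *"Couldn't load match"*icmp6*)      echo match-not-loaded ;;
        "")                                 echo none ;;
        *)                                  echo other ;;
    esac
}

# Run the reduced test case in a scratch chain, clean up, print the verdict.
# $1: command to test (ip6tables, ip6tables-nft, ip6tables-legacy). Needs root.
probe_icmp6() {
    ipt=${1:-ip6tables}
    chain="icmp6-probe-$$"
    "$ipt" -N "$chain" 2>/dev/null || { echo cannot-create-chain; return 2; }
    # Capture stderr; the && / || form keeps this safe under `set -e`.
    err=$("$ipt" -A "$chain" -p icmpv6 --icmpv6-type destination-unreachable \
          -j ACCEPT 2>&1) && rc=0 || rc=$?
    "$ipt" -F "$chain" 2>/dev/null || true
    "$ipt" -X "$chain" 2>/dev/null || true
    if [ "$rc" -eq 0 ]; then
        echo pass
        return 0
    fi
    echo "fail:$(classify_icmp6_error "$err")"
    return 1
}

# Probe the real command only when asked: sudo sh icmp6-probe.sh --probe
if [ "${1:-}" = "--probe" ]; then
    echo "backend: $(ipt_backend "$(ip6tables --version)")"
    probe_icmp6 ip6tables || true
fi
```

Running the probe against both `ip6tables-nft` and `ip6tables-legacy` reproduces the comparison made in the quoted message.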