Before I go much further in investigating this, I'd like to ask if anyone has successfully used IPv6 under rawhide?
I can ssh over IPv6 between FC5 and CentOS 4.3 boxes, but any attempt to ssh using v6 to or from a rawhide machine doesn't work. I haven't gotten any details yet, other than an odd packet in an ethereal capture that I executed on an FC4 machine while trying to connect IPv6 from a rawhide machine to the FC4 machine. The frames shown below represent the TCP 3-way handshake for the session, but the last frame seems to indicate that the ssh client is ACKing a frame it hasn't yet seen. wtf?
No.  Time      Source                    Destination               Protocol  Info
4    6.335103  fec0::250:8dff:feef:9069  fec0::250:8dff:fed3:7b0d  TCP       45702 > ssh [SYN] Seq=0 Len=0 MSS=1440 TSV=770378 TSER=0 WS=7

Frame 4 (94 bytes on wire, 94 bytes captured)
Ethernet II, Src: AbitComp_ef:90:69 (00:50:8d:ef:90:69), Dst: AbitComp_d3:7b:0d (00:50:8d:d3:7b:0d)
Internet Protocol Version 6
Transmission Control Protocol, Src Port: 45702 (45702), Dst Port: ssh (22), Seq: 0, Len: 0
    Source port: 45702 (45702)
    Destination port: ssh (22)
    Sequence number: 0    (relative sequence number)
    Header length: 40 bytes
    Flags: 0x0002 (SYN)
    Window size: 737280 (scaled)
    Checksum: 0x3ece [correct]
    Options: (20 bytes)

========================================================================

No.  Time      Source                    Destination               Protocol  Info
5    6.335131  fec0::250:8dff:fed3:7b0d  fec0::250:8dff:feef:9069  TCP       ssh > 45702 [SYN, ACK] Seq=0 Ack=1 Win=22848 Len=0 MSS=1440 TSV=136555 TSER=770378 WS=2

Frame 5 (94 bytes on wire, 94 bytes captured)
Ethernet II, Src: AbitComp_d3:7b:0d (00:50:8d:d3:7b:0d), Dst: AbitComp_ef:90:69 (00:50:8d:ef:90:69)
Internet Protocol Version 6
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 45702 (45702), Seq: 0, Ack: 1, Len: 0
    Source port: ssh (22)
    Destination port: 45702 (45702)
    Sequence number: 0    (relative sequence number)
    Acknowledgement number: 1    (relative ack number)
    Header length: 40 bytes
    Flags: 0x0012 (SYN, ACK)
    Window size: 22848 (scaled)
    Checksum: 0x3517 [correct]
    Options: (20 bytes)

========================================================================

No.  Time      Source                    Destination               Protocol  Info
6    9.330977  fec0::250:8dff:feef:9069  fec0::250:8dff:fed3:7b0d  TCP       [TCP ACKed lost segment] 45702 > ssh [SYN] Seq=0 Len=0 MSS=1440 TSV=771128 TSER=0 WS=7

Frame 6 (94 bytes on wire, 94 bytes captured)
Ethernet II, Src: AbitComp_ef:90:69 (00:50:8d:ef:90:69), Dst: AbitComp_d3:7b:0d (00:50:8d:d3:7b:0d)
Internet Protocol Version 6
Transmission Control Protocol, Src Port: 45702 (45702), Dst Port: ssh (22), Seq: 0, Len: 0
    Source port: 45702 (45702)
    Destination port: ssh (22)
    Sequence number: 0    (relative sequence number)
    Header length: 40 bytes
    Flags: 0x0002 (SYN)
    Window size: 737280 (scaled)
    Checksum: 0x3be0 [correct]
    Options: (20 bytes)
    SEQ/ACK analysis
        TCP Analysis Flags
            This frame ACKs a segment we have not seen (lost?)
Jay Cliburn wrote:
Before I go much further in investigating this, I'd like to ask if anyone has successfully used IPv6 under rawhide?
I can ssh over IPv6 between FC5 and CentOS 4.3 boxes, but any attempt to ssh using v6 to or from a rawhide machine doesn't work. I haven't gotten any details yet, other than an odd packet in an ethereal capture that I executed on an FC4 machine while trying to connect IPv6 from a rawhide machine to the FC4 machine. The frames shown below represent the TCP 3-way handshake for the session, but the last frame seems to indicate that the ssh client is ACKing a frame it hasn't yet seen.
After a week of tracing IPv6 packets through the kernel, this problem turned out to be caused by ip6tables blocking inbound IPv6 packets, despite rules to allow such traffic. (I wasn't even aware ip6tables was running, but I can't say for sure I didn't enable it when I installed FC6.) Here's the default rawhide ip6tables file, with a rule I added to log dropped packets.
[root@osprey ~]# cat /etc/sysconfig/ip6tables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j DROP
COMMIT
And here's what's logged when a remote host tries to initiate an ssh session to this host over IPv6. The SYN packet is dropped.
Jul 30 13:15:31 osprey kernel: IN=eth0 OUT= MAC=00:50:8d:ef:90:69:00:b0:d0:82:6d:db:86:dd SRC=2001:05c0:8c82:0000:02b0:d0ff:fe82:6ddb DST=2001:05c0:8c82:0000:0000:0000:0000:0001 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=39300 DPT=22 WINDOW=5760 RES=0x00 SYN URGP=0
A similar thing happens when an outbound ssh session is attempted from this host. The SYN-ACK packet from the remote host is dropped.
Jul 30 13:27:10 osprey kernel: IN=eth0 OUT= MAC=00:50:8d:ef:90:69:00:b0:d0:82:6d:db:86:dd SRC=2001:05c0:8c82:0000:02b0:d0ff:fe82:6ddb DST=2001:05c0:8c82:0000:0000:0000:0000:0001 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=22 DPT=49029 WINDOW=5712 RES=0x00 ACK SYN URGP=0
According to netfilter.org [1], ip6tables can't do stateful packet filtering, so the default rules supplied for FC6 are not correct. I'd BZ this, but there's no ip6tables category in Red Hat's bugzilla.
[1] http://www.netfilter.org/
    Main Features
    * stateless packet filtering (IPv4 and IPv6)
    * stateful packet filtering (IPv4)
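As an added illustration (not code from the thread or from the Fedora ip6tables package), the script below parses the two kernel LOG lines quoted above, identifies each dropped packet as either an inbound ssh SYN or the SYN-ACK returning to an outbound ssh session, and then evaluates them against a flag-based replacement for the two `-m state` rules: `-p tcp --syn --dport 22 -j ACCEPT` plus `-p tcp ! --syn -j ACCEPT`, which is the usual pre-conntrack workaround and is assumed here rather than taken from the page. The LOG lines are copied from the post as constructed sample input.

```python
# Constructed copies of the two netfilter LOG lines quoted in the post.
DROPPED = [
    "Jul 30 13:15:31 osprey kernel: IN=eth0 OUT= MAC=00:50:8d:ef:90:69:00:b0:d0:82:6d:db:86:dd "
    "SRC=2001:05c0:8c82:0000:02b0:d0ff:fe82:6ddb DST=2001:05c0:8c82:0000:0000:0000:0000:0001 "
    "LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=39300 DPT=22 WINDOW=5760 RES=0x00 SYN URGP=0",
    "Jul 30 13:27:10 osprey kernel: IN=eth0 OUT= MAC=00:50:8d:ef:90:69:00:b0:d0:82:6d:db:86:dd "
    "SRC=2001:05c0:8c82:0000:02b0:d0ff:fe82:6ddb DST=2001:05c0:8c82:0000:0000:0000:0000:0001 "
    "LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=22 DPT=49029 WINDOW=5712 RES=0x00 ACK SYN URGP=0",
]

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_log(line):
    """Turn one netfilter LOG line into a dict; key=value tokens become fields,
    bare flag names (SYN, ACK, ...) go into the FLAGS set."""
    pkt = {"FLAGS": set()}
    for tok in line.split("kernel: ", 1)[1].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            pkt[key] = value
        elif tok in TCP_FLAGS:
            pkt["FLAGS"].add(tok)
    return pkt


def is_syn_only(pkt):
    """Same test as the iptables --syn match: SYN set, ACK/RST/FIN clear."""
    flags = pkt["FLAGS"]
    return "SYN" in flags and not (flags & {"ACK", "RST", "FIN"})


def classify(pkt):
    """Label a dropped packet the way the post reads the two log lines."""
    if pkt.get("PROTO") != "TCP":
        return "non-tcp"
    if pkt.get("DPT") == "22" and is_syn_only(pkt):
        return "inbound ssh connection attempt"
    if pkt.get("SPT") == "22" and {"SYN", "ACK"} <= pkt["FLAGS"]:
        return "reply to our outbound ssh connection"
    return "other"


def stateless_verdict(pkt):
    """Verdict of the assumed flag-based rules that need no connection tracking."""
    if pkt.get("PROTO") != "TCP":
        return "not handled here"
    if is_syn_only(pkt):
        # -p tcp --syn --dport 22 -j ACCEPT: only ssh may open a new connection
        return "ACCEPT" if pkt.get("DPT") == "22" else "DROP"
    # -p tcp ! --syn -j ACCEPT: anything that is not a bare SYN is let through,
    # which is what admits the SYN-ACK from the remote sshd
    return "ACCEPT"
```

The `! --syn` rule is weaker than real connection tracking: any TCP segment with ACK set reaches the socket layer regardless of whether a connection exists, so it only approximates the ESTABLISHED,RELATED rule it replaces.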