Bug 159388 - iptables does not allow packets on loopback with kernel-2.6.11-1.27_FC3
Summary: iptables does not allow packets on loopback with kernel-2.6.11-1.27_FC3
Keywords:
Status: CLOSED DUPLICATE of bug 158710
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 3
Hardware: i686
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: David Miller
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-06-02 11:14 UTC by Adam Deacon
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-06-04 05:47:47 UTC


Attachments
kernel-2.6.11-1.14_FC3 (deleted)
2005-06-02 11:17 UTC, Adam Deacon
failed connection using kernel-2.6.11-1.27_FC3 (deleted)
2005-06-02 11:18 UTC, Adam Deacon

Description Adam Deacon 2005-06-02 11:14:54 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.0.4-1.3.1 Firefox/1.0.4

Description of problem:
The following iptables script should allow all packets on the loopback, but drop everything else:

iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT  -i lo  -m state --state NEW  -j ACCEPT
iptables -A OUTPUT  -o lo  -m state --state NEW  -j ACCEPT
iptables -A OUTPUT  -j DROP
iptables -A INPUT  -j DROP

When you run this with kernel-2.6.11-1.14_FC3 everything works as expected, but with kernel-2.6.11-1.27_FC3 all packets are dropped, even those on the loopback. I'm using iptables-1.2.11-3.1.FC3.

Version-Release number of selected component (if applicable):
kernel-2.6.11-1.27_FC3

How reproducible:
Always

Steps to Reproduce:
1. boot 2.6.11-1.27_FC3
2. add rules as above
3. telnet 127.0.0.1 25 (or anything else on the loopback)
4. boot 2.6.11-1.14_FC3
5. add rules, telnet to loopback
6. Connection accepted  

Actual Results:  Packets dropped

Expected Results:  Packets on loopback should be allowed (as in 2.6.11-1.14_FC3)

Additional info:

Comment 1 Adam Deacon 2005-06-02 11:17:13 UTC
Created attachment 115080
kernel-2.6.11-1.14_FC3

Successful tcpdump using kernel-2.6.11-1.14_FC3

Comment 2 Adam Deacon 2005-06-02 11:18:12 UTC
Created attachment 115081
failed connection using kernel-2.6.11-1.27_FC3

Failed connection using kernel-2.6.11-1.27_FC3

Comment 3 Dave Jones 2005-06-03 17:43:22 UTC
The only networking change between .14 and .27 was a rebase from 2.6.11.7 to
2.6.11.10. Nothing obvious jumps out at me looking at the interdiff, but perhaps
davem has clues..

Comment 4 Dave Jones 2005-06-03 17:46:33 UTC
This could be..
https://lists.netfilter.org/pipermail/netfilter-devel/2005-May/019543.html

which would make this bug a dupe of 158710


Comment 5 David Miller 2005-06-03 18:12:03 UTC
Yes, I believe it is the same exact checksumming bug.


Comment 6 Dave Jones 2005-06-04 05:47:47 UTC

*** This bug has been marked as a duplicate of 158710 ***

Comment 7 Haddon 2005-06-04 06:10:29 UTC
Similar problem experienced with APF Firewall (which uses IPtables). Whilst I am
still figuring out the mechanics (new to this), kernel-2.6.11-1.27_FC3 drops any
loopback packets with APF running, no problems when it's not running. No such
problem with 2.6.11-1.14_FC3. 

Running on i686.

Comment 8 Dave Jones 2005-06-04 06:15:56 UTC
As mentioned in the bug this is a dupe of, there's a test kernel available on my
people page that should fix this. (link is in the other bug)
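
Added example (not part of the bug report and not any commenter's code): a small Python model of the six rules from the Description, evaluated first-match per chain. It assumes that a packet rejected by connection tracking is reported by the state match as INVALID, which is how a conntrack checksumming bug would surface; the `Packet` fields, the `verdict` helper and the sample packets are constructed for illustration.

```python
# Added illustration: first-match model of the rule set in the Description.
# Packet fields and the INVALID classification are assumptions of this sketch.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    chain: str  # "INPUT" or "OUTPUT"
    iface: str  # inbound interface for INPUT, outbound interface for OUTPUT
    state: str  # conntrack state: NEW, ESTABLISHED, RELATED or INVALID


# (chain, interface or None for any, states or None for any, target),
# listed in the order the script appends them, numbered 1..6.
RULES = [
    ("INPUT", None, {"ESTABLISHED", "RELATED"}, "ACCEPT"),
    ("OUTPUT", None, {"ESTABLISHED", "RELATED"}, "ACCEPT"),
    ("INPUT", "lo", {"NEW"}, "ACCEPT"),
    ("OUTPUT", "lo", {"NEW"}, "ACCEPT"),
    ("OUTPUT", None, None, "DROP"),
    ("INPUT", None, None, "DROP"),
]


def verdict(pkt, rules=RULES):
    """Return (target, 1-based rule number) of the first rule matching pkt."""
    for number, (chain, iface, states, target) in enumerate(rules, 1):
        if chain != pkt.chain:
            continue
        if iface is not None and iface != pkt.iface:
            continue
        if states is not None and pkt.state not in states:
            continue
        return target, number
    return "ACCEPT", 0  # no rule matched: chain policy, assumed ACCEPT


def loopback_verdicts(state):
    """Verdict on each chain for a loopback packet in the given state."""
    return {c: verdict(Packet(c, "lo", state)) for c in ("OUTPUT", "INPUT")}


if __name__ == "__main__":
    # Constructed samples: a healthy first packet versus one that conntrack
    # refused to classify (assumed to be reported as INVALID).
    for state in ("NEW", "INVALID"):
        print(state, loopback_verdicts(state))
```

Every ACCEPT rule in the script depends on `-m state`, so a loopback packet that connection tracking does not classify as NEW, ESTABLISHED or RELATED falls through to the final DROP rules.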


