ip6table modules are not included in the -virtual kernel packages

Bug #487010 reported by Mark Schouten
Affects          Status        Importance  Assigned to   Milestone
linux (Ubuntu)   Invalid       Undecided   Unassigned    -
Hardy            Fix Released  Low         Tim Gardner   -

Bug Description

It is not possible to use ipv6 filtering on machines with a -virtual kernel. The modules needed for ip6tables are not included, thus using ip6tables creates an error message and performs no filtering:

root@kms1:~# ip6tables -L -n -v
FATAL: Module ip6_tables not found.
ip6tables v1.3.8: can't initialize ip6tables table `filter': iptables who? (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.

root@kms1:~# modprobe ip6_tables
FATAL: Module ip6_tables not found.

The ipv6 module is included and loaded by default, which works like a charm:
root@kms1:~# ping6 -n -c 2 www.bit.nl
PING www.bit.nl(2001:7b8:3:5::80:3) 56 data bytes
64 bytes from 2001:7b8:3:5::80:3: icmp_seq=1 ttl=62 time=1.13 ms
64 bytes from 2001:7b8:3:5::80:3: icmp_seq=2 ttl=62 time=0.332 ms

--- www.bit.nl ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.332/0.733/1.135/0.402 ms

This is causing possible security issues for people using ipv6 (like me).

Please include the needed modules for ip6tables in the default kernel config.

More info:
root@kms1:~# uname -a
Linux kms1.kerio-vm.dmz.bit.nl 2.6.24-25-virtual #1 SMP Tue Oct 20 08:53:33 UTC 2009 i686 GNU/Linux

root@kms1:~# cat /proc/version_signature
Ubuntu 2.6.24-25.63-virtual

Revision history for this message
Mark Schouten (mark-prevented) wrote :

root@kms1:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 8.04.3 LTS
Release: 8.04
Codename: hardy

visibility: private → public
Changed in linux (Ubuntu):
status: New → Confirmed
Andy Whitcroft (apw)
tags: added: kernel-series-unknown
Stefan Bader (smb)
Changed in linux (Ubuntu):
assignee: nobody → Stefan Bader (stefan-bader-canonical)
status: Confirmed → In Progress
Revision history for this message
Tim Gardner (timg-tpi) wrote :

Enabled CONFIG_NF_CONNTRACK_IPV6 for the virtual flavour

Changed in linux (Ubuntu Hardy):
assignee: nobody → Tim Gardner (timg-tpi)
importance: Undecided → Low
milestone: none → ubuntu-8.04.3
status: New → In Progress
Revision history for this message
Tim Gardner (timg-tpi) wrote :

SRU Justification:

Impact: The Hardy virtual flavour does not contain the IPV6 conntrack module; therefore, ip6tables cannot be used.

Patch Description: Enabled CONFIG_NF_CONNTRACK_IPV6 in the virtual flavour config. Since this is now a common option across all i386 flavours, it was pulled into the i386 common config.

Patch - see attached
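Added example, not from the bug report or the Ubuntu kernel team: a POSIX sh check, serving both the reporter's description and the SRU justification above, that verifies a kernel's config and module tree provide what ip6tables needs before a firewall script relies on it, so the "no rules loaded, IPv6 unfiltered" failure is caught early. The page names only CONFIG_NF_CONNTRACK_IPV6; CONFIG_IP6_NF_IPTABLES and CONFIG_IP6_NF_FILTER are assumed standard options, and the /boot/config-<release> and /lib/modules/<release>/kernel/net/ipv6/netfilter/ip6_tables.ko paths are assumptions too.

```shell
#!/bin/sh
# Does this kernel provide the netfilter pieces ip6tables needs?
# On the Hardy -virtual kernel, ip6tables aborted with "Module ip6_tables
# not found" and loaded nothing, so IPv6 traffic passed unfiltered.
# CONFIG_NF_CONNTRACK_IPV6 comes from the bug; the other two options are
# assumed to be the standard ones behind the ip6tables "filter" table.
REQUIRED_OPTS="CONFIG_IP6_NF_IPTABLES CONFIG_IP6_NF_FILTER CONFIG_NF_CONNTRACK_IPV6"

# check_ip6_config <kernel .config or /boot/config-*>
# Lists each required option that is neither built in (=y) nor modular (=m).
# "# CONFIG_X is not set" lines and longer option names do not count.
# Returns 0 when all are present, 1 when IPv6 filtering would fail.
check_ip6_config() {
    cfg="$1"
    rc=0
    for opt in $REQUIRED_OPTS; do
        if ! grep -Eq "^$opt=[ym]\$" "$cfg"; then
            echo "missing: $opt"
            rc=1
        fi
    done
    return $rc
}

# check_ip6_modules <modules dir, e.g. /lib/modules/$(uname -r)>
# For a modular build the ip6_tables.ko file must actually be installed
# (assumed path layout); a missing file reproduces the bug's modprobe error.
check_ip6_modules() {
    moddir="$1"
    if [ -e "$moddir/kernel/net/ipv6/netfilter/ip6_tables.ko" ]; then
        return 0
    fi
    echo "missing: ip6_tables.ko under $moddir"
    return 1
}

# check_running_kernel: inspect the booted kernel via its saved config
check_running_kernel() {
    rel=$(uname -r)
    cfg="/boot/config-$rel"
    if [ -r "$cfg" ]; then
        check_ip6_config "$cfg" || { echo "WARNING: IPv6 filtering unavailable"; return 1; }
        if grep -q '^CONFIG_IP6_NF_IPTABLES=m$' "$cfg"; then
            check_ip6_modules "/lib/modules/$rel" || return 1
        fi
        return 0
    fi
    echo "no $cfg; falling back to the module file check"
    check_ip6_modules "/lib/modules/$rel"
}
```

Run check_running_kernel from a firewall start-up script and refuse to continue (or alert) when it returns non-zero, rather than letting a failed ip6tables invocation pass silently.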

Stefan Bader (smb)
Changed in linux (Ubuntu):
assignee: Stefan Bader (stefan-bader-canonical) → nobody
status: In Progress → Invalid
Revision history for this message
Stefan Bader (smb) wrote :

Uploaded a preview of a modified patch (which adds more options from the server flavour) to https://launchpad.net/~stefan-bader-canonical/+archive/hardy/+packages. When built, please have a test and report back whether this is sufficient.

Revision history for this message
Mark Schouten (mark-prevented) wrote :

root@kms1:~# dpkg -l | grep 2.6.24
ii linux-image-2.6.24-26-virtual 2.6.24-26.65~pre1 Linux kernel image for version 2.6.24 on x86
ii linux-image-virtual 2.6.24.26.28 Description: Linux kernel image geared towar
ii linux-ubuntu-modules-2.6.24-26-virtual 2.6.24-26.44~pre1 Ubuntu supplied Linux modules for version 2.

root@kms1:~# uname -a
Linux kms1.kerio-vm.dmz.bit.nl 2.6.24-26-virtual #1 SMP Thu Dec 10 02:32:33 UTC 2009 i686 GNU/Linux

root@kms1:~# ip6tables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    1 96 ACCEPT all * * fe80::/10 ff02::/16
    0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmp type 1
    0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmp type 2
    0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmp type 135
    0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmp type 136

etc etc etc etc

This fix seems to work, also after a reboot.

Stefan Bader (smb)
Changed in linux (Ubuntu Hardy):
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.24-27.65

---------------
linux (2.6.24-27.65) hardy-security; urgency=low

  [Leann Ogasawara]

  * [Upstream] e1000: enhance frame fragment detection
    - CVE-2009-4536
  * [Upstream] e1000e: enhance frame fragment detection
    - CVE-2009-4538
  * OPENVZ: untangle the do_mremap() mess
    - CVE-2010-0291
  * XEN: untangle the do_mremap() mess
    - CVE-2010-0291

  [Tim Gardner]

  * (config) Enable ipv6 filter modules on virtual flavour
    - LP: #487010

  [Upstream Kernel Changes]

  * hfs: fix a potential buffer overflow
    - CVE-2009-4020
  * fuse: prevent fuse_put_request on invalid pointer
    - CVE-2009-4021
  * KVM: x86 emulator: limit instructions to 15 bytes
    - CVE-2009-4031
  * ext4: Avoid null pointer dereference when decoding EROFS w/o a journal
    - CVE-2009-4308
  * firewire: ohci: handle receive packets with a data length of zero
    - CVE-2009-4138
  * kernel/signal.c: fix kernel information leak with print-fatal-signals=1
    - CVE-2010-0003
  * netfilter: ebtables: enforce CAP_NET_ADMIN
    - CVE-2010-0007
  * untangle the do_mremap() mess
    - CVE-2010-0291
 -- Leann Ogasawara <email address hidden> Wed, 09 Dec 2009 17:16:25 +0000

Changed in linux (Ubuntu Hardy):
status: Fix Committed → Fix Released
This report contains Public Security information  