ip6table modules are not included in the -virtual kernel packages

Bug #487010 reported by Mark Schouten on 2009-11-23
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Tim Gardner

Bug Description

It is not possible to use ipv6 filtering on machines with a -virtual kernel. The modules needed for ip6tables are not included, thus using ip6tables creates an error message and performs no filtering:

root@kms1:~# ip6tables -L -n -v
FATAL: Module ip6_tables not found.
ip6tables v1.3.8: can't initialize ip6tables table `filter': iptables who? (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.

root@kms1:~# modprobe ip6_tables
FATAL: Module ip6_tables not found.

The ipv6 module is included and loaded by default, which works like a charm:
root@kms1:~# ping6 -n -c 2 www.bit.nl
PING www.bit.nl(2001:7b8:3:5::80:3) 56 data bytes
64 bytes from 2001:7b8:3:5::80:3: icmp_seq=1 ttl=62 time=1.13 ms
64 bytes from 2001:7b8:3:5::80:3: icmp_seq=2 ttl=62 time=0.332 ms

--- www.bit.nl ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.332/0.733/1.135/0.402 ms

This is causing possible security issues for people using ipv6 (like me).

Please include the needed modules for ip6tables in the default kernel config.

More info:
root@kms1:~# uname -a
Linux kms1.kerio-vm.dmz.bit.nl 2.6.24-25-virtual #1 SMP Tue Oct 20 08:53:33 UTC 2009 i686 GNU/Linux

root@kms1:~# cat /proc/version_signature
Ubuntu 2.6.24-25.63-virtual

Mark Schouten (mark-prevented) wrote :
Mark Schouten (mark-prevented) wrote :
Mark Schouten (mark-prevented) wrote :

root@kms1:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 8.04.3 LTS
Release: 8.04
Codename: hardy

visibility: private → public
Changed in linux (Ubuntu):
status: New → Confirmed
Andy Whitcroft (apw) on 2009-11-30
tags: added: kernel-series-unknown
Stefan Bader (smb) on 2009-12-09
Changed in linux (Ubuntu):
assignee: nobody → Stefan Bader (stefan-bader-canonical)
status: Confirmed → In Progress
Tim Gardner (timg-tpi) wrote :

Enabled CONFIG_NF_CONNTRACK_IPV6 for the virtual flavour

Changed in linux (Ubuntu Hardy):
assignee: nobody → Tim Gardner (timg-tpi)
importance: Undecided → Low
milestone: none → ubuntu-8.04.3
status: New → In Progress
Tim Gardner (timg-tpi) wrote :

SRU Justification:

Impact: The Hardy virtual flavour does not contain the IPV6 conntrack module. therefore, ipv6tables cannot be used.

Patch Description: Enabled CONFIG_NF_CONNTRACK_IPV6 in the virtual flavour config. Since this is now a common option across all i386 flavours, it was pulled into the i386 common config.

Patch - see attached

Stefan Bader (smb) on 2009-12-09
Changed in linux (Ubuntu):
assignee: Stefan Bader (stefan-bader-canonical) → nobody
status: In Progress → Invalid
Stefan Bader (smb) wrote :

Uploaded a preview of a modified patch (which adds more options from the server flavour) to https://launchpad.net/~stefan-bader-canonical/+archive/hardy/+packages. When build, please have a test and report back whether this is sufficient.

Mark Schouten (mark-prevented) wrote :

root@kms1:~# dpkg -l | grep 2.6.24
ii linux-image-2.6.24-26-virtual 2.6.24-26.65~pre1 Linux kernel image for version 2.6.24 on x86
ii linux-image-virtual Description: Linux kernel image geared towar
ii linux-ubuntu-modules-2.6.24-26-virtual 2.6.24-26.44~pre1 Ubuntu supplied Linux modules for version 2.

root@kms1:~# uname -a
Linux kms1.kerio-vm.dmz.bit.nl 2.6.24-26-virtual #1 SMP Thu Dec 10 02:32:33 UTC 2009 i686 GNU/Linux

root@kms1:~# ip6tables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    1 96 ACCEPT all * * fe80::/10 ff02::/16
    0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmp type 1
    0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmp type 2
    0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmp type 135
    0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmp type 136

etc etc etc etc

This fix seems to work, also after a reboot.

Stefan Bader (smb) on 2009-12-10
Changed in linux (Ubuntu Hardy):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.24-27.65

linux (2.6.24-27.65) hardy-security; urgency=low

  [Leann Ogasawara]

  * [Upstream] e1000: enhance frame fragment detection
    - CVE-2009-4536
  * [Upstream] e1000e: enhance frame fragment detection
    - CVE-2009-4538
  * OPENVZ: untangle the do_mremap() mess
    - CVE-2010-0291
  * XEN: untangle the do_mremap() mess
    - CVE-2010-0291

  [Tim Gardner]

  * (config) Enable ipv6 filter modules on virtual flavour
    - LP: #487010

  [Upstream Kernel Changes]

  * hfs: fix a potential buffer overflow
    - CVE-2009-4020
  * fuse: prevent fuse_put_request on invalid pointer
    - CVE-2009-4021
  * KVM: x86 emulator: limit instructions to 15 bytes
    - CVE-2009-4031
  * ext4: Avoid null pointer dereference when decoding EROFS w/o a journal
    - CVE-2009-4308
  * firewire: ohci: handle receive packets with a data length of zero
    - CVE-2009-4138
  * kernel/signal.c: fix kernel information leak with print-fatal-signals=1
    - CVE-2010-0003
  * netfilter: ebtables: enforce CAP_NET_ADMIN
    - CVE-2010-0007
  * untangle the do_mremap() mess
    - CVE-2010-0291
 -- Leann Ogasawara <email address hidden> Wed, 09 Dec 2009 17:16:25 +0000

Changed in linux (Ubuntu Hardy):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers