Open fukawi2 opened 11 years ago
The issue appears to be resolved upstream; however, there is also a workaround by reordering the modules in each rule (`-p icmpv6` before `-m hl`).
This appears to still be broken, but for a different reason. When the comment gets appended to the rule, netfilter barfs with `Can't specify HL option twice`.

Reversing the order of the `hl` and `comment` modules in the command line works though:
```console
fw2 ~ # ip6tables -A INPUT -p icmpv6 --icmpv6-type redirect -m hl ! --hl-eq 255 -j DROP -m comment --comment "husk line 13"
ip6tables v1.4.7: Can't specify HL option twice
Try `ip6tables -h' or 'ip6tables --help' for more information.
fw2 ~ # ip6tables -A INPUT -p icmpv6 --icmpv6-type redirect -m comment --comment "husk line 13" -m hl ! --hl-eq 255 -j DROP
fw2 ~ #
```
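The reordering workaround from the comment above, as an added example that is not husk's own code: a bash function that moves the `-m comment --comment <text>` match in front of the first `-m hl` match of a generated rule, so the rule loads on ip6tables builds that reject the original ordering. It assumes the comment is always passed as exactly those four arguments (the shape husk appends to each rule) and that the rule arguments are already split shell-style; the sample rule at the bottom is the failing one from the session above.

```bash
#!/usr/bin/env bash
# Added example (not husk's code): move "-m comment --comment <text>" in front
# of "-m hl ..." so the rule is accepted by ip6tables builds that otherwise
# fail with "Can't specify HL option twice".
# Assumption: the comment match is always exactly four arguments, which is the
# shape husk appends to each rule.

reorder_comment() {
    local -a args=("$@") head=() comment=() tail=()
    local mode=head a
    local i=0 n=$#
    while (( i < n )); do
        a=${args[i]}
        if [[ $a == "-m" && ${args[i+1]} == "comment" ]]; then
            # capture the comment match and drop it from its current position
            comment=("-m" "comment" "${args[i+2]}" "${args[i+3]}")
            i=$((i + 4))
            continue
        fi
        # everything from the first "-m hl" onward is emitted after the comment
        if [[ $mode == head && $a == "-m" && ${args[i+1]} == "hl" ]]; then
            mode=tail
        fi
        if [[ $mode == head ]]; then
            head+=("$a")
        else
            tail+=("$a")
        fi
        i=$((i + 1))
    done

    # print the reordered rule, quoting arguments that contain whitespace so
    # the output can be pasted back into an ip6tables command line
    local out=""
    for a in "${head[@]}" "${comment[@]}" "${tail[@]}"; do
        if [[ $a == *[[:space:]]* ]]; then
            a="\"$a\""
        fi
        out+="${out:+ }$a"
    done
    printf '%s\n' "$out"
}

# Constructed input: the rule that fails in the issue, comment appended last.
reorder_comment -A INPUT -p icmpv6 --icmpv6-type redirect \
    -m hl ! --hl-eq 255 -j DROP -m comment --comment "husk line 13"
```

A rule with no `-m hl` match is printed with its original ordering, so the function can be applied to every generated rule rather than only the ICMPv6 ones.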
Possibly fixed upstream here: http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.devel/37138
Still broken on Debian 6 and CentOS 6 presently. Work around by adding `no_ipv6_comments = 1` to husk.conf
Appears to be resolved upstream according to the original netfilter bug report: http://bugzilla.netfilter.org/show_bug.cgi?id=766
Reported to CentOS for investigation of including upstream fixes: http://bugs.centos.org/view.php?id=6315
Reported to RedHat for inclusion in RHEL6, in order for it to flow down to CentOS: https://bugzilla.redhat.com/show_bug.cgi?id=921403
RedHat have closed the bug report as "Can't Fix", so this will probably remain an issue for RHEL 6 and CentOS 6 users.
There is an upstream bug in ip6tables that causes segmentation faults. Refer to http://bugzilla.netfilter.org/show_bug.cgi?id=766
There are certain protective rules commented in the helper at the moment.
They need to be uncommented when upstream fixes the issue.