netfilter does not handle IPv6 fragments correctly

Issue

  • Even with the nf_defrag_ipv6 module loaded, ip6tables matches always see only the individual fragments and never the entire payload. As a result, for example, packets leak when TPROXY (-m socket) is used, or fragments are not allowed in.

Environment

  • Red Hat Enterprise Linux (RHEL) 6.5 and earlier
