netfilter does not handle IPv6 fragments correctly
Issue
- Even with `nf_defrag_ipv6` loaded, ip6tables matches always see only the individual fragments, never the entire reassembled payload. For example, this leads to packet leaks when using TPROXY (`-m socket`), or to fragments not being allowed in.
Environment
- Red Hat Enterprise Linux (RHEL) 6.5 and earlier