ip6tables is missing libip6t_rt.so to filter the IPv6 RH0 exploit

I forgot to add the [1] reference: http://www.ipv4.sixxs.net/faq/connectivity/?faq=filters

Regarding libip6t_rt.so being missing from Ubuntu Feisty...

1. Based on a quick Google search, the extension in question has existed since the 1.2 series of ip6tables, if not earlier.
2. The extension in question is documented at http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-6.html
3. Other distributions also failed to ship the extension: I found a user's own attempt to patch RHEL/CentOS at http://patrick.vande-walle.eu/software/ipv6-vulnerability-in-rhel4centos4/
4. The extension is promoted by SixXS and RIPE as the solution to the vunlerability. http://www.ripe.net/ripe/meetings/ripe-54/presentations/IPv6_Routing_Header.pdf
5. http://www.natisbad.org/ has been tracking changes in the Linux kernel that apparently are failing to disable the vulnerability at the kernel level.

This extension should be added immediately and encouraged for deployment.

I have confirmed the module as missing from Ubuntu Feisty

I have created a patch which enables the RT extension. This patch is a one line change, and can be added by anyone.

This does need to get applied to both Ubuntu 6.10 and 7.04.

This is a security problem, and machines without this patch and without the latest kernel version are vulnerable to DoS attacks, and to being a relay of a DoS attack.
Machines without this patch are also totally vulnerable to a particular type of rule bypass attack, where malicious hosts can send packets to hosts that are supposedly protected behind firewalls [1].

[1] http://www.ietf.org/internet-drafts/draft-ietf-v6ops-security-overview-06.txt

Can someone please change this bug to a high importance level. I believe that this needs to be fixed immediately, and so far noone has said any reason why it shouldn't be.

The fix for the kernel is pending and should be published shortly. As for adding the "rt" module, I'm investigating now -- it seems like a good thing to add to iptables.

iptables (1.3.6.0debian1-5ubuntu4) gutsy; urgency=low

  * iptables/extensions/Makefile: enable "rt" module for ip6tables
    (LP: #114184).

 -- Kees Cook <email address hidden> Wed, 04 Jul 2007 03:56:20 -0700

I'm going to get this spun up for an SRU on Dapper through Feisty. It has been added to Gutsy. Thanks for the patch!

SRU proposal:

statement explaining the impact: the missing user-space module is needed to more fully protect IPv6 networks.
how the bug has been addressed: module was included in the list of default modules to compile.
patch: see comment 4.
instructions: run the command "sudo ip6tables -A INPUT -m rt --rt-type 0 -j DROP" and observe the missing shared library error.
discussion: currently the "rt" module is not available at all. regressions could exist if a user uses the "rt" module and it causes unexpected behaviors in the presently un-testable "rt" kernel module.

Confirmed that yesterday's fix in gutsy worked, and patches look appropriate. Please go ahead and upload.

Thanks! I have uploaded them to -proposed.

Accepted into -proposed, please go ahead with QA testing.

iptables (1.3.6.0debian1-5ubuntu2.1) feisty-proposed; urgency=low

  * iptables/extensions/Makefile: enable "rt" module to enhance ip6tables
    matching capabilities. Add 090_enable-ipv6-rt.patch to match inline
    changes (LP: #114184).

 -- Kees Cook <email address hidden> Wed, 04 Jul 2007 16:57:55 -0700

One occasion where changelog-closes-bugs does the wrong thing.

Verifed that iptables version 1.3.3-2ubuntu4.1 works as expected on Dapper.

Verified that iptables version 1.3.5.0debian1-1ubuntu2.1 works as expected on Edgy.

Verified that iptables version 1.3.6.0debian1-5ubuntu2.1 works as expected on Feisty.

This has been in -proposed for >7 days and has passed QA. Please copy from -proposed to -updates.

Copied to feisty-updates.

Copied to edgy-updates.

Copied to dapper-updates.