ICMP type 'beyond-scope' is not supported by the kernel for ipv6.

Support for security such as Firewalls and securing linux
barneybloggs
Posts: 7
Joined: 2017/09/16 15:49:02

ICMP type 'beyond-scope' is not supported by the kernel for ipv6.

Post by barneybloggs » 2018/03/21 11:25:56

Hi all,
I have CentOS Linux release 7.4.1708 (Core)
When I check firewalld status:
::>systemctl status firewalld.service
I see the following warnings
...
Mar 21 10:25:46 localhost.localdomain firewalld[825]: WARNING: ICMP type 'beyond-scope' is not supported by the kernel for ipv6.
Mar 21 10:25:46 localhost.localdomain firewalld[825]: WARNING: beyond-scope: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
Mar 21 10:25:46 localhost.localdomain firewalld[825]: WARNING: ICMP type 'failed-policy' is not supported by the kernel for ipv6.
Mar 21 10:25:46 localhost.localdomain firewalld[825]: WARNING: failed-policy: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
Mar 21 10:25:48 localhost.localdomain firewalld[825]: WARNING: ICMP type 'reject-route' is not supported by the kernel for ipv6.
Mar 21 10:25:48 localhost.localdomain firewalld[825]: WARNING: reject-route: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.

I've Googled the first warning message and I found this bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1479951

Whilst the bug does not represent a real problem, it has been fixed in minor release rhel-7.5.0.

I have a cron job setup to check for yum updates

Mar 21 10:25:37 localhost.localdomain systemd[1]: Starting Run automatic yum updates as a cron job...
Mar 21 10:25:38 localhost.localdomain systemd[1]: Started Run automatic yum updates as a cron job.

The yum update cron job checks for all updates afaik.
I know the dates above are today, but I have been seeing these warnings for a while now.

Yum updates were last applied on 16th March:
Mar 16 23:14:43 Updated: dhcp-libs.x86_64 12:4.2.5-58.el7.centos.3
Mar 16 23:14:44 Updated: dhcp-common.x86_64 12:4.2.5-58.el7.centos.3
Mar 16 23:14:44 Updated: dhclient.x86_64 12:4.2.5-58.el7.centos.3
Mar 16 23:14:59 Updated: firefox.x86_64 52.7.0-1.el7.centos


Is there a fix on the way for this bug in my CentOS version?

Regards,
Barneybloggs.

avij
Forum Moderator
Posts: 2579
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: ICMP type 'beyond-scope' is not supported by the kernel for ipv6.

Post by avij » 2018/03/21 13:06:37

You wrote that "it has been fixed in minor release rhel-7.5.0". The tense is incorrect. According to the bz entry, "the fix is planned for upcoming minor release rhel-7.5.0". RHEL 7.5 has not been released yet.

Comment #9 in that bugzilla entry has a workaround. Perhaps it helps.

barneybloggs
Posts: 7
Joined: 2017/09/16 15:49:02

Re: ICMP type 'beyond-scope' is not supported by the kernel for ipv6.

Post by barneybloggs » 2018/03/21 15:50:48

Hi,
Thanks for the reply. I have tried that workaround.
reject-route.xml wasn't in the exact same location on my computer.
I found it in /usr/lib/firewalld/icmptypes:
[root@centsrv icmptypes]# mv reject-route.xml reject-route.xml.bad
[root@centsrv icmptypes]# systemctl restart firewalld.service
[root@centsrv icmptypes]# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2018-03-21 15:47:07 GMT; 16s ago
Docs: man:firewalld(1)
Main PID: 2763 (firewalld)
CGroup: /system.slice/firewalld.service
└─2763 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Mar 21 15:47:06 centsrv systemd[1]: Starting firewalld - dynamic firewall daemon...
Mar 21 15:47:07 centsrv systemd[1]: Started firewalld - dynamic firewall daemon.
Mar 21 15:47:07 centsrv firewalld[2763]: WARNING: ICMP type 'beyond-scope' is not supported by the kernel for ipv6.
Mar 21 15:47:07 centsrv firewalld[2763]: WARNING: beyond-scope: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
Mar 21 15:47:07 centsrv firewalld[2763]: WARNING: ICMP type 'failed-policy' is not supported by the kernel for ipv6.
Mar 21 15:47:07 centsrv firewalld[2763]: WARNING: failed-policy: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.

Guess I'll just wait for the patch to be released.

Thanks anyway for the response.

barneybloggs
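
The log check behind the post above, as an added example that is not part of the original thread: it extracts the ICMP type names firewalld still warns about and reports whether a matching definition file exists in a given directory. The function and variable names are hypothetical; the sample lines are the ones quoted in the post.

```shell
#!/bin/sh
# Added example (not from the thread): list the ICMP types firewalld still
# reports as unsupported and check for a matching definition file.

# Directory named in the post above.
ICMPTYPE_DIR=/usr/lib/firewalld/icmptypes

# Sample input: the firewalld lines quoted in the post after the restart.
SAMPLE_LOG="Mar 21 15:47:07 centsrv firewalld[2763]: WARNING: ICMP type 'beyond-scope' is not supported by the kernel for ipv6.
Mar 21 15:47:07 centsrv firewalld[2763]: WARNING: beyond-scope: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
Mar 21 15:47:07 centsrv firewalld[2763]: WARNING: ICMP type 'failed-policy' is not supported by the kernel for ipv6.
Mar 21 15:47:07 centsrv firewalld[2763]: WARNING: failed-policy: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
Mar 21 15:47:07 centsrv systemd[1]: Started firewalld - dynamic firewall daemon."

# unsupported_icmptypes (hypothetical name): read log text on stdin and print
# one "name family" pair per distinct unsupported-type warning.
unsupported_icmptypes() {
    sed -n "s/.*WARNING: ICMP type '\([^']*\)' is not supported by the kernel for \(ipv[46]\)\..*/\1 \2/p" |
        sort -u
}

# pending_files (hypothetical name): for each pair, report whether
# <dir>/<name>.xml is still present in the given directory.
pending_files() {
    dir=$1
    unsupported_icmptypes | while read -r name family; do
        if [ -e "$dir/$name.xml" ]; then state=present; else state=absent; fi
        printf '%s %s %s\n' "$name" "$family" "$state"
    done
}

# Demo on the embedded sample. On a live host, feed the journal instead:
#   journalctl -u firewalld -b --no-pager | pending_files "$ICMPTYPE_DIR"
printf '%s\n' "$SAMPLE_LOG" | pending_files "$ICMPTYPE_DIR"
```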
