commit 5e0b34d6492109e5039cb367a97a1a4564a1c545
Author: Jiri Popelka <jpopelka@redhat.com>
Date: Wed Dec 3 18:28:17 2014 +0100
Don't use ipv6header for protocol matching. (RHBZ#1065565)
for example
ip6tables -m ipv6header --header tcp -j ACCEPT
doesn't work even though iptables-extensions(8) claims:
'A protocol name from /etc/protocols and numeric value also allowed.'
It might be a bug in iptables, but I think using ipv6header just for
protocol matching is overkill anyway and using --protocol should be fine.
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index cb7b7c9..ed6e995 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -798,10 +798,7 @@ class FirewallZone:
if proto in [ "tcp", "udp" ]:
command += [ "-m", proto, "-p", proto ]
else:
- if ipv == "ipv4":
- command += [ "-p", proto ]
- else:
- command += [ "-m", "ipv6header", "--header", proto ]
+ command += [ "-p", proto ]
if port:
command += [ "--dport", "%s" % portStr(port) ]
if ipv in svc.destination and svc.destination[ipv] != "":
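Review bot: The replaced `else:` branch now carries no hint of why `-p` is used for both address families, which is exactly the kind of decision a later maintainer may "fix" back to `ipv6header`; a one-line comment above `command += [ "-p", proto ]` would pin it, e.g. `# use -p for every protocol: ipv6header --header does not accept protocol names (RHBZ#1065565)`. The same branch is duplicated verbatim in the second hunk (`rule += [ "-p", proto ]` at line 1089), so the comment belongs there too, or both call sites could share one small helper that builds the `-m`/`-p`/`--dport` prefix from `proto` and `port`. With `-p` on both families, correctness now rests solely on `proto` being a valid name or number for the kernel, so wherever service protocols are validated should be the only place that accepts them; I cannot see that validation from here. Both enclosing methods start and end outside the hunks.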
@@ -1092,10 +1089,7 @@ class FirewallZone:
if proto in [ "tcp", "udp" ]:
rule += [ "-m", proto, "-p", proto ]
else:
- if ipv == "ipv4":
- rule += [ "-p", proto ]
- else:
- rule += [ "-m", "ipv6header", "--header", proto ]
+ rule += [ "-p", proto ]
if port:
rule += [ "--dport", "%s" % portStr(port) ]
if ipv in svc.destination and svc.destination[ipv] != "":