On Sun, 2006-10-08 at 20:36 -0500, Jay Cliburn wrote:
> Michael H. Warfield wrote:
> > On Sun, 2006-10-08 at 13:32 -0500, Jay Cliburn wrote:
> >> Michael H. Warfield wrote:
> >>> Hey all,
> >>>
> >>> I've found that the IPv6 state matching is non-functional in FC6.
> >
> >> Oh, and by the way, ip6tables state matching is nonfunctional, period; not just
> >> in Fedora. The Netfilter team hasn't yet implemented state matching in ip6tables.
> >
> > Strange that it accepts the -m state option to ip6tables then. There
> > is certainly a libip6t_state.so in /lib/iptables. If it hasn't been
> > implemented, then what's in that friggen library?
>
> I retract my earlier assertion that state matching is nonfunctional.
>
> [root@osprey iptables]# strings /lib64/iptables/libip6t_state.so | grep state
> --state
> You must specify `--state'
> Bad state `%s'
> state
> state v%s options:
> [!] --state [INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED][,...]
> state
>
> Now to find out why it doesn't work in rawhide...

Oh... Another point on the curve... This may be a kernel issue. The
rules are getting loaded properly.

Here's a dump of the rules from the system in question:

[root@cabra iptables]# ip6tables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all      anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all      anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere
ACCEPT     ipv6-icmp    anywhere             anywhere
ACCEPT     ipv6-crypt    anywhere             anywhere
ACCEPT     ipv6-auth    anywhere             anywhere
ACCEPT     udp      anywhere             ff02::fb/128        udp dpt:mdns
ACCEPT     udp      anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp      anywhere             anywhere            tcp dpt:ipp
ACCEPT     all      anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp      anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     udp      anywhere             anywhere            state NEW udp dpt:netbios-ns
ACCEPT     udp      anywhere             anywhere            state NEW udp dpt:netbios-dgm
ACCEPT     tcp      anywhere             anywhere            state NEW tcp dpt:netbios-ssn
ACCEPT     tcp      anywhere             anywhere            state NEW tcp dpt:microsoft-ds
ACCEPT     tcp      anywhere             anywhere            state NEW tcp dpt:https
ACCEPT     tcp      anywhere             anywhere            state NEW tcp dpt:http
DROP       all      anywhere             anywhere

So, apparently, ip6tables was able to set the rules (and list them from
the kernel) with state matching. The problem doesn't appear to be a
user space problem.

	Mike
-- 
Michael H. Warfield (AI4NB)    | (770) 985-6132 | mhw WittsEnd com
  /\/\|=mhw=|\/\/              | (678) 463-0932 | http://www.wittsend.com/mhw/
  NIC whois: MHW9              | An optimist believes we live in the best of all
  PGP Key: 0xDF1DD471          | possible worlds. A pessimist is sure of it!
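The chain dump above is the evidence that user space loaded the state rules; the open question in the thread is whether the kernel actually honours them. The following Python script is an added example, not code from the thread or from the netfilter project: it parses `ip6tables -L` output (the same format as the dump) and lists every rule whose outcome depends on connection tracking, so an administrator can see exactly which ACCEPT rules rely on the `state` match and what would fall through to the trailing DROP if IPv6 conntrack is not working. The sample input is the message's own chain dump, reconstructed one rule per line; the parser also tolerates the `--` that IPv4 iptables prints in the opt column. No assumption is made about which kernel module implements the tracking.

```python
"""Parse `ip6tables -L` output and report the rules that depend on the
`state` match.  Added example with a constructed sample; not from the thread."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the chain dump from the message, one rule per line.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all      anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all      anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere
ACCEPT     ipv6-icmp    anywhere             anywhere
ACCEPT     ipv6-crypt    anywhere             anywhere
ACCEPT     ipv6-auth    anywhere             anywhere
ACCEPT     udp      anywhere             ff02::fb/128        udp dpt:mdns
ACCEPT     udp      anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp      anywhere             anywhere            tcp dpt:ipp
ACCEPT     all      anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp      anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     udp      anywhere             anywhere            state NEW udp dpt:netbios-ns
ACCEPT     udp      anywhere             anywhere            state NEW udp dpt:netbios-dgm
ACCEPT     tcp      anywhere             anywhere            state NEW tcp dpt:netbios-ssn
ACCEPT     tcp      anywhere             anywhere            state NEW tcp dpt:microsoft-ds
ACCEPT     tcp      anywhere             anywhere            state NEW tcp dpt:https
ACCEPT     tcp      anywhere             anywhere            state NEW tcp dpt:http
DROP       all      anywhere             anywhere
"""

# "Chain NAME (policy ACCEPT)" for built-in chains, "Chain NAME (N references)" for user chains.
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\w+)|(\d+) references)\)$")
STATE_RE = re.compile(r"\bstate (\S+)")


def parse_listing(text: str) -> Dict[str, dict]:
    """Return {chain: {"policy": str|None, "references": int|None, "rules": [dict, ...]}}."""
    chains: Dict[str, dict] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {
                "policy": m.group(2),
                "references": int(m.group(3)) if m.group(3) else None,
                "rules": [],
            }
            continue
        tokens = line.split()
        if tokens[0] == "target":  # column header line under each chain
            continue
        if current is None:
            raise ValueError("rule line before any 'Chain' header")
        # IPv4 iptables prints "--" in the opt column; ip6tables leaves it blank.
        if len(tokens) > 2 and tokens[2] == "--":
            del tokens[2]
        if len(tokens) < 4:
            raise ValueError(f"unexpected rule line: {line!r}")
        chains[current]["rules"].append({
            "target": tokens[0],
            "prot": tokens[1],
            "source": tokens[2],
            "destination": tokens[3],
            "match": " ".join(tokens[4:]),  # extra match text, e.g. "state NEW tcp dpt:ssh"
        })
    return chains


def state_dependent_rules(chains: Dict[str, dict]) -> List[Tuple[str, str, str, str]]:
    """(chain, target, states, match text) for each rule that uses the `state` match."""
    found = []
    for name, chain in chains.items():
        for rule in chain["rules"]:
            m = STATE_RE.search(rule["match"])
            if m:
                found.append((name, rule["target"], m.group(1), rule["match"]))
    return found


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    for chain, target, states, match in state_dependent_rules(parsed):
        print(f"{chain}: {target} depends on conntrack for {states}  [{match}]")
```

Run against the sample, the script reports eight rules in RH-Firewall-1-INPUT that need connection tracking (the RELATED,ESTABLISHED catch-all and the seven NEW service rules); every packet those rules were meant to accept is otherwise evaluated by the remaining non-state rules and the final DROP. Feeding it `ip6tables -L` from a live host (`ip6tables -L | python3 script.py` with the sample replaced by `sys.stdin.read()`) gives the same inventory for that host.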