[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: ip6tables -m state (match state) not working...



Michael H. Warfield wrote:
> On Sun, 2006-10-08 at 20:36 -0500, Jay Cliburn wrote:
>> Michael H. Warfield wrote:
>>> On Sun, 2006-10-08 at 13:32 -0500, Jay Cliburn wrote:
>>>> Michael H. Warfield wrote:
>>>>> Hey all,
>>>>>
>>>>> I've found that the IPv6 state matching is non-functional in FC6.
>>>> Oh, and by the way, ip6tables state matching is nonfunctional, period; not just in Fedora. The Netfilter team hasn't yet implemented state matching in ip6tables.
>>> 	Strange that it accepts the -m state option to ip6tables then.  There
>>> is certainly a libip6t_state.so in /lib/iptables.  If it hasn't been
>>> implemented, then what's in that friggen library?
>> I retract my earlier assertion that state matching is nonfunctional.
>>
>> [root osprey iptables]# strings /lib64/iptables/libip6t_state.so | grep state
>> --state
>> You must specify `--state'
>> Bad state `%s'
>> state
>> state v%s options:
>>   [!] --state [INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED][,...]
>> state
>>
>> Now to find out why it doesn't work in rawhide...
>
> 	Oh...  Another point on the curve...  This may be a kernel issue.  The
> rules are getting loaded properly.  Here's a dump of the rules from the
> system in question:
>
> [root cabra iptables]# ip6tables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> RH-Firewall-1-INPUT  all      anywhere             anywhere
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> RH-Firewall-1-INPUT  all      anywhere             anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain RH-Firewall-1-INPUT (2 references)
> target     prot opt source               destination
> ACCEPT     all      anywhere             anywhere
> ACCEPT     ipv6-icmp    anywhere             anywhere
> ACCEPT     ipv6-crypt    anywhere             anywhere
> ACCEPT     ipv6-auth    anywhere             anywhere
> ACCEPT     udp      anywhere             ff02::fb/128       udp dpt:mdns
> ACCEPT     udp      anywhere             anywhere           udp dpt:ipp
> ACCEPT     tcp      anywhere             anywhere           tcp dpt:ipp
> ACCEPT     all      anywhere             anywhere           state RELATED,ESTABLISHED
> ACCEPT     tcp      anywhere             anywhere           state NEW tcp dpt:ssh
> ACCEPT     udp      anywhere             anywhere           state NEW udp dpt:netbios-ns
> ACCEPT     udp      anywhere             anywhere           state NEW udp dpt:netbios-dgm
> ACCEPT     tcp      anywhere             anywhere           state NEW tcp dpt:netbios-ssn
> ACCEPT     tcp      anywhere             anywhere           state NEW tcp dpt:microsoft-ds
> ACCEPT     tcp      anywhere             anywhere           state NEW tcp dpt:https
> ACCEPT     tcp      anywhere             anywhere           state NEW tcp dpt:http
> DROP       all      anywhere             anywhere
>
> 	So, apparently, ip6tables was able to set the rules (and list them from
> the kernel) with state matching.  The problem doesn't appear to be a
> user space problem.
>
> I'm building 2.6.19-rc1 as we speak...
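Editor's note (added example, not part of the thread and not code from Netfilter or Fedora): the thread shows why "the rule loaded and `ip6tables -L` lists it" is not evidence that state matching works. The state match is a userspace extension plus a kernel connection tracker; the extension can parse `--state` and the kernel can store the rule while no IPv6 tracker exists to feed it, so the rule simply never fires. The script below separates the two questions with the checks a practitioner would actually run: whether `-m state` loads in userspace, whether the kernel exposes any IPv6 flows, and whether the per-rule packet counters of the state rules (visible with `ip6tables -nvxL`; plain `-L` hides counters and interfaces) ever move. The counting functions work on captured text so they can be exercised on the constructed samples embedded here; `--live` runs them against the local host. The paths and formats it relies on (`/proc/net/nf_conntrack` with the L3 family in the first column, exact counters in column 1 of `-nvxL` output) are assumptions about a current Linux system, not facts stated in the thread.

```shell
#!/bin/sh
# Added diagnostic for the symptom in the thread: ip6tables accepts and lists
# "-m state" rules, yet nothing is ever matched because the kernel has no
# IPv6 connection tracking behind them.  Not code from the thread or from
# Netfilter.  Assumptions (not stated in the thread): a Linux host whose
# unified tracking table is /proc/net/nf_conntrack, where each entry starts
# with its L3 family ("ipv4"/"ipv6"), and an ip6tables whose -nvxL output
# prints exact per-rule packet counters in column 1.

# Rules in `ip6tables -L` / `-nvxL` text (stdin) that carry a state match.
count_state_rules() {
    awk '/(^|[ \t])state [A-Z]/ { n++ } END { print n + 0 }'
}

# IPv6 flows in /proc/net/nf_conntrack text (stdin).
count_ipv6_flows() {
    awk '$1 == "ipv6" { n++ } END { print n + 0 }'
}

# Packets matched by state rules, summed from `ip6tables -nvxL` text (stdin).
# Counters that stay at 0 while IPv6 traffic flows are the real tell: a rule
# can be loaded and listed without the tracker behind it ever firing.
sum_state_rule_packets() {
    awk '$1 ~ /^[0-9]+$/ && /(^|[ \t])state [A-Z]/ { s += $1 } END { print s + 0 }'
}

# verdict RULES FLOWS PACKETS -> no-state-rules | tracking | rules-only
verdict() {
    if [ "$1" -eq 0 ]; then
        echo no-state-rules          # nothing to judge
    elif [ "$2" -gt 0 ] || [ "$3" -gt 0 ]; then
        echo tracking                # flows exist or state rules have fired
    else
        echo rules-only              # loaded but dead: the thread's situation
    fi
}

# Constructed sample data (not captured from the systems in the thread).
SAMPLE_RULES='   120  9600 ACCEPT     all      *      *       ::/0                 ::/0                 state RELATED,ESTABLISHED
     3   240 ACCEPT     tcp      *      *       ::/0                 ::/0                 state NEW tcp dpt:22
     0     0 DROP       all      *      *       ::/0                 ::/0'
SAMPLE_CONNTRACK='ipv6     10 tcp      6 431999 ESTABLISHED src=2001:db8::1 dst=2001:db8::2 sport=45678 dport=22 src=2001:db8::2 dst=2001:db8::1 sport=22 dport=45678 [ASSURED] mark=0 use=1
ipv4     2 udp      17 29 src=192.0.2.1 dst=192.0.2.53 sport=5353 dport=53 src=192.0.2.53 dst=192.0.2.1 sport=53 dport=5353 mark=0 use=1'

demo() {
    rules=$(printf '%s\n' "$SAMPLE_RULES" | count_state_rules)
    pkts=$(printf '%s\n' "$SAMPLE_RULES" | sum_state_rule_packets)
    flows=$(printf '%s\n' "$SAMPLE_CONNTRACK" | count_ipv6_flows)
    echo "sample: rules=$rules flows=$flows pkts=$pkts verdict=$(verdict "$rules" "$flows" "$pkts")"
    # Same rules with no flows and no matches, as on the host in the thread.
    echo "thread-like: rules=$rules flows=0 pkts=0 verdict=$(verdict "$rules" 0 0)"
}

# Live run on the local host (needs root): sh ip6state-check.sh --live
diagnose_live() {
    # Userspace side: does the state extension load at all (exit status 0)?
    if ip6tables -m state -h >/dev/null 2>&1; then
        echo "userspace: -m state accepted"
    else
        echo "userspace: -m state NOT available"
    fi
    rules=$(ip6tables -nvxL 2>/dev/null | count_state_rules)
    pkts=$(ip6tables -nvxL 2>/dev/null | sum_state_rule_packets)
    if [ -r /proc/net/nf_conntrack ]; then
        flows=$(count_ipv6_flows < /proc/net/nf_conntrack)
    else
        flows=0
        echo "kernel: /proc/net/nf_conntrack absent (no conntrack support loaded)"
    fi
    echo "live: rules=$rules flows=$flows pkts=$pkts verdict=$(verdict "$rules" "$flows" "$pkts")"
}

case "${1-}" in
    --live) diagnose_live ;;
    *)      demo ;;
esac
```

Run it on a quiet host and then open an SSH session to it from an IPv6 peer; if the RELATED,ESTABLISHED counter and the IPv6 flow count stay at zero while the session works (because the rule above the state rules, or the chain policy, let it through), the kernel side of tracking is what is missing, exactly the split the thread arrives at.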

