
[SOLVED] Re: ip6tables -m state (match state) not working...



Michael H. Warfield wrote:
Hey all,

	I've found that the IPv6 state matching is non-functional in FC6.  I
first tried it in Test3 and have just reinstalled the entire system from
scratch from rawhide and verified it from the latest rawhide.
[snip]
	Filed in bugzilla: 209945

	https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=209945

This is a kernel configuration issue. Configure the kernel as follows and rebuild it. After that, ip6tables will honor "-m state". If you don't build the kernel with these options, all IPv6 packets are seen as INVALID by netfilter. (To see this for yourself, set up a log rule matching on "-m state INVALID".)

Here are the kernel config options:

Networking->Networking options->Network packet filtering (replaces ipchains)->IP: Netfilter Configuration

Unset this option:
< > Connection tracking (required for masq/NAT)


Networking->Networking options->Network packet filtering (replaces ipchains)->Core Netfilter Configuration

Set these options:
<*> Layer 3 Independent Connection tracking (EXPERIMENTAL)
[*]   Connection tracking flow accounting
[*]   Connection mark tracking support
[*]   Connection tracking security mark support
[*]   Connection tracking events (EXPERIMENTAL)

Jay
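
An added example, not part of the original message: a shell check of a kernel `.config` against the settings listed above. The `CONFIG_` symbol names are an assumed mapping of the menu labels for kernels of that era, and the sample configs are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. The CONFIG_ symbol names are an
# assumed mapping of the menu labels in the post (2.6.18-era Kconfig).

# Print y, m or n (unset or absent) for symbol $2 in config file $1.
cfg_value() {
    v=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    echo "${v:-n}"
}

# Compare config file $1 with the post's settings; return 0 on match.
check_ipv6_state_config() {
    rc=0
    # "Connection tracking (required for masq/NAT)" must be unset.
    if [ "$(cfg_value "$1" CONFIG_IP_NF_CONNTRACK)" != n ]; then
        echo "FAIL: CONFIG_IP_NF_CONNTRACK is set; the post says to unset it"
        rc=1
    fi
    # Layer 3 independent connection tracking and its sub-options must be set.
    for sym in CONFIG_NF_CONNTRACK CONFIG_NF_CT_ACCT CONFIG_NF_CONNTRACK_MARK \
               CONFIG_NF_CONNTRACK_SECMARK CONFIG_NF_CONNTRACK_EVENTS; do
        if [ "$(cfg_value "$1" "$sym")" = n ]; then
            echo "FAIL: $sym is not set"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: $1 matches the settings in the post"
    return "$rc"
}

# Constructed sample: a config with the legacy IPv4-only tracker enabled.
write_sample_bad() {
    printf '%s\n' 'CONFIG_IP_NF_CONNTRACK=m' \
        '# CONFIG_NF_CONNTRACK is not set' > "$1"
}

# Constructed sample: a config with the settings from the post.
write_sample_good() {
    printf '%s\n' '# CONFIG_IP_NF_CONNTRACK is not set' \
        'CONFIG_NF_CONNTRACK=y' 'CONFIG_NF_CT_ACCT=y' \
        'CONFIG_NF_CONNTRACK_MARK=y' 'CONFIG_NF_CONNTRACK_SECMARK=y' \
        'CONFIG_NF_CONNTRACK_EVENTS=y' > "$1"
}

# Usage: sh check.sh /path/to/.config
if [ -n "${1:-}" ]; then check_ipv6_state_config "$1"; fi
```

Run it against the `.config` in the kernel build tree before rebuilding; each `FAIL` line names a symbol that differs from the settings in the message.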

