[SOLVED] Re: ip6tables -m state (match state) not working...
Dave Jones
davej at redhat.com
Thu Oct 12 06:01:23 UTC 2006
On Wed, Oct 11, 2006 at 09:20:59PM -0500, Jay Cliburn wrote:
> > I've found that the IPv6 state matching is non-functional in FC6. I
> > first tried it in Test3 and have just reinstalled the entire system from
> > scratch from rawhide and verified it from the latest rawhide.
> [snip]
> > Filed in bugzilla: 209945
> >
> > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=209945
>
> This is a kernel configuration issue. Configure the kernel as follows and
> rebuild it. After that, ip6tables will honor "-m state". If you don't build
> the kernel with these options, all IPv6 packets are seen as INVALID by
> netfilter. (To see this for yourself, set up a log rule matching on "-m state
> INVALID".)
>
> Here are the kernel config options:
>
> Networking->Networking options->Network packet filtering (replaces
> ipchains)->IP: Netfilter Configuration
>
> Unset this option:
> < > Connection tracking (required for masq/NAT)
>
> Networking->Networking options->Network packet filtering (replaces
> ipchains)->Core Netfilter Configuration
>
> Set these options:
> <*> Layer 3 Independent Connection tracking (EXPERIMENTAL)
> [*] Connection tracking flow accounting
> [*] Connection mark tracking support
> [*] Connection tracking security mark support
> [*] Connection tracking events (EXPERIMENTAL)
This is marked EXPERIMENTAL for a reason. It's incomplete for some
features. You can only enable this if you disable the old conntrack code.
From conversation with the upstream networking folks, enabling this
will also break NAT. It'll not be completely usable until at least 2.6.20.
Dave
--
http://www.codemonkey.org.uk
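An added check (not from the thread or from Fedora) that reads a kernel .config and reports whether it follows the recipe above: old IPv4-only conntrack off, layer-3 independent conntrack on. The CONFIG_* symbol names are assumptions mapped from the menuconfig labels quoted in the message.

```shell
#!/bin/sh
# Maps the menuconfig labels from the thread to CONFIG symbols (assumed):
#   Connection tracking (required for masq/NAT)  -> CONFIG_IP_NF_CONNTRACK
#   Layer 3 Independent Connection tracking      -> CONFIG_NF_CONNTRACK
#   Connection tracking flow accounting          -> CONFIG_NF_CT_ACCT
#   Connection mark tracking support             -> CONFIG_NF_CONNTRACK_MARK
#   Connection tracking security mark support    -> CONFIG_NF_CONNTRACK_SECMARK
#   Connection tracking events                   -> CONFIG_NF_CONNTRACK_EVENTS

# cfg_set FILE SYM: true if SYM is built in (=y) or modular (=m) in FILE.
cfg_set() {
    grep -Eq "^$2=(y|m)$" "$1"
}

# ipv6_state_ok FILE: returns 0 when the config matches the recipe
# (IPv4-only conntrack off, L3-independent conntrack on), 1 otherwise,
# printing what to change before rebuilding the kernel.
ipv6_state_ok() {
    f=$1
    rc=0
    if cfg_set "$f" CONFIG_IP_NF_CONNTRACK; then
        echo "CONFIG_IP_NF_CONNTRACK set: IPv4-only conntrack, IPv6 packets will be INVALID"
        rc=1
    fi
    if ! cfg_set "$f" CONFIG_NF_CONNTRACK; then
        echo "CONFIG_NF_CONNTRACK not set: layer-3 independent conntrack missing"
        rc=1
    fi
    # The remaining options are listed in the recipe; report them as notes.
    for sym in CONFIG_NF_CT_ACCT CONFIG_NF_CONNTRACK_MARK \
               CONFIG_NF_CONNTRACK_SECMARK CONFIG_NF_CONNTRACK_EVENTS; do
        cfg_set "$f" "$sym" || echo "note: $sym not set"
    done
    return $rc
}

# Stand-alone use: check the running kernel's config if one is installed.
if [ -r "/boot/config-$(uname -r)" ]; then
    ipv6_state_ok "/boot/config-$(uname -r)" || echo "config needs changes"
fi
```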