
Re: [SOLVED] Re: ip6tables -m state (match state) not working...



On Thu, Oct 12, 2006 at 02:01:23AM -0400, Dave Jones wrote:
> On Wed, Oct 11, 2006 at 09:20:59PM -0500, Jay Cliburn wrote:
> 
>  > > 	I've found that the IPv6 state matching is non-functional in FC6.  I
>  > > first tried it in Test3 and have just reinstalled the entire system from
>  > > scratch from rawhide and verified it from the latest rawhide.
>  > [snip]
>  > > 	Filed in bugzilla: 209945
>  > > 
>  > > 	https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=209945
>  > 
>  > This is a kernel configuration issue.  Configure the kernel as follows and 
>  > rebuild it.  After that, ip6tables will honor "-m state".  If you don't build 
>  > the kernel with these options, all IPv6 packets are seen as INVALID by 
>  > netfilter.  (To see this for yourself, set up a log rule matching on "-m state 
>  > INVALID".)
>  > 
>  > Here are the kernel config options:
>  > 
>  > Networking->Networking options->Network packet filtering (replaces 
>  > ipchains)->IP: Netfilter Configuration
>  > 
>  > Unset this option:
>  > < > Connection tracking (required for masq/NAT)
>  > 
>  > Networking->Networking options->Network packet filtering (replaces 
>  > ipchains)->Core Netfilter Configuration
>  > 
>  > Set these options:
>  > <*> Layer 3 Independent Connection tracking (EXPERIMENTAL)
>  > [*]   Connection tracking flow accounting
>  > [*]   Connection mark tracking support
>  > [*]   Connection tracking security mark support
>  > [*]   Connection tracking events (EXPERIMENTAL)
> 
> This is marked EXPERIMENTAL for a reason. It's incomplete for some
> features.  You can only enable this if you disable the old conntrack code.
> From conversation with the upstream networking folks, enabling this
> will also break NAT.  It'll not be completely usable until at least 2.6.20.

Noted, and thank you for the amplifying information.  At least we now know:

a) why IPv6 netfilter state matching doesn't work on as-delivered Fedora;
b) what we need to do to make IPv6 netfilter state matching work;
c) what some of the side effects are.

Prior to now, all we had was an apparently nonfunctioning IPv6 stack when 
the default Fedora ip6tables rules were activated.

Jay 
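As an added example (not part of the thread or of Fedora), a POSIX shell check that applies the quoted recipe to a kernel .config, so an administrator can see before rebooting whether IPv6 "-m state" will work. The CONFIG_* symbol names are my mapping of the menu entries quoted above for 2.6.18-era kernels, and the two sample configs are constructed; both are assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example: verify a kernel .config against the conntrack recipe from
# the thread. Symbol names below are my assumed mapping of the menu entries:
#   Layer 3 Independent Connection tracking  -> NF_CONNTRACK
#   Connection tracking flow accounting      -> NF_CT_ACCT
#   Connection mark tracking support         -> NF_CONNTRACK_MARK
#   Connection tracking security mark support-> NF_CONNTRACK_SECMARK
#   Connection tracking events               -> NF_CONNTRACK_EVENTS
#   Connection tracking (required for masq/NAT) -> IP_NF_CONNTRACK (must be off)
REQUIRED="NF_CONNTRACK NF_CT_ACCT NF_CONNTRACK_MARK NF_CONNTRACK_SECMARK NF_CONNTRACK_EVENTS"
FORBIDDEN="IP_NF_CONNTRACK"

# check_conntrack_config FILE
# Prints one line per problem; returns 0 only if the config follows the recipe.
check_conntrack_config() {
    cfg="$1"; rc=0
    for opt in $REQUIRED; do
        # =y matches the <*> in the recipe; =m is accepted as a loadable module.
        if ! grep -q "^CONFIG_${opt}=[ym]$" "$cfg"; then
            echo "missing: CONFIG_${opt} must be set"; rc=1
        fi
    done
    for opt in $FORBIDDEN; do
        # The new conntrack can only be enabled when the old one is unset.
        if grep -q "^CONFIG_${opt}=[ym]$" "$cfg"; then
            echo "conflict: CONFIG_${opt} is enabled; old conntrack must be unset"; rc=1
        fi
    done
    return $rc
}

# write_samples DEFAULT_FILE FIXED_FILE
# Constructed sample configs: a Fedora-like default (old conntrack as a module,
# L3-independent conntrack off) and one that follows the recipe.
write_samples() {
    printf '%s\n' 'CONFIG_IP_NF_CONNTRACK=m' \
        '# CONFIG_NF_CONNTRACK is not set' > "$1"
    printf '%s\n' '# CONFIG_IP_NF_CONNTRACK is not set' \
        'CONFIG_NF_CONNTRACK=y' 'CONFIG_NF_CT_ACCT=y' \
        'CONFIG_NF_CONNTRACK_MARK=y' 'CONFIG_NF_CONNTRACK_SECMARK=y' \
        'CONFIG_NF_CONNTRACK_EVENTS=y' > "$2"
}

# Real-system use: check_conntrack_config /boot/config-"$(uname -r)"
# If it fails, the thread's diagnostic applies: a LOG rule on "-m state
# --state INVALID" will show every IPv6 packet being classified INVALID.
```

On a running system, pair the check with the thread's own diagnostic (a LOG rule matching INVALID state) to confirm the symptom before and after the rebuild.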

