[SOLVED] Re: ip6tables -m state (match state) not working...

Michael H. Warfield mhw at WittsEnd.com
Thu Oct 12 16:50:46 UTC 2006


On Thu, 2006-10-12 at 02:01 -0400, Dave Jones wrote:
> On Wed, Oct 11, 2006 at 09:20:59PM -0500, Jay Cliburn wrote:

>  > > 	I've found that the IPv6 state matching is non-functional in FC6.  I
>  > > first tried it in Test3 and have just reinstalled the entire system from
>  > > scratch from rawhide and verified it from the latest rawhide.
>  > [snip]
>  > > 	Filed in bugzilla: 209945
>  > > 
>  > > 	https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=209945
>  > 
>  > This is a kernel configuration issue.  Configure the kernel as follows and 
>  > rebuild it.  After that, ip6tables will honor "-m state".  If you don't build 
>  > the kernel with these options, all IPv6 packets are seen as INVALID by 
>  > netfilter.  (To see this for yourself, set up a log rule matching on "-m state 
>  > INVALID".)
>  > 
>  > Here are the kernel config options:
>  > 
>  > Networking->Networking options->Network packet filtering (replaces 
>  > ipchains)->IP: Netfilter Configuration
>  > 
>  > Unset this option:
>  > < > Connection tracking (required for masq/NAT)
>  > 
>  > Networking->Networking options->Network packet filtering (replaces 
>  > ipchains)->Core Netfilter Configuration
>  > 
>  > Set these options:
>  > <*> Layer 3 Independent Connection tracking (EXPERIMENTAL)
>  > [*]   Connection tracking flow accounting
>  > [*]   Connection mark tracking support
>  > [*]   Connection tracking security mark support
>  > [*]   Connection tracking events (EXPERIMENTAL)

> This is marked EXPERIMENTAL for a reason. It's incomplete for some
> features.  You can only enable this if you disable the old conntrack code.
> From conversation with the upstream networking folks, enabling this
> will also break NAT.  It'll not be completely usable until at least 2.6.20

	Cool!  That's good to know.  Now I can stop digging through kernel and
iptables sources.  :-)

	I trust then that the default IPv6 firewall logic/rules for FC6 will be
modified to avoid this behavior until such time as it becomes fully
functional?  Right now it's seriously broken OOB (out of the box) and
leaves the entire IPv6 networking non-functional.

> 		Dave

	Thanks!

	Regards,
	Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!
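As an added example (not part of this thread, and not Fedora's own firewall scripts), the POSIX shell script below turns the quoted advice into two checks that run offline: it inspects a kernel `.config` for the connection-tracking options the post says must be set or unset, and it prints a diagnostic ip6tables chain that logs packets conntrack classifies as INVALID, then counts such hits in a kernel log. The `CONFIG_*` symbol names are my mapping of the menuconfig entries quoted above (verify them against your kernel's Kconfig), and every sample input (the two config fragments and the log lines) is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: checks for the ip6tables "-m state"
# problem described above.
#  1. check_config: does a kernel .config have the conntrack options the
#     quoted post lists (new layer-3 independent conntrack on, old off)?
#  2. diag_rules / count_invalid: log what conntrack calls INVALID and count
#     the hits, which is how the post suggests confirming the symptom.
# Assumptions: CONFIG_* names are my mapping of the menuconfig entries;
# all sample inputs below are constructed, not captured from a real box.

# Must be built in (y) or as a module (m): layer-3 independent conntrack
# plus its IPv6 support.
CT_REQUIRED="CONFIG_NF_CONNTRACK CONFIG_NF_CONNTRACK_IPV6"
# The old IPv4-only conntrack, which the post says must be unset.
CT_FORBIDDEN="CONFIG_IP_NF_CONNTRACK"

# check_config FILE: print each problem found; return 0 only if none.
check_config() {
    _rc=0
    for _sym in $CT_REQUIRED; do
        if ! grep -Eq "^${_sym}=(y|m)$" "$1"; then
            echo "missing: $_sym (must be y or m)"
            _rc=1
        fi
    done
    for _sym in $CT_FORBIDDEN; do
        if grep -Eq "^${_sym}=(y|m)$" "$1"; then
            echo "conflict: $_sym must be unset"
            _rc=1
        fi
    done
    return $_rc
}

# diag_rules: print (do not run) a chain that logs INVALID packets.
# The limit match keeps a broken conntrack from flooding the log.
diag_rules() {
    cat <<'EOF'
ip6tables -N STATE_DIAG
ip6tables -A STATE_DIAG -m state --state INVALID -m limit --limit 5/min -j LOG --log-prefix "ip6 INVALID: "
ip6tables -I INPUT 1 -j STATE_DIAG
EOF
}

# count_invalid LOGFILE: number of lines the diagnostic rule produced.
# grep -c exits 1 on zero matches; "|| true" keeps that from aborting.
count_invalid() {
    grep -c 'ip6 INVALID: ' "$1" || true
}

# invalid_sources LOGFILE: distinct SRC= addresses among those lines.
invalid_sources() {
    grep 'ip6 INVALID: ' "$1" | sed -n 's/.*SRC=\([^ ]*\).*/\1/p' | sort -u
}

# write_samples DIR: constructed inputs so the script runs offline.
write_samples() {
    cat > "$1/config.broken" <<'EOF'
CONFIG_IP_NF_CONNTRACK=m
# CONFIG_NF_CONNTRACK is not set
EOF
    cat > "$1/config.fixed" <<'EOF'
# CONFIG_IP_NF_CONNTRACK is not set
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CONNTRACK_IPV6=m
EOF
    # Constructed LOG-target lines in the kernel's IPv6 format.
    cat > "$1/kern.log" <<'EOF'
Oct 12 10:00:01 host kernel: ip6 INVALID: IN=eth0 OUT= SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=33000 DPT=22 WINDOW=5760 RES=0x00 SYN URGP=0
Oct 12 10:00:01 host kernel: ip6 INVALID: IN=eth0 OUT= SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=33000 DPT=22 WINDOW=5760 RES=0x00 ACK URGP=0
Oct 12 10:00:02 host kernel: ip6 INVALID: IN=eth0 OUT= SRC=2001:0db8:0000:0000:0000:0000:0000:0003 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=64 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0
Oct 12 10:00:03 host kernel: unrelated message
EOF
}

# Demonstration on the constructed inputs.
SAMPLES=$(mktemp -d)
write_samples "$SAMPLES"
echo "== broken config =="; check_config "$SAMPLES/config.broken" || true
echo "== fixed config =="; check_config "$SAMPLES/config.fixed" && echo ok
echo "== diagnostic rules =="; diag_rules
echo "INVALID hits: $(count_invalid "$SAMPLES/kern.log")"
echo "sources:"; invalid_sources "$SAMPLES/kern.log"
```

On a real system, point `check_config` at `/boot/config-$(uname -r)` and, after applying the rules that `diag_rules` prints, run `count_invalid` against `/var/log/messages`. A steady stream of INVALID hits for ordinary traffic (the SYN and the following ACK of the same flow both logged, as in the constructed sample) is the symptom the thread describes: conntrack is not tracking IPv6 at all, so every packet looks INVALID and any rule that relies on ESTABLISHED,RELATED never matches.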


