ip6tables -m state (match state) not working...

Michael H. Warfield mhw at WittsEnd.com
Mon Oct 9 02:20:02 UTC 2006


On Sun, 2006-10-08 at 20:36 -0500, Jay Cliburn wrote:
> Michael H. Warfield wrote:
> > On Sun, 2006-10-08 at 13:32 -0500, Jay Cliburn wrote:
> >> Michael H. Warfield wrote:
> >>> Hey all,
> >>>
> >>> 	I've found that the IPv6 state matching is non-functional in FC6.  
> > 
> >> Oh, and by the way, ip6tables state matching is nonfunctional, period; not just 
> >> in Fedora.  The Netfilter team hasn't yet implemented state matching in ip6tables.
> > 
> > 	Strange that it accepts the -m state option to ip6tables then.  There
> > is certainly a libip6t_state.so in /lib/iptables.  If it hasn't been
> > implemented, then what's in that friggen library?
> 
> I retract my earlier assertion that state matching is nonfunctional.
> 
> [root at osprey iptables]# strings /lib64/iptables/libip6t_state.so | grep state
> --state
> You must specify `--state'
> Bad state `%s'
> state
> state v%s options:
>   [!] --state [INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED][,...]
> state

> Now to find out why it doesn't work in rawhide...

	Oh...  Another point on the curve...  This may be a kernel issue.  The
rules are getting loaded properly.  Here's a dump of the rules from the
system in question:

[root at cabra iptables]# ip6tables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all      anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all      anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere
ACCEPT     ipv6-icmp    anywhere             anywhere
ACCEPT     ipv6-crypt    anywhere             anywhere
ACCEPT     ipv6-auth    anywhere             anywhere
ACCEPT     udp      anywhere             ff02::fb/128       udp dpt:mdns
ACCEPT     udp      anywhere             anywhere           udp dpt:ipp
ACCEPT     tcp      anywhere             anywhere           tcp dpt:ipp
ACCEPT     all      anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     tcp      anywhere             anywhere           state NEW tcp dpt:ssh
ACCEPT     udp      anywhere             anywhere           state NEW udp dpt:netbios-ns
ACCEPT     udp      anywhere             anywhere           state NEW udp dpt:netbios-dgm
ACCEPT     tcp      anywhere             anywhere           state NEW tcp dpt:netbios-ssn
ACCEPT     tcp      anywhere             anywhere           state NEW tcp dpt:microsoft-ds
ACCEPT     tcp      anywhere             anywhere           state NEW tcp dpt:https
ACCEPT     tcp      anywhere             anywhere           state NEW tcp dpt:http
DROP       all      anywhere             anywhere

	So, apparently, ip6tables was able to set the rules (and list them from
the kernel) with state matching.  The problem doesn't appear to be a
user space problem.

	Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!

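A diagnostic in the direction Mike's dump points, added here as an example and not part of the thread: read the packet counters from `ip6tables -L -v -n` and flag the case where the `state` rules are loaded but never match while the trailing DROP is busy, which is what a kernel without IPv6 connection tracking looks like. The sample output, its counters and the `/proc` paths in `conntrack_present` are constructed or assumed (the `/proc/net/nf_conntrack` file is what later kernels expose; a 2006 kernel will not have it).

```shell
#!/bin/sh
# Constructed sample shaped like `ip6tables -L RH-Firewall-1-INPUT -v -n`
# (counters and addresses are made up for the example).
SAMPLE='Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
   42  3360 ACCEPT     all  --  lo     *       ::/0                 ::/0
  118  9440 ACCEPT     58   --  *      *       ::/0                 ::/0
    0     0 ACCEPT     all  --  *      *       ::/0                 ::/0                 state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       ::/0                 ::/0                 state NEW tcp dpt:22
  731 58480 DROP       all  --  *      *       ::/0                 ::/0'

# Sum of the packet counters of every rule carrying a `state` match.
state_pkts() {
    printf '%s\n' "$1" | awk '/ state / { s += $1 } END { print s + 0 }'
}

# Packet counter of the unconditional DROP rule(s) at the end of the chain.
drop_pkts() {
    printf '%s\n' "$1" | awk '$3 == "DROP" && $4 == "all" { s += $1 } END { print s + 0 }'
}

# Verdict: "broken" when state rules never matched but the catch-all DROP
# did (return traffic is being dropped because conntrack is not tracking it),
# "working" once any state rule has matched, "inconclusive" with no traffic.
state_verdict() {
    sp=$(state_pkts "$1")
    dp=$(drop_pkts "$1")
    if [ "$sp" -eq 0 ] && [ "$dp" -gt 0 ]; then
        echo broken
    elif [ "$sp" -gt 0 ]; then
        echo working
    else
        echo inconclusive
    fi
}

# Assumed check for a modern kernel: IPv6 conntrack state is visible here when
# the conntrack modules are loaded; absent on kernels that never had it.
conntrack_present() {
    if [ -r /proc/net/nf_conntrack ]; then echo yes; else echo no; fi
}

# Stand-alone run against the constructed sample; substitute the live output
# of `ip6tables -L RH-Firewall-1-INPUT -v -n` to check a real host.
state_verdict "$SAMPLE"
```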