[SOLVED] Re: ip6tables -m state (match state) not working...

Jay Cliburn jacliburn at bellsouth.net
Thu Oct 12 12:59:19 UTC 2006


On Thu, Oct 12, 2006 at 02:01:23AM -0400, Dave Jones wrote:
> On Wed, Oct 11, 2006 at 09:20:59PM -0500, Jay Cliburn wrote:
> 
>  > > 	I've found that the IPv6 state matching is non-functional in FC6.  I
>  > > first tried it in Test3 and have just reinstalled the entire system from
>  > > scratch from rawhide and verified it from the latest rawhide.
>  > [snip]
>  > > 	Filed in bugzilla: 209945
>  > > 
>  > > 	https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=209945
>  > 
>  > This is a kernel configuration issue.  Configure the kernel as follows and 
>  > rebuild it.  After that, ip6tables will honor "-m state".  If you don't build 
>  > the kernel with these options, all IPv6 packets are seen as INVALID by 
>  > netfilter.  (To see this for yourself, set up a log rule matching on "-m state 
>  > INVALID".)
>  > 
>  > Here are the kernel config options:
>  > 
>  > Networking->Networking options->Network packet filtering (replaces 
>  > ipchains)->IP: Netfilter Configuration
>  > 
>  > Unset this option:
>  > < > Connection tracking (required for masq/NAT)
>  > 
>  > Networking->Networking options->Network packet filtering (replaces 
>  > ipchains)->Core Netfilter Configuration
>  > 
>  > Set these options:
>  > <*> Layer 3 Independent Connection tracking (EXPERIMENTAL)
>  > [*]   Connection tracking flow accounting
>  > [*]   Connection mark tracking support
>  > [*]   Connection tracking security mark support
>  > [*]   Connection tracking events (EXPERIMENTAL)
> 
> This is marked EXPERIMENTAL for a reason. It's incomplete for some
> features.  You can only enable this if you disable the old conntrack code.
> From conversation with the upstream networking folks, enabling this
> will also break NAT.  It'll not be completely usable until at least 2.6.20

Noted, and thank you for the amplifying information.  At least we now know:

a) why IPv6 netfilter state matching doesn't work on as-delivered Fedora;
b) what we need to do to make IPv6 netfilter state matching work;
c) what some of the side effects are.

Prior to now, all we had was an apparent nonfunctioning IPv6 stack when 
the default Fedora ip6tables rules were activated.

Jay 
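An added helper (not from the thread or from Fedora) that turns the two points above into something checkable: it inspects a kernel .config for the conntrack layout the quoted recipe prescribes, and prints the ip6tables rules for the "log on -m state INVALID" test, so a kernel that treats every IPv6 packet as INVALID shows up in the kernel log rather than as a dead IPv6 stack. The CONFIG_* symbol names are an assumption: they are the 2.6.18-era symbols behind the menuconfig labels quoted above.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# CONFIG_* names are assumed to be the symbols behind the menuconfig
# labels quoted in the thread (2.6.18-era kernel).

# Return 0 if the .config matches the recipe, 1 otherwise; reasons on stdout.
check_conntrack_config() {
    cfg="$1"; rc=0
    # "Connection tracking (required for masq/NAT)" must be unset.
    if grep -q '^CONFIG_IP_NF_CONNTRACK=[ym]' "$cfg"; then
        echo "old IPv4 conntrack (CONFIG_IP_NF_CONNTRACK) still enabled"; rc=1
    fi
    # Layer 3 independent conntrack plus the four sub-options must be set.
    for sym in CONFIG_NF_CONNTRACK CONFIG_NF_CT_ACCT CONFIG_NF_CONNTRACK_MARK \
               CONFIG_NF_CONNTRACK_SECMARK CONFIG_NF_CONNTRACK_EVENTS; do
        grep -q "^$sym=[ym]" "$cfg" || { echo "$sym not set"; rc=1; }
    done
    return $rc
}

# Print the ip6tables commands for the verification described in the thread:
# log (rate-limited) and drop INVALID, then accept ESTABLISHED/RELATED.
# On a kernel without L3-independent conntrack every packet hits the LOG rule.
ip6tables_state_check_rules() {
    cat <<'EOF'
ip6tables -N STATE_CHECK
ip6tables -A STATE_CHECK -m state --state INVALID -m limit --limit 5/min -j LOG --log-prefix "ip6 INVALID: "
ip6tables -A STATE_CHECK -m state --state INVALID -j DROP
ip6tables -A STATE_CHECK -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -I INPUT 1 -j STATE_CHECK
EOF
}

# Usage: script --check /path/to/.config   |   script --apply (as root)
case "${1:-}" in
    --check) check_conntrack_config "$2" && echo "config OK" ;;
    --apply) ip6tables_state_check_rules | sh ;;
esac
```

Run `--check` against the config of the kernel you booted before trusting any `-m state` rule; `--apply` installs the log rule, and a flood of "ip6 INVALID:" lines in the kernel log for ordinary traffic is the symptom the thread describes.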
