Michael H. Warfield wrote:
On Sun, 2006-10-08 at 20:36 -0500, Jay Cliburn wrote:
Michael H. Warfield wrote:
On Sun, 2006-10-08 at 13:32 -0500, Jay Cliburn wrote:
Michael H. Warfield wrote:
Hey all,
I've found that the IPv6 state matching is non-functional in FC6.
Oh, and by the way, ip6tables state matching is nonfunctional, period; not just
in Fedora. The Netfilter team hasn't yet implemented state matching in ip6tables.
Strange that it accepts the -m state option to ip6tables then. There
is certainly an libip6t_state.so in /lib/iptables. If it hasn't been
implemented, then what's in that friggen library?
I retract my earlier assertion that state matching is nonfunctional.
[root@osprey iptables]# strings /lib64/iptables/libip6t_state.so | grep state
--state
You must specify `--state'
Bad state `%s'
state
state v%s options:
[!] --state [INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED][,...]
state
Now to find out why it doesn't work in rawhide...
Oh... Another point on the curve... This may be a kernel issue. The
rules are getting loaded properly. Here's a dump of the rules from the
system in question:
[root@cabra iptables]# ip6tables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all anywhere anywhere
ACCEPT ipv6-icmp anywhere anywhere
ACCEPT ipv6-crypt anywhere anywhere
ACCEPT ipv6-auth anywhere anywhere
ACCEPT udp anywhere ff02::fb/128 udp dpt:mdns
ACCEPT udp anywhere anywhere udp dpt:ipp
ACCEPT tcp anywhere anywhere tcp dpt:ipp
ACCEPT all anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp anywhere anywhere state NEW tcp dpt:ssh
ACCEPT udp anywhere anywhere state NEW udp dpt:netbios-ns
ACCEPT udp anywhere anywhere state NEW udp dpt:netbios-dgm
ACCEPT tcp anywhere anywhere state NEW tcp dpt:netbios-ssn
ACCEPT tcp anywhere anywhere state NEW tcp dpt:microsoft-ds
ACCEPT tcp anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp anywhere anywhere state NEW tcp dpt:http
DROP all anywhere anywhere
So, apparently, ip6tables was able to set the rules (and list them from
the kernel) with state matching. The problem doesn't appear to be a
user space problem.
I'm building 2.6.19-rc1 as we speak...
--
fedora-test-list mailing list
fedora-test-list@xxxxxxxxxx
To unsubscribe:
https://www.redhat.com/mailman/listinfo/fedora-test-list