Re: ip6tables -m state (match state) not working...

[Jay Cliburn <jacliburn@xxxxxxxxxxxxx>]

Michael H. Warfield wrote:
> On Sun, 2006-10-08 at 20:36 -0500, Jay Cliburn wrote:
> > Michael H. Warfield wrote:
> > > On Sun, 2006-10-08 at 13:32 -0500, Jay Cliburn wrote:
> > > > Michael H. Warfield wrote:
> > > > > Hey all,
> > > > >
> > > > > 	I've found that the IPv6 state matching is non-functional in FC6.  
> > > > Oh, and by the way, ip6tables state matching is nonfunctional, period; not just 
> > > > in Fedora.  The Netfilter team hasn't yet implemented state matching in ip6tables.
> > > 	Strange that it accepts the -m state option to ip6tables then.  There
> > > is certainly an libip6t_state.so in /lib/iptables.  If it hasn't been
> > > implemented, then what's in that friggen library?
> > I retract my earlier assertion that state matching is nonfunctional.
> >
> > [root@osprey iptables]# strings /lib64/iptables/libip6t_state.so | grep state
> > --state
> > You must specify `--state'
> > Bad state `%s'
> > state
> > state v%s options:
> >   [!] --state [INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED][,...]
> > state
>
> > Now to find out why it doesn't work in rawhide...
>
> 	Oh...  Another point on the curve...  This may be a kernel issue.  The
> rules are getting loaded properly.  Here's a dump of the rules from the
> system in question:
>
> [root@cabra iptables]# ip6tables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> RH-Firewall-1-INPUT  all      anywhere             anywhere
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> RH-Firewall-1-INPUT  all      anywhere             anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain RH-Firewall-1-INPUT (2 references)
> target     prot opt source               destination
> ACCEPT     all      anywhere             anywhere
> ACCEPT     ipv6-icmp    anywhere             anywhere
> ACCEPT     ipv6-crypt    anywhere             anywhere
> ACCEPT     ipv6-auth    anywhere             anywhere
> ACCEPT     udp      anywhere             ff02::fb/128       udp dpt:mdns
> ACCEPT     udp      anywhere             anywhere           udp dpt:ipp
> ACCEPT     tcp      anywhere             anywhere           tcp dpt:ipp
> ACCEPT     all      anywhere             anywhere           state RELATED,ESTABLISHED
> ACCEPT     tcp      anywhere             anywhere           state NEW tcp dpt:ssh
> ACCEPT     udp      anywhere             anywhere           state NEW udp dpt:netbios-ns
> ACCEPT     udp      anywhere             anywhere           state NEW udp dpt:netbios-dgm
> ACCEPT     tcp      anywhere             anywhere           state NEW tcp dpt:netbios-ssn
> ACCEPT     tcp      anywhere             anywhere           state NEW tcp dpt:microsoft-ds
> ACCEPT     tcp      anywhere             anywhere           state NEW tcp dpt:https
> ACCEPT     tcp      anywhere             anywhere           state NEW tcp dpt:http
> DROP       all      anywhere             anywhere
>
> 	So, apparently, ip6tables was able to set the rules (and list them from
> the kernel) with state matching.  The problem doesn't appear to be a
> user space problem.

I'm building 2.6.19-rc1 as we speak...

--
fedora-test-list mailing list
fedora-test-list@xxxxxxxxxx
To unsubscribe: 
https://www.redhat.com/mailman/listinfo/fedora-test-list