Michael H. Warfield wrote:
Hey all,
I've found that the IPv6 state matching is non-functional in FC6. I
first tried it in Test3 and have just reinstalled the entire system from
scratch from rawhide and verified it from the latest rawhide.
[snip]
Filed in bugzilla: 209945
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=209945
This is a kernel configuration issue. Configure the kernel as follows and
rebuild it. After that, ip6tables will honor "-m state". If you don't build
the kernel with these options, all IPv6 packets are seen as INVALID by
netfilter. (To see this for yourself, set up a log rule matching on "-m state
INVALID".)
Here are the kernel config options:

Networking->Networking options->Network packet filtering (replaces ipchains)->IP: Netfilter Configuration

Unset this option:
  < > Connection tracking (required for masq/NAT)

Networking->Networking options->Network packet filtering (replaces ipchains)->Core Netfilter Configuration

Set these options:
  <*> Layer 3 Independent Connection tracking (EXPERIMENTAL)
  [*] Connection tracking flow accounting
  [*] Connection mark tracking support
  [*] Connection tracking security mark support
  [*] Connection tracking events (EXPERIMENTAL)
Jay
--
fedora-test-list mailing list
fedora-test-list@xxxxxxxxxx
To unsubscribe:
https://www.redhat.com/mailman/listinfo/fedora-test-list
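
Added example, not part of the original thread: a shell check that audits a kernel .config for the conntrack layout described in the reply above, so a firewall host can be verified before relying on ip6tables "-m state" rules. The CONFIG_* symbol names are an assumed mapping of the quoted menu labels to the Kconfig symbols of kernels from that era, and both sample configs are constructed.

```shell
#!/bin/sh
# Added example (not from the original thread). The CONFIG_* names are an
# assumed mapping of the menu labels above to Kconfig symbols of that kernel era.

# cfg_value FILE SYMBOL: print y or m if the symbol is set, n otherwise.
cfg_value() {
    cv=$(sed -n "s/^CONFIG_$2=\([ym]\)\$/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${cv:-n}"
}

# check_ipv6_state FILE: return 0 if FILE follows the advice above, 1 if not.
check_ipv6_state() {
    rc=0
    # The IPv4-only tracker ("< >" in the message) has to be unset.
    if [ "$(cfg_value "$1" IP_NF_CONNTRACK)" != n ]; then
        echo "FAIL: IP_NF_CONNTRACK is set (IPv4-only connection tracking)"; rc=1
    fi
    # The layer 3 independent tracker is shown as "<*>" (built in) in the message.
    if [ "$(cfg_value "$1" NF_CONNTRACK)" != y ]; then
        echo "FAIL: NF_CONNTRACK is not set to y"; rc=1
    fi
    # The four "[*]" sub-options listed in the message.
    for sym in NF_CT_ACCT NF_CONNTRACK_MARK NF_CONNTRACK_SECMARK NF_CONNTRACK_EVENTS; do
        if [ "$(cfg_value "$1" "$sym")" != y ]; then
            echo "FAIL: $sym is not enabled"; rc=1
        fi
    done
    [ "$rc" -ne 0 ] || echo "OK: layer 3 independent connection tracking is configured"
    return "$rc"
}

# Constructed sample configs (not taken from any real kernel build).
write_samples() {
    cat > "$1/before.config" <<'EOF'
CONFIG_IP_NF_CONNTRACK=m
# CONFIG_NF_CONNTRACK is not set
EOF
    cat > "$1/after.config" <<'EOF'
# CONFIG_IP_NF_CONNTRACK is not set
CONFIG_NF_CONNTRACK=y
CONFIG_NF_CT_ACCT=y
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_SECMARK=y
CONFIG_NF_CONNTRACK_EVENTS=y
EOF
}
demo=$(mktemp -d) && write_samples "$demo"
for f in before after; do echo "== $f"; check_ipv6_state "$demo/$f.config" || true; done
rm -rf "$demo"
```

To audit a real build, call check_ipv6_state with the path of that kernel's config file in place of the constructed samples.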