On Wed, Oct 11, 2006 at 09:20:59PM -0500, Jay Cliburn wrote:
> > I've found that the IPv6 state matching is non-functional in FC6. I
> > first tried it in Test3 and have just reinstalled the entire system from
> > scratch from rawhide and verified it from the latest rawhide.
> [snip]
> > Filed in bugzilla: 209945
> >
> > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=209945
>
> This is a kernel configuration issue. Configure the kernel as follows and
> rebuild it. After that, ip6tables will honor "-m state". If you don't build
> the kernel with these options, all IPv6 packets are seen as INVALID by
> netfilter. (To see this for yourself, set up a log rule matching on "-m state
> INVALID".)
>
> Here are the kernel config options:
>
> Networking->Networking options->Network packet filtering (replaces
> ipchains)->IP: Netfilter Configuration
>
> Unset this option:
> < > Connection tracking (required for masq/NAT)
>
> Networking->Networking options->Network packet filtering (replaces
> ipchains)->Core Netfilter Configuration
>
> Set these options:
> <*> Layer 3 Independent Connection tracking (EXPERIMENTAL)
> [*] Connection tracking flow accounting
> [*] Connection mark tracking support
> [*] Connection tracking security mark support
> [*] Connection tracking events (EXPERIMENTAL)

This is marked EXPERIMENTAL for a reason. It's incomplete for some features.
You can only enable this if you disable the old conntrack code.
From conversation with the upstream networking folks, enabling this will
also break NAT.

It'll not be completely usable until at least 2.6.20.

Dave

--
http://www.codemonkey.org.uk
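
The trade-off in this thread (old conntrack keeps NAT but leaves IPv6 packets INVALID; the layer 3 independent code fixes `-m state` for IPv6 but breaks NAT) can be checked against a kernel `.config` before rebuilding. This is an added example, not part of either message: the `CONFIG_` symbols are the 2.6.18-era Kconfig names for the quoted menu entries, and they, `NF_CONNTRACK_IPV6`, the function names and the sample config are assumptions not taken from the thread.

```shell
#!/bin/sh
# Classify a kernel .config by which connection tracking code it builds.
# Symbol names: 2.6.18-era Kconfig names for the menu entries quoted in the
# thread (assumption; the thread only gives the menu text).

# cfg_on FILE SYMBOL -> succeeds if SYMBOL is built in (=y) or modular (=m)
cfg_on() {
    grep -Eq "^CONFIG_$2=(y|m)\$" "$1"
}

# conntrack_mode FILE -> prints one of:
#   legacy-ipv4  old conntrack: NAT works, IPv6 packets match state INVALID
#   l3-indep     new conntrack with IPv6 tracker: IPv6 -m state works, NAT breaks
#   l3-no-ipv6   new conntrack built without its IPv6 tracker
#   none         no connection tracking at all
conntrack_mode() {
    if cfg_on "$1" IP_NF_CONNTRACK; then
        echo legacy-ipv4
    elif cfg_on "$1" NF_CONNTRACK; then
        if cfg_on "$1" NF_CONNTRACK_IPV6; then echo l3-indep; else echo l3-no-ipv6; fi
    else
        echo none
    fi
}

# missing_options FILE -> the optional features from the quoted "Set these
# options" list that are not enabled, space separated (empty if all are on)
missing_options() {
    out=""
    for sym in NF_CT_ACCT NF_CONNTRACK_MARK NF_CONNTRACK_SECMARK NF_CONNTRACK_EVENTS; do
        cfg_on "$1" "$sym" || out="$out${out:+ }$sym"
    done
    echo "$out"
}

# Constructed sample input (not from a real Fedora build)
sample_config() {
    printf '%s\n' '# CONFIG_IP_NF_CONNTRACK is not set' 'CONFIG_NF_CONNTRACK=m' \
        'CONFIG_NF_CONNTRACK_IPV6=m' 'CONFIG_NF_CT_ACCT=y' \
        'CONFIG_NF_CONNTRACK_MARK=y' '# CONFIG_NF_CONNTRACK_SECMARK is not set'
}

# Pass a .config path as $1; with no argument the constructed sample is used.
cfg=${1:-}
[ -n "$cfg" ] || { cfg=$(mktemp) && sample_config > "$cfg"; }
echo "conntrack mode: $(conntrack_mode "$cfg")"
echo "not enabled:    $(missing_options "$cfg")"
```

A result of `legacy-ipv4` on a host with stateful ip6tables rules means those rules are matching nothing but INVALID, which the log rule suggested in the quoted message would confirm.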