On Thu, Oct 12, 2006 at 02:01:23AM -0400, Dave Jones wrote:
> On Wed, Oct 11, 2006 at 09:20:59PM -0500, Jay Cliburn wrote:
> >
> > > I've found that the IPv6 state matching is non-functional in FC6. I
> > > first tried it in Test3 and have just reinstalled the entire system from
> > > scratch from rawhide and verified it from the latest rawhide.
> > [snip]
> > > Filed in bugzilla: 209945
> > >
> > > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=209945
> >
> > This is a kernel configuration issue. Configure the kernel as follows and
> > rebuild it. After that, ip6tables will honor "-m state". If you don't build
> > the kernel with these options, all IPv6 packets are seen as INVALID by
> > netfilter. (To see this for yourself, set up a log rule matching on "-m state
> > INVALID".)
> >
> > Here are the kernel config options:
> >
> > Networking->Networking options->Network packet filtering (replaces
> > ipchains)->IP: Netfilter Configuration
> >
> > Unset this option:
> > < > Connection tracking (required for masq/NAT)
> >
> > Networking->Networking options->Network packet filtering (replaces
> > ipchains)->Core Netfilter Configuration
> >
> > Set these options:
> > <*> Layer 3 Independent Connection tracking (EXPERIMENTAL)
> > [*] Connection tracking flow accounting
> > [*] Connection mark tracking support
> > [*] Connection tracking security mark support
> > [*] Connection tracking events (EXPERIMENTAL)
>
> This is marked EXPERIMENTAL for a reason. It's incomplete for some
> features. You can only enable this if you disable the old conntrack code.
> From conversation with the upstream networking folks, enabling this
> will also break NAT. It'll not be completely usable until at least 2.6.20

Noted, and thank you for the amplifying information. At least we now know:

a) why IPv6 netfilter state matching doesn't work on as-delivered Fedora;
b) what we need to do to make IPv6 netfilter state matching work;
c) what some of the side effects are.

Prior to now, all we had was an apparent nonfunctioning IPv6 stack when the
default Fedora ip6tables rules were activated.

Jay
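A script to check a kernel .config for the conntrack options the quoted reply describes, added here as an example and not part of the thread. It assumes the menu entries map to these symbols: "Layer 3 Independent Connection tracking" is CONFIG_NF_CONNTRACK, the old IPv4-only "Connection tracking (required for masq/NAT)" is CONFIG_IP_NF_CONNTRACK, and the four sub-options are CONFIG_NF_CT_ACCT, CONFIG_NF_CONNTRACK_MARK, CONFIG_NF_CONNTRACK_SECMARK and CONFIG_NF_CONNTRACK_EVENTS; the two config files it runs against are constructed samples, not real Fedora configs.

```shell
#!/bin/sh
# Added example: verify whether a kernel config will let ip6tables "-m state"
# work, following the thread's advice (new layer-3 independent conntrack on,
# old IPv4-only conntrack off). Symbol names are assumptions, see lead-in.

# cfg_is_set FILE SYMBOL: succeeds when SYMBOL is built in (=y) or a module (=m)
cfg_is_set() {
    grep -Eq "^${2}=(y|m)\$" "$1"
}

# check_ip6_state_config FILE: prints findings; returns 0 when state matching
# can be expected to work, 1 when IPv6 packets will all be seen as INVALID
check_ip6_state_config() {
    cfg="$1"
    rc=0
    if cfg_is_set "$cfg" CONFIG_NF_CONNTRACK; then
        echo "ok: layer-3 independent conntrack (CONFIG_NF_CONNTRACK) enabled"
    else
        echo "missing: CONFIG_NF_CONNTRACK; ip6tables -m state will see every packet as INVALID"
        rc=1
    fi
    # The thread says both conntrack implementations cannot coexist
    if cfg_is_set "$cfg" CONFIG_IP_NF_CONNTRACK; then
        echo "conflict: old IPv4-only conntrack (CONFIG_IP_NF_CONNTRACK) still enabled; unset it"
        rc=1
    fi
    # The additional conntrack features listed in the thread; warn only
    for sym in CONFIG_NF_CT_ACCT CONFIG_NF_CONNTRACK_MARK \
               CONFIG_NF_CONNTRACK_SECMARK CONFIG_NF_CONNTRACK_EVENTS; do
        cfg_is_set "$cfg" "$sym" || echo "note: $sym not set"
    done
    return $rc
}

# Constructed sample configs: an "as-delivered" style config and a fixed one
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/config-default" <<'EOF'
CONFIG_IP_NF_CONNTRACK=m
# CONFIG_NF_CONNTRACK is not set
EOF
cat > "$DEMO_DIR/config-fixed" <<'EOF'
# CONFIG_IP_NF_CONNTRACK is not set
CONFIG_NF_CONNTRACK=y
CONFIG_NF_CT_ACCT=y
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_SECMARK=y
CONFIG_NF_CONNTRACK_EVENTS=y
EOF
check_ip6_state_config "$DEMO_DIR/config-default" || true
check_ip6_state_config "$DEMO_DIR/config-fixed" || true
```

To check a running kernel, call check_ip6_state_config against its config file, typically /boot/config-$(uname -r).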