Re: conntrackd segfault on EPSV IPv6 ftp command when using ftp ExpectationSync

On Thu, 11 Jul 2013, Pablo Neira Ayuso wrote:

> On Thu, Jul 11, 2013 at 12:08:20AM +0200, Pablo Neira Ayuso wrote:
> > On Wed, Jul 10, 2013 at 05:58:15AM -0400, Bill Fink wrote:
> > > Almost there.  With the above patch, I now successfully get
> > > IPv6 expectations on the backup firewall.  Unfortunately they're
> > > not quite right.  On the backup firewall, the expectation src-IP
> > > is the same as the dst-IP (either IPv4 or IPv6).
> > > 
> > > Primary firewall:
> > > 
> > > [root@sen-fw1 linux-3.7.3-101.fc17.x86_64]# conntrack -L expect
> > > 251 proto=6 src=192.168.218.199 dst=192.168.28.198 sport=0 dport=54705 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.218.199 master-dst=192.168.28.198 sport=56877 dport=21 class=0 helper=ftp
> > > conntrack v1.4.0 (conntrack-tools): 1 expectations have been shown.
> > > 
> > > Backup firewall:
> > > 
> > > [root@sen-fw2 linux-3.7.3-101.fc17.x86_64]# conntrack -L expect
> > > 245 proto=6 src=192.168.28.198 dst=192.168.28.198 sport=0 dport=54705 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.218.199 master-dst=192.168.28.198 sport=56877 dport=21 class=0 helper=ftp
> > > conntrack v1.4.0 (conntrack-tools): 1 expectations have been shown.
> > > 
> > > This was an unfortunate side effect of the patch to fix the
> > > conntrackd segfault problem.  If I use Florian's version
> > > of the fix segfault patch rather than Pablo's then all is
> > > good.
> > 
> > Thanks for the information; however, we still need to get the
> > filtering support working again.
> > 
> > Could you give a try to the following patch, please?
> > 
> > It applies on top of conntrack-tools master branch, thanks.
> 
> There are still some downsides in the previous solution, please, give
> a try to this patch instead.

The firewalls are now in production, so I don't have the same freedom
I did previously.  I'll check the patch out sometime after hours.
Normally, this weekend would be a good time, but I'm going to be
away this weekend.  So it might be a few days until I get a chance.

Thanks again for all your (and Florian's) great help!

						-Bill
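
A way to check synced expectations field by field, as an added example that is not part of the original thread or of conntrack-tools: it parses the two `conntrack -L expect` lines quoted above and reports which fields differ between primary and backup. The function names `parse_expect` and `diff_expect` are hypothetical, and the code assumes the leading number on each line may differ between hosts and can be ignored.

```python
import ipaddress

# The two expectation lines quoted in the message above.
PRIMARY = ("251 proto=6 src=192.168.218.199 dst=192.168.28.198 sport=0 dport=54705 "
           "mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 "
           "master-src=192.168.218.199 master-dst=192.168.28.198 sport=56877 dport=21 "
           "class=0 helper=ftp")
BACKUP = ("245 proto=6 src=192.168.28.198 dst=192.168.28.198 sport=0 dport=54705 "
          "mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 "
          "master-src=192.168.218.199 master-dst=192.168.28.198 sport=56877 dport=21 "
          "class=0 helper=ftp")


def parse_expect(line):
    """Parse one expectation line into {(section, key): value}.

    sport/dport appear three times (expected tuple, mask, master tuple), so
    fields are tracked by section instead of by bare key name.
    """
    fields, section = {}, "tuple"
    for tok in line.split()[1:]:              # skip the leading number
        key, sep, val = tok.partition("=")
        if not sep:
            continue
        for prefix in ("mask", "master"):     # mask-src / master-src open a section
            if key.startswith(prefix + "-"):
                section, key = prefix, key[len(prefix) + 1:]
        if key in ("src", "dst"):             # normalise IPv4/IPv6 text forms
            val = str(ipaddress.ip_address(val))
        where = "meta" if key in ("class", "helper") else section
        fields[(where, key)] = val
    return fields


def diff_expect(primary_line, backup_line):
    """Return sorted (section, key, primary_value, backup_value) mismatches."""
    a, b = parse_expect(primary_line), parse_expect(backup_line)
    return [(s, k, a.get((s, k)), b.get((s, k)))
            for s, k in sorted(set(a) | set(b))
            if a.get((s, k)) != b.get((s, k))]


if __name__ == "__main__":
    for section, key, want, got in diff_expect(PRIMARY, BACKUP):
        print(f"{section}.{key}: primary={want} backup={got}")
```
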