also sprach Pascal Hambourg <pascal.mail@xxxxxxxxxxxxxxx> [2008.04.03.1707 +0200]:
> I'm not sure what you both mean. I tested the IPv6 conntrack on vanilla
> 2.6.20 and 2.6.24 kernels built from kernel.org sources and everything
> worked as expected :

I agree, it works if you don't have INVALID at all, but try:

  -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  -A INPUT -m state --state INVALID -j DROP
  -A INPUT -m state --state NEW -j in-new

and this will match echo-requests on my 2.6.24. echo-replies get matched
by the first rule, but echo-requests should be NEW, not INVALID.

> I do not see a reason why 2.6.22 would behave differently. Maybe
> there is something special in Debian kernels ?

This bug I see with 2.6.18 and someone else with 2.6.22. It's a different
issue than what this thread is about: that pre-2.6.24 kernels don't seem
to register OUTGOING packets in the connection table.

Or are you saying that if you ping6 from the machine with the iptables
rules to somewhere else, the echo-reply gets matched by RELATED or
ESTABLISHED? Because it certainly does *not* here.

  $ ping6 ipv6.aerasec.de(2001:a60:9002:1::184:1)

yields:

  [INPUT6]: IN=eth2 OUT= MAC=00:16:3e:46:5a:86:00:0e:d6:b8:dc:1b:86:dd SRC=2001:0a60:9002:0001:0000:0000:0184:0001 DST=2001:1620:2004:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=57 FLOWLBL=0 PROTO=ICMPv6 TYPE=129 CODE=0 ID=34094 SEQ=1

which is logged after falling through the end of the chain and *not*
being matched by ESTABLISHED,RELATED. Note that the source address is the
same as the destination address to which I sent the echo-request.

If I do the same from a 2.6.24 machine, it works, meaning the echo-reply
is matched by ESTABLISHED,RELATED and accepted.

-- 
martin | http://madduck.net/ | http://two.sentenc.es/

"all language designers are arrogant. goes with the territory..."
 -- larry wall

spamtraps: madduck.bogus@xxxxxxxxxxx
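As an added example (not code from the mail or from anyone in the thread), a small Python check that parses netfilter LOG lines in the format quoted above and flags ICMPv6 echo-replies from hosts you pinged that reached the fall-through LOG rule, i.e. replies that conntrack did not classify ESTABLISHED/RELATED. The sample log lines are constructed (the first copies the one in the mail, the second is a made-up inbound echo-request), and the list of pinged targets is an assumed input.

```python
import ipaddress
import re

ECHO_REPLY = 129  # ICMPv6 type number for echo-reply (RFC 4443)

# Constructed sample input: line 1 is the [INPUT6] entry quoted in the mail
# (an echo-reply that fell through INPUT to its LOG rule); line 2 is a
# constructed inbound echo-request, which legitimately should be NEW.
SAMPLE_LOG = """\
[INPUT6]: IN=eth2 OUT= MAC=00:16:3e:46:5a:86:00:0e:d6:b8:dc:1b:86:dd SRC=2001:0a60:9002:0001:0000:0000:0184:0001 DST=2001:1620:2004:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=57 FLOWLBL=0 PROTO=ICMPv6 TYPE=129 CODE=0 ID=34094 SEQ=1
[INPUT6]: IN=eth2 OUT= MAC=00:16:3e:46:5a:86:00:0e:d6:b8:dc:1b:86:dd SRC=2001:0db8:0000:0000:0000:0000:0000:0099 DST=2001:1620:2004:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=7 SEQ=1
"""

_LINE_RE = re.compile(r"^(?P<prefix>\[[^\]]*\]):\s*(?P<fields>.*)$")
_FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Split one netfilter LOG line into its prefix and KEY=VALUE fields.
    Empty values (e.g. 'OUT=') stay ''; purely numeric values become int
    so TYPE/CODE/ID/SEQ compare directly. Non-LOG lines yield None."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"PREFIX": m.group("prefix")}
    for key, val in _FIELD_RE.findall(m.group("fields")):
        rec[key] = int(val) if val.isdigit() else val
    return rec


def untracked_echo_replies(log_text, pinged_targets):
    """Return logged ICMPv6 echo-replies whose SRC is a host we pinged.
    Reaching the LOG rule at the end of INPUT means ESTABLISHED,RELATED did
    not match, i.e. the outgoing echo-request was never entered in the
    connection table (the pre-2.6.24 behaviour described in the mail).
    Addresses are compared as ipaddress objects, so the zero-padded form
    in the log equals the compressed form typed on the ping6 command line."""
    targets = {ipaddress.ip_address(t) for t in pinged_targets}
    hits = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if not rec or rec.get("PROTO") != "ICMPv6" or rec.get("TYPE") != ECHO_REPLY:
            continue
        if ipaddress.ip_address(rec["SRC"]) in targets:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for r in untracked_echo_replies(SAMPLE_LOG, ["2001:a60:9002:1::184:1"]):
        print("untracked echo-reply from", r["SRC"], "id", r["ID"], "seq", r["SEQ"])
```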