also sprach Pascal Hambourg <pascal.mail@xxxxxxxxxxxxxxx> [2008.04.04.0100 +0200]: >> This bug I see with 2.6.18 > > Of course, Debian's 2.6.18 does not support IPv6 conntrack. Okay, this is all I was asking in the original mail. Note, however, that the 2.6.18 kernel modules exist and everything can be set up without errors, it then just doesn't work. >> and someone else with 2.6.22. > > Nicolas ? He just wrote he couldn't reproduce it. Okay, I have not tried. >> Or are you saying that if you ping6 from the machine with the >> iptables rules to somewhere else, the echo-reply gets matched by >> RELATED or ESTABLISHED? > > Yes, of course. The outgoing echo request is in the NEW state and > the incoming echo reply is in the ESTABLISHED state. Same with an > incoming echo request. ... except for 2.6.18, where everything seems like that should be the case, but it doesn't work at all. Packets aren't even in the NEW state, it seems. On 2.6.18, I've observed that --state INVALID seems to match *all* IPv6 packets, and NEW,ESTABLISHED,RELATED match *none*. > There must be something wrong with your kernel. Yeah, it's 2.6.18. You have 2.6.20. Apparently conntrack has been worked on. That's all I wanted to know. -- martin | http://madduck.net/ | http://two.sentenc.es/ you can't assign IP address 127.0.0.1 to the loopback adapter, because it is a reserved address for loopback devices. -- micro$oft windoze xp professional spamtraps: madduck.bogus@xxxxxxxxxxx
Attachment:
digital_signature_gpg.asc
Description: Digital signature (see http://martin-krafft.net/gpg/)
