RE: [Fwd: RE: ipv6 link local address]

Okay, I finally figured it out.  I've successfully tested ipv6 bridged-frame filtering, and all is right with the world of Bob.

My method to get the ipv6 support to go away was to set /etc/sysctl.conf like so:

-----
net.ipv6.conf.eth0.disable_ipv6 = 1
net.ipv6.conf.eth1.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 0
-----

ipv6 support is still present in the kernel, but the individual interfaces do not support it.  The only functionality I seem to have lost is physical interface information in the ip6tables logs, but that's not really even worth investigating at this point in time.

By the way, putting drops in mangle is a pretty nefarious way to make sure none of them bridge as well.  It took me a bit of head scratching to turn that back around when I decided I was ready to test ipv6 filtering.

Anyway thanks, all, for your time.



Bob McDowell
Network/Security Engineer 
Cox HealthPlans 
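An added check, not from the thread, that reads a sysctl.conf like the one above and confirms the bridge slaves have IPv6 disabled while lo keeps it enabled. It assumes an interface without its own disable_ipv6 line takes the net.ipv6.conf.default value, and that a later line for the same key overrides an earlier one.

```shell
#!/bin/sh
# Added example: audit a sysctl.conf for the IPv6 state described in the thread.
# Assumption: an interface without its own net.ipv6.conf.<if>.disable_ipv6 line
# takes net.ipv6.conf.default.disable_ipv6; if both are absent, IPv6 is enabled (0).

# Constructed copy of the thread's /etc/sysctl.conf lines, written to a temp file.
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
# eth0/eth1 are the bridge slaves: no IPv6 logic, frames still bridged
net.ipv6.conf.eth0.disable_ipv6 = 1
net.ipv6.conf.eth1.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 0
EOF

# sysctl_value FILE KEY: print the last value assigned to KEY (sysctl(8) applies
# lines in order, so a later line wins); print nothing if KEY is absent.
sysctl_value() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        { split($0, kv, "="); k = kv[1]; v = kv[2]
          gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
          if (k == key) val = v }
        END { print val }' "$1"
}

# disable_ipv6_state FILE IFACE: effective disable_ipv6 (0 or 1) for IFACE.
disable_ipv6_state() {
    v=$(sysctl_value "$1" "net.ipv6.conf.$2.disable_ipv6")
    [ -n "$v" ] || v=$(sysctl_value "$1" "net.ipv6.conf.default.disable_ipv6")
    [ -n "$v" ] || v=0
    echo "$v"
}

# audit_bridge FILE SLAVE...: succeed only if every bridge slave has IPv6
# disabled and lo keeps it enabled; print one line per violation.
audit_bridge() {
    conf=$1; shift; rc=0
    for ifc in "$@"; do
        if [ "$(disable_ipv6_state "$conf" "$ifc")" != 1 ]; then
            echo "$ifc: IPv6 still enabled on a bridge slave"; rc=1
        fi
    done
    if [ "$(disable_ipv6_state "$conf" lo)" != 0 ]; then
        echo "lo: IPv6 disabled on loopback"; rc=1
    fi
    return $rc
}
audit_bridge "$SAMPLE_CONF" eth0 eth1 && echo "sysctl.conf matches the intended state"
```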

-----Original Message-----
From: Nikolay S. [mailto:nowhere@xxxxxxxxxxxxxxxx] 
Sent: Tuesday, June 07, 2011 9:35 AM
To: Bob McDowell
Cc: netfilter@xxxxxxxxxxxxxxx
Subject: [Fwd: RE: ipv6 link local address]

-------- Forwarded message --------
> From: Nikolay S. <nowhere@xxxxxxxxxxxxxxxx>
> To: bmcdowell@xxxxxxxxxxxxxxxxxx
> Cc: netfilter@xxxxxxxxxxxxxxx
> Subject: RE: ipv6 link local address
> Date: Tue, 07 Jun 2011 18:32:56 +0400
> 
> On Tue, 07/06/2011 at 14:26 +0000, bmcdowell@xxxxxxxxxxxxxxxxxx wrote:
> > I'm sorry, but that didn't parse.
> > 
> > I won't, what?
> > 
> > Skb's?
> 
> Ability to filter bridged frames with ip6tables :)

Sorry again :)
You will not lose the ability to filter bridged frames with ip6tables.

> 
> > 
> > 
> > Bob McDowell
> > Network/Security Engineer 
> > Cox HealthPlans 
> > 
> > -----Original Message-----
> > From: Nikolay S. [mailto:nowhere@xxxxxxxxxxxxxxxx] 
> > Sent: Tuesday, June 07, 2011 9:24 AM
> > To: Bob McDowell
> > Cc: netfilter@xxxxxxxxxxxxxxx
> > Subject: RE: ipv6 link local address
> > 
> > On Tue, 07/06/2011 at 12:44 +0000, bmcdowell@xxxxxxxxxxxxxxxxxx wrote:
> > > Please understand that I do want to be able to use ip6tables to filter forwarded traffic.  I just do not want the interfaces speaking to anyone while they're doing their job.
> > > 
> > > Perhaps this example can explain it better than I have:  http://www.sjdjweis.com/linux/bridging/
> > > 
> > > 
> > > Thanks again.
> > > 
> > 
> > You won't. skb's are passed to ip6tables from bridge based on ipv6-header,
> > not the state of the protocol on slave device. And bridge itself
> > does not filter incoming frames by L3-header.
> > 
> > > 
> > > Bob McDowell
> > > Network/Security Engineer 
> > > Cox HealthPlans 
> > > 
> > > 
> > > -----Original Message-----
> > > From: Nikolay S. [mailto:nowhere@xxxxxxxxxxxxxxxx] 
> > > Sent: Tuesday, June 07, 2011 1:44 AM
> > > To: Bob McDowell
> > > Cc: netfilter@xxxxxxxxxxxxxxx
> > > Subject: Re: ipv6 link local address
> > > 
> > > 
> > > You can turn off ipv6 on interfaces. This should not prevent bridging
> > > ipv6, but will remove any ipv6 logic from them.
> > > 
> > > 
> > 
> > 
> 
> 

