ip6tables -m state (match state) not working...
Michael H. Warfield
mhw at WittsEnd.com
Mon Oct 9 02:20:02 UTC 2006
On Sun, 2006-10-08 at 20:36 -0500, Jay Cliburn wrote:
> Michael H. Warfield wrote:
> > On Sun, 2006-10-08 at 13:32 -0500, Jay Cliburn wrote:
> >> Michael H. Warfield wrote:
> >>> Hey all,
> >>>
> >>> I've found that the IPv6 state matching is non-functional in FC6.
> >
> >> Oh, and by the way, ip6tables state matching is nonfunctional, period; not just
> >> in Fedora. The Netfilter team hasn't yet implemented state matching in ip6tables.
> >
> > Strange that it accepts the -m state option to ip6tables then. There
> > is certainly an libip6t_state.so in /lib/iptables. If it hasn't been
> > implemented, then what's in that friggen library?
>
> I retract my earlier assertion that state matching is nonfunctional.
>
> [root at osprey iptables]# strings /lib64/iptables/libip6t_state.so | grep state
> --state
> You must specify `--state'
> Bad state `%s'
> state
> state v%s options:
> [!] --state [INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED][,...]
> state
> Now to find out why it doesn't work in rawhide...
Oh... Another point on the curve... This may be a kernel issue. The
rules are getting loaded properly. Here's a dump of the rules from the
system in question:
[root at cabra iptables]# ip6tables -L
Chain INPUT (policy ACCEPT)
target               prot        opt source      destination
RH-Firewall-1-INPUT  all             anywhere    anywhere

Chain FORWARD (policy ACCEPT)
target               prot        opt source      destination
RH-Firewall-1-INPUT  all             anywhere    anywhere

Chain OUTPUT (policy ACCEPT)
target               prot        opt source      destination

Chain RH-Firewall-1-INPUT (2 references)
target               prot        opt source      destination
ACCEPT               all             anywhere    anywhere
ACCEPT               ipv6-icmp       anywhere    anywhere
ACCEPT               ipv6-crypt      anywhere    anywhere
ACCEPT               ipv6-auth       anywhere    anywhere
ACCEPT               udp             anywhere    ff02::fb/128   udp dpt:mdns
ACCEPT               udp             anywhere    anywhere       udp dpt:ipp
ACCEPT               tcp             anywhere    anywhere       tcp dpt:ipp
ACCEPT               all             anywhere    anywhere       state RELATED,ESTABLISHED
ACCEPT               tcp             anywhere    anywhere       state NEW tcp dpt:ssh
ACCEPT               udp             anywhere    anywhere       state NEW udp dpt:netbios-ns
ACCEPT               udp             anywhere    anywhere       state NEW udp dpt:netbios-dgm
ACCEPT               tcp             anywhere    anywhere       state NEW tcp dpt:netbios-ssn
ACCEPT               tcp             anywhere    anywhere       state NEW tcp dpt:microsoft-ds
ACCEPT               tcp             anywhere    anywhere       state NEW tcp dpt:https
ACCEPT               tcp             anywhere    anywhere       state NEW tcp dpt:http
DROP                 all             anywhere    anywhere
So, apparently, ip6tables was able to set the rules (and list them from
the kernel) with state matching. The problem doesn't appear to be a
user space problem.
Mike
--
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
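Added editorial example (not part of the thread, not Fedora's firewall scripts): a small POSIX sh diagnostic that follows the reasoning in the message above. Since libip6t_state.so accepts --state, the rules load, and `ip6tables -L` reads them back out of the kernel, user space is accounted for; what is left to check is whether the kernel has the `state` match registered for the ip6_tables family and whether IPv6 connection tracking is actually producing entries for the state match to consult. It assumes the Linux procfs files /proc/net/ip6_tables_matches (one registered match name per line) and /proc/net/nf_conntrack (one tracked flow per line, starting with the L3 protocol name, ipv4 or ipv6); the sample inputs used to check it are constructed, not captured from the reporter's machine.

```sh
#!/bin/sh
# Added editorial example, not from the original thread or from Fedora.
# Kernel-side checks for "ip6tables -m state", given that the user-space
# half (libip6t_state.so, rule loading, `ip6tables -L`) already works.
# Assumed Linux procfs paths: /proc/net/ip6_tables_matches and
# /proc/net/nf_conntrack.

# 1. Is the "state" match registered with the kernel for ip6_tables?
#    The user-space extension library alone does not put it there.
kernel_registers_match() {    # $1 = matches file, $2 = match name
    [ -r "$1" ] && grep -qx "$2" "$1"
}

# 2. Is IPv6 connection tracking actually running?  Each nf_conntrack line
#    starts with the L3 protocol name.  With no ipv6 entries the state
#    match has nothing to consult, the state rules never match, and the
#    trailing DROP catches the traffic.
conntrack_ipv6_entries() {    # $1 = conntrack file; prints the entry count
    [ -r "$1" ] || { echo 0; return; }
    grep -c '^ipv6 ' "$1" || true   # grep -c prints 0 but exits 1 on no match
}

# 3. Over `ip6tables -L -v -n -x` output (-x for exact counters), count the
#    rules that use the state match and sum their packet counters.  With
#    working IPv6 conntrack the RELATED,ESTABLISHED counter grows as replies
#    come in; a counter stuck at 0 while IPv6 sessions are up points at the
#    kernel rather than at ip6tables.
state_rule_counters() {       # reads -L -v -n -x output on stdin; prints "rules pkts"
    awk '/state/ { n++; pkts += $1 } END { printf "%d %d\n", n, pkts }'
}

diagnose() {
    if kernel_registers_match /proc/net/ip6_tables_matches state; then
        echo "kernel: 'state' match registered for ip6_tables"
    else
        echo "kernel: 'state' match NOT registered for ip6_tables (or procfs entry missing)"
    fi
    n=$(conntrack_ipv6_entries /proc/net/nf_conntrack)
    echo "kernel: $n IPv6 conntrack entries (0 with IPv6 sessions open = no IPv6 conntrack)"
    if command -v ip6tables >/dev/null 2>&1; then
        ip6tables -L -v -n -x 2>/dev/null | state_rule_counters |
            { read rules pkts; echo "rules: $rules state rules, $pkts packets matched so far"; }
    else
        echo "ip6tables not installed; skipping rule counter check"
    fi
}

diagnose
```

Run it as root on the affected box; the first two lines answer the kernel question directly, and the third lets you watch the RELATED,ESTABLISHED counter while an IPv6 session (an ssh to the host over IPv6, say) is open.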