ip6tables -m state (match state) not working...

Jay Cliburn jacliburn at bellsouth.net
Mon Oct 9 02:22:33 UTC 2006


Michael H. Warfield wrote:
> On Sun, 2006-10-08 at 20:36 -0500, Jay Cliburn wrote:
>> Michael H. Warfield wrote:
>>> On Sun, 2006-10-08 at 13:32 -0500, Jay Cliburn wrote:
>>>> Michael H. Warfield wrote:
>>>>> Hey all,
>>>>>
>>>>> 	I've found that the IPv6 state matching is non-functional in FC6.  
>>>> Oh, and by the way, ip6tables state matching is nonfunctional, period; not just 
>>>> in Fedora.  The Netfilter team hasn't yet implemented state matching in ip6tables.
>>> 	Strange that it accepts the -m state option to ip6tables then.  There
>>> is certainly an libip6t_state.so in /lib/iptables.  If it hasn't been
>>> implemented, then what's in that friggen library?
>> I retract my earlier assertion that state matching is nonfunctional.
>>
>> [root at osprey iptables]# strings /lib64/iptables/libip6t_state.so | grep state
>> --state
>> You must specify `--state'
>> Bad state `%s'
>> state
>> state v%s options:
>>   [!] --state [INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED][,...]
>> state
> 
>> Now to find out why it doesn't work in rawhide...
> 
> 	Oh...  Another point on the curve...  This may be a kernel issue.  The
> rules are getting loaded properly.  Here's a dump of the rules from the
> system in question:
> 
> [root at cabra iptables]# ip6tables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> RH-Firewall-1-INPUT  all      anywhere             anywhere
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> RH-Firewall-1-INPUT  all      anywhere             anywhere
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain RH-Firewall-1-INPUT (2 references)
> target     prot opt source               destination
> ACCEPT     all      anywhere             anywhere
> ACCEPT     ipv6-icmp    anywhere             anywhere
> ACCEPT     ipv6-crypt    anywhere             anywhere
> ACCEPT     ipv6-auth    anywhere             anywhere
> ACCEPT     udp      anywhere             ff02::fb/128       udp dpt:mdns
> ACCEPT     udp      anywhere             anywhere           udp dpt:ipp
> ACCEPT     tcp      anywhere             anywhere           tcp dpt:ipp
> ACCEPT     all      anywhere             anywhere           state RELATED,ESTABLISHED
> ACCEPT     tcp      anywhere             anywhere           state NEW tcp dpt:ssh
> ACCEPT     udp      anywhere             anywhere           state NEW udp dpt:netbios-ns
> ACCEPT     udp      anywhere             anywhere           state NEW udp dpt:netbios-dgm
> ACCEPT     tcp      anywhere             anywhere           state NEW tcp dpt:netbios-ssn
> ACCEPT     tcp      anywhere             anywhere           state NEW tcp dpt:microsoft-ds
> ACCEPT     tcp      anywhere             anywhere           state NEW tcp dpt:https
> ACCEPT     tcp      anywhere             anywhere           state NEW tcp dpt:http
> DROP       all      anywhere             anywhere
> 
> 	So, apparently, ip6tables was able to set the rules (and list them from
> the kernel) with state matching.  The problem doesn't appear to be a
> user space problem.

I'm building 2.6.19-rc1 as we speak...
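The thread's diagnosis rests on one observation: `ip6tables -L` shows the `state` rules loaded, so any failure must be on the kernel side, where the match is evaluated. The listing also shows why a silently dead state match matters: everything that is not explicitly accepted reaches the final `DROP`, so if conntrack never marks a packet `RELATED,ESTABLISHED` or `NEW`, return traffic and new SSH/HTTP connections are dropped even though the rules look right. The script below is an added example, not code from the thread; it parses a saved `ip6tables -L` listing (a constructed, trimmed copy of the one posted above) to show which rules depend on the state match and what catches traffic when they do not fire, and adds a best-effort live check for an IPv6 conntrack module. The module names in `ipv6_conntrack_loaded` are an assumption (they changed between kernel generations), as is the `/proc/modules` format it relies on.

```shell
#!/bin/sh
# Added example: distinguish "the rules loaded" from "the kernel is actually
# tracking IPv6 connections".  Not part of the original thread.

# Constructed sample: a trimmed copy of the listing posted in the thread.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all      anywhere             anywhere

Chain RH-Firewall-1-INPUT (1 references)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere
ACCEPT     all      anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     tcp      anywhere             anywhere           state NEW tcp dpt:ssh
DROP       all      anywhere             anywhere'

# count_state_rules LISTING: how many rules in an `ip6tables -L` listing
# depend on the state match.  If conntrack is not active in the kernel,
# none of these rules can ever match.
count_state_rules() {
    printf '%s\n' "$1" | grep -c ' state '
}

# list_state_rules LISTING: print those rules, so an operator can see
# exactly which traffic (ESTABLISHED replies, NEW ssh, ...) would be lost.
list_state_rules() {
    printf '%s\n' "$1" | grep ' state '
}

# last_rule_target CHAIN LISTING: the target of the final rule in CHAIN,
# i.e. what handles everything the state rules failed to accept.
last_rule_target() {
    chain=$1
    printf '%s\n' "$2" | awk -v chain="$chain" '
        /^Chain / { incur = ($2 == chain); next }
        incur && NF > 0 && $1 != "target" { last = $1 }
        END { print last }'
}

# ipv6_conntrack_loaded: best-effort live check of the kernel side.
# Module names are an assumption: nf_conntrack_ipv6 on older kernels,
# folded into nf_conntrack on newer ones.  Returns 2 if /proc/modules is
# unreadable (e.g. conntrack built in rather than modular).
ipv6_conntrack_loaded() {
    [ -r /proc/modules ] || return 2
    grep -Eq '^(nf_conntrack_ipv6|nf_conntrack) ' /proc/modules
}

# Stand-alone usage: report what the sample ruleset depends on.
if [ "${1:-}" = "--report" ]; then
    echo "state-dependent rules: $(count_state_rules "$SAMPLE_LISTING")"
    list_state_rules "$SAMPLE_LISTING"
    echo "fallthrough target in RH-Firewall-1-INPUT: $(last_rule_target RH-Firewall-1-INPUT "$SAMPLE_LISTING")"
    if ipv6_conntrack_loaded; then
        echo "conntrack module present"
    else
        echo "no conntrack module found (rc=$?); state rules may never match"
    fi
fi
```

Run it with `--report` against the embedded sample, or replace `SAMPLE_LISTING` with the output of `ip6tables -L` on the machine in question. The point of pairing the parser with the module check is the one the thread arrives at: a listing that shows `state` rules proves only that user space and the kernel agreed on the rule format, not that the kernel has connection tracking to evaluate them with.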
