ip6tables -m state (match state) not working...
Jay Cliburn
jacliburn at bellsouth.net
Mon Oct 9 02:22:33 UTC 2006
Michael H. Warfield wrote:
> On Sun, 2006-10-08 at 20:36 -0500, Jay Cliburn wrote:
>> Michael H. Warfield wrote:
>>> On Sun, 2006-10-08 at 13:32 -0500, Jay Cliburn wrote:
>>>> Michael H. Warfield wrote:
>>>>> Hey all,
>>>>>
>>>>> I've found that the IPv6 state matching is non-functional in FC6.
>>>> Oh, and by the way, ip6tables state matching is nonfunctional, period; not just
>>>> in Fedora. The Netfilter team hasn't yet implemented state matching in ip6tables.
>>> Strange that it accepts the -m state option to ip6tables then. There
>>> is certainly an libip6t_state.so in /lib/iptables. If it hasn't been
>>> implemented, then what's in that friggen library?
>> I retract my earlier assertion that state matching is nonfunctional.
>>
>> [root at osprey iptables]# strings /lib64/iptables/libip6t_state.so | grep state
>> --state
>> You must specify `--state'
>> Bad state `%s'
>> state
>> state v%s options:
>> [!] --state [INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED][,...]
>> state
>
>> Now to find out why it doesn't work in rawhide...
>
> Oh... Another point on the curve... This may be a kernel issue. The
> rules are getting loaded properly. Here's a dump of the rules from the
> system in question:
>
> [root at cabra iptables]# ip6tables -L
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> RH-Firewall-1-INPUT all anywhere anywhere
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> RH-Firewall-1-INPUT all anywhere anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain RH-Firewall-1-INPUT (2 references)
> target prot opt source destination
> ACCEPT all anywhere anywhere
> ACCEPT ipv6-icmp anywhere anywhere
> ACCEPT ipv6-crypt anywhere anywhere
> ACCEPT ipv6-auth anywhere anywhere
> ACCEPT udp anywhere ff02::fb/128 udp dpt:mdns
> ACCEPT udp anywhere anywhere udp dpt:ipp
> ACCEPT tcp anywhere anywhere tcp dpt:ipp
> ACCEPT all anywhere anywhere state RELATED,ESTABLISHED
> ACCEPT tcp anywhere anywhere state NEW tcp dpt:ssh
> ACCEPT udp anywhere anywhere state NEW udp dpt:netbios-ns
> ACCEPT udp anywhere anywhere state NEW udp dpt:netbios-dgm
> ACCEPT tcp anywhere anywhere state NEW tcp dpt:netbios-ssn
> ACCEPT tcp anywhere anywhere state NEW tcp dpt:microsoft-ds
> ACCEPT tcp anywhere anywhere state NEW tcp dpt:https
> ACCEPT tcp anywhere anywhere state NEW tcp dpt:http
> DROP all anywhere anywhere
>
> So, apparently, ip6tables was able to set the rules (and list them from
> the kernel) with state matching. The problem doesn't appear to be a
> user space problem.
I'm building 2.6.19-rc1 as we speak...
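The three-layer triage the thread walks through (user-space plugin present, state rules loaded, kernel side), as an added POSIX shell helper that is not code from the thread or from Fedora. The /lib64/iptables path is the one quoted above; the nf_conntrack_ipv6 module name and the /proc/net/nf_conntrack probe are assumptions about the kernel side, not facts from the thread.

```shell
#!/bin/sh
# Added triage helper, not code from the thread. Mirrors its reasoning:
# 1) is the user-space match plugin present, 2) are state rules loaded,
# 3) does the kernel side expose IPv6 connection tracking at all?
# Assumptions: the nf_conntrack_ipv6 module name and the
# /proc/net/nf_conntrack probe are guesses, not taken from the thread.

# Constructed sample: an abridged copy of the ip6tables -L dump in the thread.
SAMPLE_RULES='Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all anywhere anywhere
ACCEPT all anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp anywhere anywhere state NEW tcp dpt:ssh
DROP all anywhere anywhere'

# Check 1: the plugin exists and advertises --state (grep -a searches
# binaries as text, so there is no dependency on binutils' strings).
plugin_has_state() {
    [ -r "$1" ] && grep -a -q -- '--state' "$1"
}

# Check 2: count loaded rules that depend on state matching. A non-zero
# count while traffic still never matches points past user space.
count_state_rules() {
    printf '%s\n' "$1" | grep -c ' state '
}

# Check 3: kernel side. -m state can only fire if connection tracking is
# active for IPv6. $1 is a root directory to probe so the check can run
# against a constructed tree; on a live host call it with "/".
kernel_tracks_ipv6() {
    root="${1:-/}"
    [ -d "$root/sys/module/nf_conntrack_ipv6" ] || [ -r "$root/proc/net/nf_conntrack" ]
}

# Usage on a live host (plugin path from the thread; needs root for -L):
triage() {
    plugin_has_state /lib64/iptables/libip6t_state.so \
        && echo "plugin: ok" || echo "plugin: missing or lacks --state"
    echo "state rules loaded: $(count_state_rules "$(ip6tables -L 2>/dev/null)")"
    kernel_tracks_ipv6 / && echo "kernel: IPv6 conntrack visible" \
        || echo "kernel: no IPv6 conntrack found, suspect the kernel side"
}
```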