[SOLVED] Re: ip6tables -m state (match state) not working...

Jay Cliburn jacliburn at bellsouth.net
Thu Oct 12 02:20:59 UTC 2006


Michael H. Warfield wrote:
> Hey all,
> 
> 	I've found that the IPv6 state matching is non-functional in FC6.  I
> first tried it in Test3 and have just reinstalled the entire system from
> scratch from rawhide and verified it from the latest rawhide.
[snip]
> 	Filed in bugzilla: 209945
> 
> 	https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=209945

This is a kernel configuration issue.  Configure the kernel as follows and 
rebuild it.  After that, ip6tables will honor "-m state".  If you don't build 
the kernel with these options, all IPv6 packets are seen as INVALID by 
netfilter.  (To see this for yourself, set up a log rule matching on "-m state 
INVALID".)

Here are the kernel config options:

Networking->Networking options->Network packet filtering (replaces 
ipchains)->IP: Netfilter Configuration

Unset this option:
< > Connection tracking (required for masq/NAT)


Networking->Networking options->Network packet filtering (replaces 
ipchains)->Core Netfilter Configuration

Set these options:
<*> Layer 3 Independent Connection tracking (EXPERIMENTAL)
[*]   Connection tracking flow accounting
[*]   Connection mark tracking support
[*]   Connection tracking security mark support
[*]   Connection tracking events (EXPERIMENTAL)

Jay
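As an added check, not part of Jay's message or of the Fedora kernel tree: the POSIX shell script below reads a kernel .config and reports whether it matches the options Jay lists. The CONFIG_ symbol names are my assumed mapping of those menu entries to their Kconfig symbols, and the two sample configs are constructed for the stand-alone demo.

```shell
#!/bin/sh
# Menu entry -> Kconfig symbol (assumed mapping of the items in Jay's message).
REQUIRED_SET="CONFIG_NF_CONNTRACK CONFIG_NF_CT_ACCT CONFIG_NF_CONNTRACK_MARK \
CONFIG_NF_CONNTRACK_SECMARK CONFIG_NF_CONNTRACK_EVENTS"   # "Set these options"
MUST_BE_UNSET="CONFIG_IP_NF_CONNTRACK"                    # "Unset this option"

# is_set FILE SYMBOL: true when SYMBOL=y or SYMBOL=m appears in FILE.
# Lines of the form "# SYMBOL is not set" deliberately do not match.
is_set() {
    grep -q "^$2=[ym]\$" "$1"
}

# check_conntrack_config FILE: prints each problem found; returns 0 when the
# config matches the recommendation, 1 when a rebuild is needed.
check_conntrack_config() {
    rc=0
    for sym in $REQUIRED_SET; do
        if ! is_set "$1" "$sym"; then echo "missing: $sym (need y or m)"; rc=1; fi
    done
    for sym in $MUST_BE_UNSET; do
        if is_set "$1" "$sym"; then echo "conflicting: $sym enabled (IPv4-only conntrack)"; rc=1; fi
    done
    return $rc
}

# Constructed sample configs so the script runs stand-alone. On a live box,
# point it at /boot/config-$(uname -r) or a file made with "zcat /proc/config.gz".
GOOD_CFG=$(mktemp) BAD_CFG=$(mktemp)
trap 'rm -f "$GOOD_CFG" "$BAD_CFG"' EXIT
cat > "$GOOD_CFG" <<'EOF'
# CONFIG_IP_NF_CONNTRACK is not set
CONFIG_NF_CONNTRACK=y
CONFIG_NF_CT_ACCT=y
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_SECMARK=y
CONFIG_NF_CONNTRACK_EVENTS=y
EOF
cat > "$BAD_CFG" <<'EOF'
CONFIG_IP_NF_CONNTRACK=m
# CONFIG_NF_CONNTRACK is not set
CONFIG_NF_CONNTRACK_MARK=y
EOF

if check_conntrack_config "$GOOD_CFG"; then echo "sample good config: ok"; fi
if check_conntrack_config "$BAD_CFG"; then :; else echo "sample bad config: rebuild needed"; fi
# To confirm the symptom Jay describes on a running system, the diagnostic
# log rule in full syntax is: ip6tables -A INPUT -m state --state INVALID -j LOG
```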