x_tables userspace

x_tables userspace

[Michal Rokos]

Hello,

now when x_tables are merged one question has to come:

Is there any userspace prog that can manage x_tables? Something like ip46tables?

(All I really want is to finally use ipv6 stateful netfilter. And when
iptables and ip6tables are already merged somewhere it would be
great!)

Thank you.

Michal

Re: x_tables userspace

[Pablo Neira Ayuso]

Michal Rokos wrote:
> now when x_tables are merged one question has to come:
> 
> Is there any userspace prog that can manage x_tables? Something like ip46tables?

No, this does not suppose any change from userspace side. It's just part
 of the ipv4-ipv6 code reunification.

> (All I really want is to finally use ipv6 stateful netfilter. And when
> iptables and ip6tables are already merged somewhere it would be
> great!)

Stateful ipv6 went into 2.6.15, so you can give it a try in this -rc1.
Just check the following boxes:

Network packet filtering (replaces ipchains) ---> Core Netfilter
Configuration  --->  Layer 3 Independent Connection tracking (EXPERIMENTAL)

And then add support for IPv4 and IPv6:

Network packet filtering (replaces ipchains) ---> IP: Netfilter
Configuration --->  IPv4 support for new connection tracking (EXPERIMENTAL)

Network packet filtering (replaces ipchains) ---> IPv6: Netfilter
Configuration (EXPERIMENTAL)  --->  IPv6 support for new connection
tracking (EXPERIMENTAL)

Previously, don't forget to uncheck the old connection tracking support.
Otherwise the IPv6 support won't be available.

-- 
Pablo

Re: x_tables userspace

[Krzysztof Oledzki]

[-- Attachment #1: Type: TEXT/PLAIN, Size: 1478 bytes --]



On Mon, 16 Jan 2006, Pablo Neira Ayuso wrote:

> Michal Rokos wrote:
>> now when x_tables are merged one question has to come:
>>
>> Is there any userspace prog that can manage x_tables? Something like ip46tables?
>
> No, this does not suppose any change from userspace side. It's just part
> of the ipv4-ipv6 code reunification.
>
>> (All I really want is to finally use ipv6 stateful netfilter. And when
>> iptables and ip6tables are already merged somewhere it would be
>> great!)
>
> Stateful ipv6 went into 2.6.15, so you can give it a try in this -rc1.
> Just check the following boxes:
>
> Network packet filtering (replaces ipchains) ---> Core Netfilter
> Configuration  --->  Layer 3 Independent Connection tracking (EXPERIMENTAL)
>
> And then add support for IPv4 and IPv6:
>
> Network packet filtering (replaces ipchains) ---> IP: Netfilter
> Configuration --->  IPv4 support for new connection tracking (EXPERIMENTAL)
>
> Network packet filtering (replaces ipchains) ---> IPv6: Netfilter
> Configuration (EXPERIMENTAL)  --->  IPv6 support for new connection
> tracking (EXPERIMENTAL)
>
> Previously, don't forget to uncheck the old connection tracking support.
> Otherwise the IPv6 support won't be available.

But for stateful ipv6 you also need userland (iptables) support which is 
still AFAIK not available. And if you enable Layer 3 ICT you will loose 
SNAT/DNAT support for IPv4.

Best regards,

 				Krzysztof Olędzki

Re: x_tables userspace

[Michal Rokos]

Hello,

On 1/16/06, Pablo Neira Ayuso <pablo@eurodev.net> wrote:
> Michal Rokos wrote:
> > now when x_tables are merged one question has to come:
> >
> > Is there any userspace prog that can manage x_tables? Something like ip46tables?
> No, this does not suppose any change from userspace side. It's just part
>  of the ipv4-ipv6 code reunification.

Well - there should be any userspace that does the same as ipt_match
or ipt_conntrack.

> > (All I really want is to finally use ipv6 stateful netfilter. And when
> > iptables and ip6tables are already merged somewhere it would be
> > great!)
>
> Stateful ipv6 went into 2.6.15, so you can give it a try in this -rc1.
> Just check the following boxes:
[snip]

Sure I have from the very beginning.... I even altered ipt_match to do
the same for ip6t (it's just a s/ip/ip6/), but I hate it. I'm looking
for something that can handle ip4 and ip6 without having 2 binaries
with very common codebase...

M.

Re: x_tables userspace

[Michal Rokos]

Hello,

On 1/16/06, Krzysztof Oledzki <olenf@ans.pl> wrote:
> But for stateful ipv6 you also need userland (iptables) support which is
> still AFAIK not available. And if you enable Layer 3 ICT you will loose
> SNAT/DNAT support for IPv4.

Very true!

For SNAT/DNAT - I don't need it now. I'm aware that it's not working
with L3-conntrack.

M.

PS: Have your progs that read /proc/net/if_inet6 stopped working too?
In recent git kernels I have:
$ cat /proc/net/if_inet6
fe80:0000:0000:0000:0214:a5ff:fe27:9306 03 40 20 80    wlan0
0000:0000:0000:0000:0000:0000:0000:0001 01 80 10 80       lo
but before it was:
$ cat /proc/net/if_inet6
fe800000000000000214a5fffe279306 03 40 20 80    wlan0
00000000000000000000000000000001 01 80 10 80       lo
and the result is that nothing can handle ip6 now (postfix, ifconfig, etc)

Re: x_tables userspace

[YOSHIFUJI Hideaki / 吉藤英明]

In article <333e1ca10601161208r6593dcd0kc40b1b8322477dcf@mail.gmail.com> (at Mon, 16 Jan 2006 21:08:40 +0100), Michal Rokos <michal.rokos@gmail.com> says:

> PS: Have your progs that read /proc/net/if_inet6 stopped working too?
> In recent git kernels I have:
> $ cat /proc/net/if_inet6
> fe80:0000:0000:0000:0214:a5ff:fe27:9306 03 40 20 80    wlan0
> 0000:0000:0000:0000:0000:0000:0000:0001 01 80 10 80       lo
> but before it was:
> $ cat /proc/net/if_inet6
> fe800000000000000214a5fffe279306 03 40 20 80    wlan0
> 00000000000000000000000000000001 01 80 10 80       lo
> and the result is that nothing can handle ip6 now (postfix, ifconfig, etc)

Patch already available to fix the format.
People should be more careful about API....  sigh...

--yoshfuji

Re: x_tables userspace

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 1648 bytes --]

On Mon, Jan 16, 2006 at 09:01:18PM +0100, Michal Rokos wrote:
> Hello,
> 
> On 1/16/06, Pablo Neira Ayuso <pablo@eurodev.net> wrote:
> > Michal Rokos wrote:
> > > now when x_tables are merged one question has to come:
> > >
> > > Is there any userspace prog that can manage x_tables? Something like ip46tables?
> > No, this does not suppose any change from userspace side. It's just part
> >  of the ipv4-ipv6 code reunification.
> 
> Well - there should be any userspace that does the same as ipt_match
> or ipt_conntrack.

yes, there should.  However, it's a terrible amount of work.  I'm at it,
and it's already some 5000 line patch, and I'm not even finished with
IPv4 alone.

I don't see any reason to rush this, I'm fine when it is finished when
2.6.16 is released.

We can verify that the kernel code is fine by using existing
ip(6)tables.

Maybe later today I'll start an iptables-1.4.x branch in svn - but don't
expect it to work.

> Sure I have from the very beginning.... I even altered ipt_match to do
> the same for ip6t (it's just a s/ip/ip6/), but I hate it. I'm looking
> for something that can handle ip4 and ip6 without having 2 binaries
> with very common codebase...

yes, it will be available.  Please just wait a bit...

-- 
- Harald Welte <laforge@netfilter.org>                 http://netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]