From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
To: netfilter discussion list <netfilter@vger.kernel.org>
Subject: Re: ip6tables icmp conntracking on 2.6.18 vs 2.6.24
Date: Fri, 04 Apr 2008 18:19:12 +0200
Message-ID: <47F65500.8040705@plouf.fr.eu.org>
In-Reply-To: <20080404085029.GA27854@piper.oerlikon.madduck.net>
martin f krafft wrote:
>
>>>This bug I see with 2.6.18
>>
>>Of course, Debian's 2.6.18 does not support IPv6 conntrack.
>
> Okay, this is all I was asking in the original mail.
>
> Note, however, that the 2.6.18 kernel modules exist and everything
> can be set up without errors, it then just doesn't work.
This is getting confused. Didn't you write "I can confirm that nf_*
modules are not present in Debian's 2.6.18"?
>>>and someone else with 2.6.22.
>>
>> Nicolas ? He just wrote he couldn't reproduce it.
>
> Okay, I have not tried.
But you replied to him that "this is still the case with 2.6.24."
So what exactly is wrong with IPv6 conntrack in 2.6.24?
On which pre-2.6.24 versions - besides Debian's 2.6.18 image, which has
IPv6 conntrack support disabled at build time (this is not a bug but a
feature) - do you see an IPv6 conntrack bug such as the "don't seem to
register OUTGOING packets in the connection table" bug you described?
>>>Or are you saying that if you ping6 from the machine with the
>>>iptables rules to somewhere else, the echo-reply gets matched by
>>>RELATED or ESTABLISHED?
>>
>>Yes, of course. The outgoing echo request is in the NEW state and
>>the incoming echo reply is in the ESTABLISHED state. Same with an
>>incoming echo request.
>
> ... except for 2.6.18, where everything seems like that should be
> the case, but it doesn't work at all. Packets aren't even in the NEW
> state, it seems.
>
> On 2.6.18, I've observed that --state INVALID seems to match *all*
> IPv6 packets, and NEW,ESTABLISHED,RELATED match *none*.
If I understood correctly, that's just because Debian's 2.6.18 kernel
image has NF_CONNTRACK disabled at build time and lacks IPv6 conntrack
support. So using the 'state' match in ip6tables rules with this kernel
just makes no sense. If you build a custom 2.6.18 kernel with
NF_CONNTRACK and IPv6 conntrack support enabled instead of
IP_NF_CONNTRACK, I bet that IPv6 packets will have the proper state.
>>There must be something wrong with your kernel.
>
> Yeah, it's 2.6.18.
I thought you meant a pre-2.6.24 kernel other than the Debian's 2.6.18.
> You have 2.6.20. Apparently conntrack has been
> worked on.
AFAIK, the only improvement in the area of this thread is that an error
"can't load conntrack support for proto=10" is triggered when you try to
use the 'state' match in ip6tables if the kernel is built with
ip_conntrack, thus lacks IPv6 conntrack support.
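The state transitions Pascal describes (outgoing echo request NEW, the matching echo reply ESTABLISHED, and everything INVALID when the kernel has no IPv6 conntrack at all) are easy to get wrong when reading ip6tables rules, so here is an added example that models them. It is not code from the thread or from the kernel; it is a simplified Python model of how nf_conntrack_ipv6 tracks ICMPv6 echo by the (src, dst, type, id) tuple, with the packets and addresses constructed for illustration. The `ipv6_conntrack_available` flag is an assumption used to reproduce the "everything is INVALID" behaviour seen on a kernel built without NF_CONNTRACK for IPv6.

```python
"""Toy model of ip6tables '-m state' classification for ICMPv6 echo.

Constructed example: it mirrors the rules nf_conntrack_ipv6 applies to
echo request/reply (original tuple, swapped reply tuple, only an echo
request may create a new entry), not the kernel's actual code.
"""
from dataclasses import dataclass

ECHO_REQUEST = 128  # ICMPv6 type values (RFC 4443)
ECHO_REPLY = 129

# Only an echo request may open a new conntrack entry.  A reply that does
# not match an existing entry is INVALID, which is why stray ping replies
# are dropped by a rule set that only accepts ESTABLISHED,RELATED.
VALID_NEW = {ECHO_REQUEST}
PEER_TYPE = {ECHO_REQUEST: ECHO_REPLY, ECHO_REPLY: ECHO_REQUEST}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    icmp_type: int
    icmp_id: int


class ConntrackModel:
    """Tracks echo flows; state() returns NEW / ESTABLISHED / INVALID."""

    def __init__(self, ipv6_conntrack_available: bool = True):
        # Assumption: False models a kernel built without IPv6 conntrack,
        # where the state match has nothing to consult.
        self.available = ipv6_conntrack_available
        # original-direction tuple -> whether a reply has been seen yet
        self.entries: dict = {}

    @staticmethod
    def _orig_tuple(pkt: Packet):
        return (pkt.src, pkt.dst, pkt.icmp_type, pkt.icmp_id)

    @staticmethod
    def _entry_for_reply(pkt: Packet):
        """Original tuple of the entry for which this packet is the reply."""
        peer = PEER_TYPE.get(pkt.icmp_type)
        if peer is None:
            return None  # model covers echo only; other types are not tracked here
        return (pkt.dst, pkt.src, peer, pkt.icmp_id)

    def state(self, pkt: Packet) -> str:
        if not self.available:
            return "INVALID"  # no conntrack: nothing is NEW or ESTABLISHED

        orig = self._orig_tuple(pkt)
        if orig in self.entries:
            # Same direction as the first packet.  NEW until a reply has
            # been seen (IPS_SEEN_REPLY), then ESTABLISHED.
            return "ESTABLISHED" if self.entries[orig] else "NEW"

        reply_of = self._entry_for_reply(pkt)
        if reply_of is not None and reply_of in self.entries:
            self.entries[reply_of] = True  # reply direction seen
            return "ESTABLISHED"

        if pkt.icmp_type in VALID_NEW:
            self.entries[orig] = False
            return "NEW"
        return "INVALID"


def ping6_trace(available: bool = True) -> list:
    """States seen by a firewall that runs ping6 to a peer (constructed)."""
    fw, peer = "2001:db8::1", "2001:db8::2"
    packets = [
        Packet(fw, peer, ECHO_REQUEST, 0x1234),   # outgoing request
        Packet(peer, fw, ECHO_REPLY, 0x1234),     # matching reply
        Packet(fw, peer, ECHO_REQUEST, 0x1234),   # next ping, same id
        Packet(peer, fw, ECHO_REPLY, 0x9999),     # stray reply, unknown id
        Packet(peer, fw, ECHO_REQUEST, 0x0042),   # peer pings us
    ]
    model = ConntrackModel(ipv6_conntrack_available=available)
    return [model.state(p) for p in packets]


if __name__ == "__main__":
    for label, avail in (("with IPv6 conntrack", True), ("without", False)):
        print(label, ping6_trace(avail))
```

With conntrack present the trace reads NEW, ESTABLISHED, ESTABLISHED, INVALID, NEW, which is exactly what a rule set of `-m state --state ESTABLISHED,RELATED -j ACCEPT` plus an explicit accept for outgoing echo-request relies on. With the flag set to False every packet is INVALID, the symptom reported for the Debian 2.6.18 image.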
Thread overview: 32+ messages
2008-04-02 21:26 ip6tables icmp conntracking on 2.6.18 vs 2.6.24 martin f krafft
2008-04-02 21:44 ` Petr Pisar
2008-04-02 21:57 ` Jan Engelhardt
2008-04-02 22:05 ` martin f krafft
2008-04-03 8:18 ` martin f krafft
2008-04-03 9:29 ` Pascal Hambourg
2008-04-03 9:36 ` Nicolas KOWALSKI
2008-04-03 10:26 ` martin f krafft
2008-04-03 15:07 ` Pascal Hambourg
2008-04-03 15:23 ` martin f krafft
2008-04-03 23:00 ` Pascal Hambourg
2008-04-03 23:03 ` Pascal Hambourg
2008-04-04 8:50 ` martin f krafft
2008-04-04 16:19 ` Pascal Hambourg [this message]
2008-04-08 13:15 ` martin f krafft
2008-04-03 15:35 ` Nicolas KOWALSKI
2008-04-03 15:38 ` martin f krafft
2008-04-03 15:48 ` Nicolas KOWALSKI
2008-04-04 8:51 ` martin f krafft
2008-04-04 8:57 ` Nicolas KOWALSKI
2008-04-04 11:04 ` martin f krafft
2008-04-04 11:59 ` Nicolas KOWALSKI
2008-04-04 12:39 ` martin f krafft
2008-04-04 17:57 ` Nicolas KOWALSKI
2008-04-03 16:14 ` Jozsef Kadlecsik
2008-04-04 6:22 ` martin f krafft
2008-04-04 9:39 ` Jozsef Kadlecsik
2008-04-04 7:32 ` RFC 4890 (icmpv6 firewall recommendations) and ip6tables (was: ip6tables icmp conntracking on 2.6.18 vs 2.6.24) martin f krafft
2008-04-04 9:12 ` Jozsef Kadlecsik
2008-04-04 11:15 ` martin f krafft
2009-03-11 12:44 ` martin f krafft
2009-03-21 13:43 ` RFC 4890 (icmpv6 firewall recommendations) and ip6tables Chris Hills