* state match support in ip6tables
From: marco @ 2004-03-11 22:54 UTC (permalink / raw)
To: netfilter
hi all, i need help with ip6tables and match support
can i use it with vanilla 2.4?
where can i get a patch to enable it (even if there's one)?
tnx
* Re: state match support in ip6tables
From: Alexander Samad @ 2004-03-11 23:30 UTC (permalink / raw)
To: netfilter
On Thu, Mar 11, 2004 at 11:54:30PM +0100, marco wrote:
> hi all, i need help with ip6tables and match support
>
> can i use it with vanilla 2.4?
> where can i get a patch to enable it (even if there's one)?
Connection tracking isn't implemented in IPv6 AFAIK.
>
> tnx
* Re: state match support in ip6tables
From: marco @ 2004-03-11 23:59 UTC (permalink / raw)
To: netfilter
this means i cannot set my input policy to drop, or i'll kill all my ack
packets, right?
On Fri, 2004-03-12 at 00:30, Alexander Samad wrote:
> On Thu, Mar 11, 2004 at 11:54:30PM +0100, marco wrote:
> > hi all, i need help with ip6tables and match support
> >
> > can i use it with vanilla 2.4?
> > where can i get a patch to enable it (even if there's one)?
>
> Connection tracking isn't implemented in IPv6 AFAIK.
>
> > tnx
* Re: state match support in ip6tables
From: Alexander Samad @ 2004-03-12 0:08 UTC (permalink / raw)
To: netfilter
On Fri, Mar 12, 2004 at 12:59:18AM +0100, marco wrote:
> this means i cannot set my input policy to drop, or i'll kill all my ack
> packets, right?
What it means is that you can't use -match state, so you don't have
access to NEW, ESTABLISHED or RELATED.
You can still check on all the ip flags.
Alex
>
> On Fri, 2004-03-12 at 00:30, Alexander Samad wrote:
> > On Thu, Mar 11, 2004 at 11:54:30PM +0100, marco wrote:
> > > hi all, i need help with ip6tables and match support
> > >
> > > can i use it with vanilla 2.4?
> > > where can i get a patch to enable it (even if there's one)?
> >
> > Connection tracking isn't implemented in IPv6 AFAIK.
> >
> > > tnx
* Re: state match support in ip6tables
From: Cedric Blancher @ 2004-03-12 7:50 UTC (permalink / raw)
To: Alexander Samad; +Cc: netfilter
On Fri 12/03/2004 at 01:08, Alexander Samad wrote:
> You can still check on all the ip flags
s/ip/tcp
--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
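Added example, not part of any poster's message or of the netfilter project: the workaround discussed above, a default-DROP INPUT policy for ip6tables without the state match, using TCP flag checks to let return traffic in. The function name, the ports and the resolver address are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: default-DROP IPv6 input filtering without the state match,
# using TCP flag checks. Function name, ports and resolver are assumptions.
# usage: stateless_v6_rules RESOLVER_ADDR [TCP_PORT...]
stateless_v6_rules() {
    resolver=$1
    [ -n "$resolver" ] || { echo "resolver address required" >&2; return 1; }
    shift
    # Validate every port first so a bad argument never yields a partial ruleset.
    for port in "$@"; do
        case $port in
            ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range: $port" >&2; return 1
        fi
    done
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    # Neighbour discovery runs over ICMPv6; dropping it all breaks IPv6.
    echo '-A INPUT -p ipv6-icmp -j ACCEPT'
    # New inbound connections (SYN set, RST/ACK clear) only to listed ports.
    for port in "$@"; do
        echo "-A INPUT -p tcp --syn --dport $port -j ACCEPT"
    done
    # Stand-in for ESTABLISHED: accept every TCP segment that is not a bare SYN.
    # Caveat: with no conntrack this is not tied to a connection we opened.
    echo '-A INPUT -p tcp ! --syn -j ACCEPT'
    # UDP has no flags: allow DNS answers from the one resolver only.
    echo "-A INPUT -p udp -s $resolver --sport 53 --dport 1024:65535 -j ACCEPT"
    echo 'COMMIT'
}

# Constructed sample values (2001:db8::/32 is the documentation prefix).
# Review the output, then load it with: ... | ip6tables-restore
stateless_v6_rules 2001:db8::53 22 443
```

Because the `! --syn` rule matches on flags alone, unsolicited ACK or FIN segments also reach the host; that gap is what the NEW/ESTABLISHED/RELATED states would close.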
* iptables query
From: Hitesh Ballani @ 2004-03-12 8:09 UTC (permalink / raw)
To: netfilter
hello,
i had another question ... i need a method to do one of the following 2
choices -
1. I receive a packet of an interface and apply source nat but i also need
to change the destination address!
or
2. I receive the packet and send it over a tunnel interface (based on the
destination address) but i also need to change the destination address (
the ROUTE patch allows me to direct the packet to the tunnel interface based
on the dest address but how do i change this address before it is sent to
the tunnel interface) ....also if i have multiple tunnel interfaces as
options for one destination address - can i achieve a round robin kind of
usage between them?
Thanks,
Hitesh
* Re: state match support in ip6tables
From: Frank Matthieß @ 2004-03-19 12:45 UTC (permalink / raw)
To: netfilter
Alexander Samad [2004-03-12 00:30 CET]:
> On Thu, Mar 11, 2004 at 11:54:30PM +0100, marco wrote:
> > hi all, i need help with ip6tables and match support
> >
> > can i use it with vanilla 2.4?
> > where can i get a patch to enable it (even if there's one)?
>
> Connection tracking isn't implemented in IPv6 AFAIK.
Do you know why this isn't implemented yet?
Are there technical reasons or only a problem of priorities?
I would like to have IPv6 stateful inspection, because i and some others
want to play with IPv6 over freenet6. But making firewall rules w/o
stateful inspection isn't really funny, nor is it comparable.
Frank.
--
Frank Matthieß
[x] Nail here for new monitor.
* Re: state match support in ip6tables
From: Alexander Samad @ 2004-03-19 22:57 UTC (permalink / raw)
To: netfilter
On Fri, Mar 19, 2004 at 01:45:04PM +0100, Frank Matthieß wrote:
> Alexander Samad [2004-03-12 00:30 CET]:
> > On Thu, Mar 11, 2004 at 11:54:30PM +0100, marco wrote:
> > > hi all, i need help with ip6tables and match support
> > >
> > > can i use it with vanilla 2.4?
> > > where can i get a patch to enable it (even if there's one)?
> >
> > Connection tracking isn't implemented in IPv6 AFAIK.
>
> Do you know why this isn't implemented yet?
> Are there technical reasons or only a problem of priorities?
No, I don't know, only passing on what I have read in the dev mailing
list.
>
> I would like to have IPv6 stateful inspection, because i and some others
> want to play with IPv6 over freenet6. But making firewall rules w/o
> stateful inspection isn't really funny, nor is it comparable.
agreed
>
> Frank.
> --
> Frank Matthieß
>
> [x] Nail here for new monitor.
* Re: state match support in ip6tables
From: Cedric Blancher @ 2004-03-19 23:51 UTC (permalink / raw)
To: netfilter
On Fri 19/03/2004 at 13:45, Frank Matthieß wrote:
> > Connection tracking isn't implemented in IPv6 AFAIK.
> Do you know why this isn't implemented yet?
> Are there technical reasons or only a problem of priorities?
Dev team wants to achieve a layer 3 independent framework with
associated conntrack, so they do not have to duplicate code between IPv4
and IPv6. Tools will be called pkttables. In the meantime, stuff like
POM-ng (for 2.6) or nfnetlink/ctnetlink seems to have been
prioritized. I am no developer, so I give you my understanding of the
situation, which can be a complete misunderstanding :)
However, Yasuyuki Kozakai from USAGI project posted a couple of patches
to add IPv6 conntrack to Netfilter. Just crawl the dev mailing list
archives and you will find it quickly.
> I would like to have IPv6 stateful inspection, because i and some
> others want to play with IPv6 over freenet6. But making firewall rules
> w/o stateful inspection isn't really funny, nor is it comparable.
Use Yasuyuki patch if it works fine for you (never tested it), or use
BSD pf while waiting for official pkttables release.
--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!