Comments:
<0> could somebody point me a doc to format a patch with git ?
<1> I patched my kernel (2.6.15) with nf-hipac (and patched nf-hipac with the hipac-2.6.14 patch). However I don't see anything in the netfilter submenu to enable nf-hipac
<2> what is the current state of IPv6 connection tracking in 2.6.16? I notice that the state module is in, but all packets are in the INVALID state
<1> CONFIG_IP_NF_IPTABLES=y and CONFIG_NETFILTER_NETLINK=y along with QUEUE and LOG
<1> along with CONFIG_NETFILTER=y
<3> danieldg: modprobe nf_conntrack ; modprobe nf_conntrack_ipv6
<2> FATAL: Module nf_conntrack not found.
<3> danieldg: did you select nf_conntrack support? maybe compiled it into the kernel?
<2> I have CONFIG_IP_NF_CONNTRACK=m
<3> and selected conntrack support for ipv6?
<3> you want CONFIG_NF_CONNTRACK=m
<3> and CONFIG_NF_CONNTRACK_IPV6=m
<2> I don't have either of those
<3> CONFIG_IP_NF_CONNTRACK is ip_conntrack which is ipv4 only
<3> CONFIG_NF_CONNTRACK is nf_conntrack, the new layer3 independent conntrack, then you have an nf_conntrack_ipv4 and an nf_conntrack_ipv6 module to support those protocols
<2> ah, found it. needed to disable the old conntrack first
<3> beware that nf_conntrack doesn't support NAT for ipv4 yet
<2> that's fine, I don't use NAT
<3> don't forget to load the nf_conntrack_ipv4 and nf_conntrack_ipv6 modules, otherwise all packets will get state INVALID
<2> looks like it's working; I'm going to try making a ruleset for it. Thanks Gandalf_
<3> great
<2> hmm, apparently I spoke too soon. It works on the local network, but not for packets coming in on the tunnel interface
<3> echo 255 > /proc/sys/net/netfilter/nf_conntrack_log_invalid
<3> and check the logs, maybe there's a reason there
<3> I assume the packets get marked as invalid...
<2> yes. do you want a line that that setting produces?
<3> sure
<2> Feb 4 18:14:30 gamma kernel: nf_ct_tcp: invalid state IN= OUT= SRC=2002:4071:4c37:0000:0000:0000:0000:0001 DST=2001:06b0:0001:00ea:0202:a5ff:fecd:13a6 LEN=72 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=34301 DPT=80 SEQ=207127116 ACK=1226574856 WINDOW=1420 RES=0x00 ACK URGP=0 OPT (0101080A000E4416523B0443) UID=1001
<3> ok
<3> what's the value of nf_conntrack_loose ?
<3> grr
<3> nf_conntrack_tcp_loose
<2> /proc/sys/net/netfilter/nf_conntrack_tcp_loose:3
<3> ok
<3> it's complaining about "invalid state", it didn't expect an ACK packet, probably because the tcp session was active before nf_conntrack was loaded
<3> but with a value of 3 it should pick up already established connections...
<2> that was from loading a webpage, I launched the browser after loading the new ruleset
<3> I'm not sober enough to debug this further tonight
<3> :)
<2> ok :)
<4> is there any way to use --state ESTABLISHED,RELATED with IPv6?
<4> with 2.6.16-rc2 and iptables 1.3.5 the rule is accepted, but doesn't seem to work
<3> you have to select CONFIG_NF_CONNTRACK and CONFIG_NF_CONNTRACK_IPV4 and CONFIG_NF_CONNTRACK_IPV6
<3> not CONFIG_IP_NF_CONNTRACK
<3> only the new nf_conntrack has support for ipv6, ip_conntrack only supports ipv4
<4> I read on the netfilter list that I lose the ability to do IPv4 NAT with nf_conntrack?
<3> yes
<3> that hasn't been implemented yet
<4> ah, I may hold off until it is :) Is there any known timeframe at all?
<3> no timeframe yet
<3> the problem is to design the NAT support so it won't be easy to enable it for ipv6...
<4> why make it hard to enable for ipv6?
<3> because netfilter will _never_ have support for ipv6 NAT
<3> NAT is ugly and serves no purpose for ipv6
<4> indeed
<4> well, thank you for the info!
<3> np
<5> gug
<2> Gandalf_: do you have anything else I can try to get conntrack working on an IPv6 tunnel interface?
<6> nfulnl_test from libnetfilter_log always segfaults when returning from the callback function, I don't know why
<6> somehow print_pkt kills the return address of cb()
<6> it must be in one of those nflog_get_ functions...
<6> there is an overflow in nflog_get_payload()
<6> in the example program it takes a void pointer and crashes
<6> when I give it a character array it works
<6> or well it does not work, but it does not segfault either