[Debian] CONFIG_NF_CONNTRACK_IPV6

Cédric Schieli cschieli at gmail.com
Sun Dec 12 11:19:15 EST 2010


2010/12/12 maximilian attems <max at stro.at>:
> On Sat, 11 Dec 2010, Cédric Schieli wrote:
>
>> Hello,
>>
>> What is the current status of NF_CONNTRACK_IPV6 in OpenVZ?
>> According to this post
>> (http://openvz.org/pipermail/debian/2010-March/000647.html) some
>> iptables fixes were still needed.
>> I rebuilt current Squeeze OpenVZ kernel (2.6.32-28) with
>> CONFIG_NF_CONNTRACK_IPV6 turned on and it seems to work like a charm.
>> (I'm using shorewall6 inside and outside VEs)
>> If nothing is blocking it anymore, could it be turned on in a future
>> kernel release?
>
> I am happy to turn it on, if it's working, will do so for next upload.
>
> Thanks for your testing.
>

After some more testing, it turns out not to work that well in VEs,
while all is OK in VE0.
Connections (to VE) are correctly marked as ESTABLISHED and ASSURED in
/proc/net/nf_conntrack, but RELATED packets are not matched as such by
the VE's iptables rules. But it does not seem to be IPv6-related, as I
get the same behaviour with IPv4 iptables rules. Is it supposed to work
in the IPv4 case?

Regards,
Cédric Schieli


