[Debian] CONFIG_NF_CONNTRACK_IPV6
Cédric Schieli
cschieli at gmail.com
Sun Dec 19 16:33:38 EST 2010
2010/12/12 maximilian attems <max at stro.at>:
> On Sat, 11 Dec 2010, Cédric Schieli wrote:
>
>> Hello,
>>
>> What is the current status of NF_CONNTRACK_IPV6 in OpenVZ ?
>> According to this post
>> (http://openvz.org/pipermail/debian/2010-March/000647.html) some
>> iptables fixes were still needed.
>> I rebuilt current Squeeze OpenVZ kernel (2.6.32-28) with
>> CONFIG_NF_CONNTRACK_IPV6 turned on and it seems to work like a charm.
>> (I'm using shorewall6 inside and outside VEs)
>> If nothing is blocking it anymore, could it be turned on in a future
>> kernel release ?
>
> I am happy to turn it on, if it's working, will do so for next upload.
>
> thanks for your testing.
>
Hello,
I saw your commit in svn.debian.org (r16704) and then you reverted it
(r16707) with the following comment: report post is not credible.
To be more credible, here you will find part of my setup:
chest = VE0
macdo = VE
root at chest:~# grep ^IP /etc/vz/vz.conf
IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length"
IPV6="yes"
IP6TABLES="ip6_tables ip6table_filter ip6table_mangle ip6t_REJECT"
root at chest:~# tail -n 2 /etc/vz/names/macdo
IPTABLES="ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_state ipt_helper iptable_nat ip_nat_ftp ip_nat_irc ipt_REDIRECT xt_mac ipt_recent ipt_owner "
CAPABILITY="NET_ADMIN:on "
root at chest:~# cat /proc/version
Linux version 2.6.32-5-openvz-686 (Debian 2.6.32-28+local1) (root at chest.at.home) (gcc version 4.3.5 (Debian 4.3.5-4) ) #1 SMP Tue Dec 7 21:00:06 CET 2010
root at chest:~# ip6tables -nvx -L
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
1 80 dynamic all * * ::/0
::/0 ctstate INVALID,NEW
56 7479 net2fw all xenbr0 * ::/0
::/0
0 0 ACCEPT all lo * ::/0
::/0
0 0 ACCEPT all * * ::/0
::/0 ctstate RELATED,ESTABLISHED
0 0 Drop all * * ::/0
::/0
0 0 DROP all * * ::/0
::/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
1 80 dynamic all * * ::/0
::/0 ctstate INVALID,NEW
214 36446 net_frwd all xenbr0 * ::/0
::/0
0 0 ACCEPT all * * ::/0
::/0 ctstate RELATED,ESTABLISHED
0 0 Drop all * * ::/0
::/0
0 0 DROP all * * ::/0
::/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
37 6107 fw2net all * xenbr0 ::/0
::/0
0 0 ACCEPT all * lo ::/0
::/0
0 0 ACCEPT all * * ::/0
::/0 ctstate RELATED,ESTABLISHED
6 384 ACCEPT all * * ::/0
::/0
Chain AllowICMPs (2 references)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT icmpv6 * * ::/0
::/0 ipv6-icmp type 1 /* Needed ICMP types
(RFC4890) */
0 0 ACCEPT icmpv6 * * ::/0
::/0 ipv6-icmp type 2 /* Needed ICMP types
(RFC4890) */
0 0 ACCEPT icmpv6 * * ::/0
::/0 ipv6-icmp type 3 /* Needed ICMP types
(RFC4890) */
0 0 ACCEPT icmpv6 * * ::/0
::/0 ipv6-icmp type 4 /* Needed ICMP types
(RFC4890) */
0 0 ACCEPT icmpv6 * * ::/0
::/0 ipv6-icmp type 133 /* Needed ICMP types
(RFC4890) */
2 288 ACCEPT icmpv6 * * ::/0
::/0 ipv6-icmp type 134 /* Needed ICMP types
(RFC4890) */
1 72 ACCEPT icmpv6 * * ::/0
::/0 ipv6-icmp type 135 /* Needed ICMP types
(RFC4890) */
0 0 ACCEPT icmpv6 * * ::/0
::/0 ipv6-icmp type 136 /* Needed ICMP types
(RFC4890) */
0 0 ACCEPT icmpv6 * * ::/0
::/0 ipv6-icmp type 137 /* Needed ICMP types
(RFC4890) */
0 0 ACCEPT icmpv6 * * ::/0
::/0 ipv6-icmp type 141 /* Needed ICMP types
(RFC4890) */
0 0 ACCEPT icmpv6 * * ::/0
::/0 ipv6-icmp type 142 /* Needed ICMP types
(RFC4890) */
0 0 ACCEPT icmpv6 * * fe80::/10
::/0 ipv6-icmp type 130 /* Needed ICMP types
(RFC4890) */
0 0 ACCEPT icmpv6 * * fe80::/10
::/0 ipv6-icmp type 131 /* Needed ICMP types
(RFC4890) */
0 0 ACCEPT icmpv6 * * fe80::/10
::/0 ipv6-icmp type 132 /* Needed ICMP types
(RFC4890) */
0 0 ACCEPT icmpv6 * * fe80::/10
::/0 ipv6-icmp type 143 /* Needed ICMP types
(RFC4890) */
0 0 ACCEPT icmpv6 * * ::/0
::/0 ipv6-icmp type 148 /* Needed ICMP types
(RFC4890) */
0 0 ACCEPT icmpv6 * * ::/0
::/0 ipv6-icmp type 149 /* Needed ICMP types
(RFC4890) */
0 0 ACCEPT icmpv6 * * fe80::/10
::/0 ipv6-icmp type 151 /* Needed ICMP types
(RFC4890) */
0 0 ACCEPT icmpv6 * * fe80::/10
::/0 ipv6-icmp type 152 /* Needed ICMP types
(RFC4890) */
0 0 ACCEPT icmpv6 * * fe80::/10
::/0 ipv6-icmp type 153 /* Needed ICMP types
(RFC4890) */
Chain Drop (3 references)
pkts bytes target prot opt in out source
destination
0 0 reject tcp * * ::/0
::/0 tcp dpt:113 /* Auth */
3 360 AllowICMPs icmpv6 * * ::/0
::/0
0 0 dropBcast all * * ::/0
::/0
0 0 dropInvalid all * * ::/0
::/0
0 0 DROP udp * * ::/0
::/0 multiport dports 135,445 /* SMB */
0 0 DROP udp * * ::/0
::/0 udp dpts:137:139 /* SMB */
0 0 DROP udp * * ::/0
::/0 udp spt:137 dpts:1024:65535 /* SMB */
0 0 DROP tcp * * ::/0
::/0 multiport dports 135,139,445 /* SMB */
0 0 dropNotSyn tcp * * ::/0
::/0
0 0 DROP udp * * ::/0
::/0 udp spt:53 /* Late DNS Replies */
Chain Reject (0 references)
pkts bytes target prot opt in out source
destination
0 0 reject tcp * * ::/0
::/0 tcp dpt:113 /* Auth */
0 0 AllowICMPs icmpv6 * * ::/0
::/0
0 0 dropBcast all * * ::/0
::/0
0 0 dropInvalid all * * ::/0
::/0
0 0 reject udp * * ::/0
::/0 multiport dports 135,445 /* SMB */
0 0 reject udp * * ::/0
::/0 udp dpts:137:139 /* SMB */
0 0 reject udp * * ::/0
::/0 udp spt:137 dpts:1024:65535 /* SMB */
0 0 reject tcp * * ::/0
::/0 multiport dports 135,139,445 /* SMB */
0 0 dropNotSyn tcp * * ::/0
::/0
0 0 DROP udp * * ::/0
::/0 udp spt:53 /* Late DNS Replies */
Chain dropBcast (2 references)
pkts bytes target prot opt in out source
destination
0 0 DROP all * * ::/0
2a01:e35:8a95:1450::/128
0 0 DROP all * * ::/0
2a01:e35:8a95:1450:ffff:ffff:ffff:ff80/121
0 0 DROP all * * ::/0
ff00::/8
Chain dropInvalid (2 references)
pkts bytes target prot opt in out source
destination
0 0 DROP all * * ::/0
::/0 ctstate INVALID
Chain dropNotSyn (2 references)
pkts bytes target prot opt in out source
destination
0 0 DROP tcp * * ::/0
::/0 tcp flags:!0x17/0x02
Chain dynamic (2 references)
pkts bytes target prot opt in out source
destination
Chain fw2net (1 references)
pkts bytes target prot opt in out source
destination
36 6035 ACCEPT all * * ::/0
::/0 ctstate RELATED,ESTABLISHED
1 72 ACCEPT all * * ::/0
::/0
Chain logdrop (0 references)
pkts bytes target prot opt in out source
destination
0 0 DROP all * * ::/0
::/0
Chain logreject (0 references)
pkts bytes target prot opt in out source
destination
0 0 reject all * * ::/0
::/0
Chain net2fw (1 references)
pkts bytes target prot opt in out source
destination
52 7039 ACCEPT all * * ::/0
::/0 ctstate RELATED,ESTABLISHED
1 80 ACCEPT tcp * * ::/0
::/0 tcp dpt:22 /* SSH */
0 0 ACCEPT icmpv6 * * ::/0
::/0 ipv6-icmp type 128 /* Ping */
3 360 Drop all * * ::/0
::/0
0 0 DROP all * * ::/0
::/0
Chain net_frwd (1 references)
pkts bytes target prot opt in out source
destination
214 36446 ACCEPT all * xenbr0 ::/0
::/0
Chain reject (7 references)
pkts bytes target prot opt in out source
destination
0 0 DROP all * * ::/0
[OBFUSCATED]::/128
0 0 DROP all * * ::/0
[OBFUSCATED]:ffff:ffff:ffff:ff80/121
0 0 DROP all * * ff00::/8
::/0
0 0 DROP 2 * * ::/0
::/0
0 0 REJECT tcp * * ::/0
::/0 reject-with tcp-reset
0 0 REJECT udp * * ::/0
::/0 reject-with icmp6-port-unreachable
0 0 REJECT icmpv6 * * ::/0
::/0 reject-with icmp6-addr-unreachable
0 0 REJECT all * * ::/0
::/0 reject-with icmp6-adm-prohibited
Chain shorewall (0 references)
pkts bytes target prot opt in out source
destination
root at macdo:~# cat /proc/version
Linux version 2.6.32-5-openvz-686 (Debian 2.6.32-28+local1) (root at chest.at.home) (gcc version 4.3.5 (Debian 4.3.5-4) ) #1 SMP Tue Dec 7 21:00:06 CET 2010
root at macdo:~# ip6tables -nvx -L
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
1 80 dynamic all * * ::/0
::/0 ctstate INVALID,NEW
59 7815 net2fw all eth0 * ::/0
::/0
0 0 ACCEPT all lo * ::/0
::/0
0 0 ACCEPT all * * ::/0
::/0 ctstate RELATED,ESTABLISHED
0 0 Drop all * * ::/0
::/0
0 0 DROP all * * ::/0
::/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
0 0 dynamic all * * ::/0
::/0 ctstate INVALID,NEW
0 0 ACCEPT all * * ::/0
::/0 ctstate RELATED,ESTABLISHED
0 0 Drop all * * ::/0
::/0
0 0 DROP all * * ::/0
::/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
48 7091 fw2net all * eth0 ::/0
::/0
0 0 ACCEPT all * lo ::/0
::/0
0 0 ACCEPT all * * ::/0
::/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all * * ::/0
::/0
Chain AllowICMPs (2 references)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT icmpv6 * * ::/0
::/0 ipv6-icmp type 1 /* Needed ICMP types
(RFC4890) */
0 0 ACCEPT icmpv6 * * ::/0
::/0 ipv6-icmp type 2 /* Needed ICMP types
(RFC4890) */
0 0 ACCEPT icmpv6 * * ::/0
::/0 ipv6-icmp type 3 /* Needed ICMP types
(RFC4890) */
0 0 ACCEPT icmpv6 * * ::/0
::/0 ipv6-icmp type 4 /* Needed ICMP types
(RFC4890) */
0 0 ACCEPT icmpv6 * * ::/0
::/0 ipv6-icmp type 133 /* Needed ICMP types
(RFC4890) */
1 144 ACCEPT icmpv6 * * ::/0
::/0 ipv6-icmp type 134 /* Needed ICMP types
(RFC4890) */
1 72 ACCEPT icmpv6 * * ::/0
::/0 ipv6-icmp type 135 /* Needed ICMP types
(RFC4890) */
0 0 ACCEPT icmpv6 * * ::/0
::/0 ipv6-icmp type 136 /* Needed ICMP types
(RFC4890) */
0 0 ACCEPT icmpv6 * * ::/0
::/0 ipv6-icmp type 137 /* Needed ICMP types
(RFC4890) */
0 0 ACCEPT icmpv6 * * ::/0
::/0 ipv6-icmp type 141 /* Needed ICMP types
(RFC4890) */
0 0 ACCEPT icmpv6 * * ::/0
::/0 ipv6-icmp type 142 /* Needed ICMP types
(RFC4890) */
0 0 ACCEPT icmpv6 * * fe80::/10
::/0 ipv6-icmp type 130 /* Needed ICMP types
(RFC4890) */
0 0 ACCEPT icmpv6 * * fe80::/10
::/0 ipv6-icmp type 131 /* Needed ICMP types
(RFC4890) */
0 0 ACCEPT icmpv6 * * fe80::/10
::/0 ipv6-icmp type 132 /* Needed ICMP types
(RFC4890) */
0 0 ACCEPT icmpv6 * * fe80::/10
::/0 ipv6-icmp type 143 /* Needed ICMP types
(RFC4890) */
0 0 ACCEPT icmpv6 * * ::/0
::/0 ipv6-icmp type 148 /* Needed ICMP types
(RFC4890) */
0 0 ACCEPT icmpv6 * * ::/0
::/0 ipv6-icmp type 149 /* Needed ICMP types
(RFC4890) */
0 0 ACCEPT icmpv6 * * fe80::/10
::/0 ipv6-icmp type 151 /* Needed ICMP types
(RFC4890) */
0 0 ACCEPT icmpv6 * * fe80::/10
::/0 ipv6-icmp type 152 /* Needed ICMP types
(RFC4890) */
0 0 ACCEPT icmpv6 * * fe80::/10
::/0 ipv6-icmp type 153 /* Needed ICMP types
(RFC4890) */
Chain Drop (3 references)
pkts bytes target prot opt in out source
destination
0 0 reject tcp * * ::/0
::/0 tcp dpt:113 /* Auth */
2 216 AllowICMPs icmpv6 * * ::/0
::/0
0 0 dropInvalid all * * ::/0
::/0
0 0 DROP udp * * ::/0
::/0 multiport dports 135,445 /* SMB */
0 0 DROP udp * * ::/0
::/0 udp dpts:137:139 /* SMB */
0 0 DROP udp * * ::/0
::/0 udp spt:137 dpts:1024:65535 /* SMB */
0 0 DROP tcp * * ::/0
::/0 multiport dports 135,139,445 /* SMB */
0 0 dropNotSyn tcp * * ::/0
::/0
0 0 DROP udp * * ::/0
::/0 udp spt:53 /* Late DNS Replies */
Chain Reject (0 references)
pkts bytes target prot opt in out source
destination
0 0 reject tcp * * ::/0
::/0 tcp dpt:113 /* Auth */
0 0 AllowICMPs icmpv6 * * ::/0
::/0
0 0 dropInvalid all * * ::/0
::/0
0 0 reject udp * * ::/0
::/0 multiport dports 135,445 /* SMB */
0 0 reject udp * * ::/0
::/0 udp dpts:137:139 /* SMB */
0 0 reject udp * * ::/0
::/0 udp spt:137 dpts:1024:65535 /* SMB */
0 0 reject tcp * * ::/0
::/0 multiport dports 135,139,445 /* SMB */
0 0 dropNotSyn tcp * * ::/0
::/0
0 0 DROP udp * * ::/0
::/0 udp spt:53 /* Late DNS Replies */
Chain dropInvalid (2 references)
pkts bytes target prot opt in out source
destination
0 0 DROP all * * ::/0
::/0 ctstate INVALID
Chain dropNotSyn (2 references)
pkts bytes target prot opt in out source
destination
0 0 DROP tcp * * ::/0
::/0 tcp flags:!0x17/0x02
Chain dynamic (2 references)
pkts bytes target prot opt in out source
destination
Chain fw2net (1 references)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT udp * * ::/0
::/0 udp dpts:546:547
44 6823 ACCEPT all * * ::/0
::/0 ctstate RELATED,ESTABLISHED
4 268 ACCEPT all * * ::/0
::/0
Chain logdrop (0 references)
pkts bytes target prot opt in out source
destination
0 0 DROP all * * ::/0
::/0
Chain logreject (0 references)
pkts bytes target prot opt in out source
destination
0 0 reject all * * ::/0
::/0
Chain net2fw (1 references)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT udp * * ::/0
::/0 udp dpts:546:547
56 7519 ACCEPT all * * ::/0
::/0 ctstate RELATED,ESTABLISHED
1 80 ACCEPT tcp * * ::/0
::/0 tcp dpt:22 /* SSH */
0 0 ACCEPT icmpv6 * * ::/0
::/0 ipv6-icmp type 128 /* Ping */
2 216 Drop all * * ::/0
::/0
0 0 DROP all * * ::/0
::/0
Chain reject (7 references)
pkts bytes target prot opt in out source
destination
0 0 DROP all * * ff00::/10
::/0
0 0 DROP 2 * * ::/0
::/0
0 0 REJECT tcp * * ::/0
::/0 reject-with tcp-reset
0 0 REJECT udp * * ::/0
::/0 reject-with icmp6-port-unreachable
0 0 REJECT icmpv6 * * ::/0
::/0 reject-with icmp6-addr-unreachable
0 0 REJECT all * * ::/0
::/0 reject-with icmp6-adm-prohibited
Chain shorewall (0 references)
pkts bytes target prot opt in out source
destination
Regards,
Cédric Schieli
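
One way to read listings like the two above for evidence that IPv6 connection tracking is matching traffic, added here as an example and not part of the original message. The function names `ctstate_hits`, `conntrack_seen` and `sample_report` are hypothetical, and the check assumes that a non-zero packet counter on a `ctstate ... ESTABLISHED` rule is the signal of interest.

```shell
#!/bin/sh
# Reads `ip6tables -nvx -L` output on stdin, one rule per line (as ip6tables
# prints it, before any mail line-wrapping), and prints
# "chain target states pkts" for every rule that uses a ctstate match.
ctstate_hits() {
    awk '
        $1 == "Chain" { chain = $2; next }   # "Chain INPUT (policy ...)"
        $1 == "pkts"  { next }               # column header line
        $1 ~ /^[0-9]+$/ {                    # rule line: pkts bytes target ...
            for (i = 4; i < NF; i++)
                if ($i == "ctstate")
                    printf "%s %s %s %d\n", chain, $3, $(i + 1), $1
        }
    '
}

# Exit status 0 only if some rule matching an ESTABLISHED state has counted
# at least one packet, i.e. conntrack has classified real traffic.
conntrack_seen() {
    ctstate_hits | awk '$3 ~ /ESTABLISHED/ && $4 > 0 { ok = 1 } END { exit !ok }'
}

# Constructed sample: rows taken from the net2fw and dropInvalid chains of the
# VE0 listing above, rejoined onto single lines.
SAMPLE='Chain net2fw (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      52     7039 ACCEPT     all      *      *       ::/0                 ::/0                ctstate RELATED,ESTABLISHED
       1       80 ACCEPT     tcp      *      *       ::/0                 ::/0                tcp dpt:22 /* SSH */
Chain dropInvalid (2 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DROP       all      *      *       ::/0                 ::/0                ctstate INVALID'

sample_report() { printf '%s\n' "$SAMPLE" | ctstate_hits; }

sample_report
```

On a live host the same functions can be fed directly, for example `ip6tables -nvx -L | conntrack_seen && echo tracked`.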