Comments on: A weekend of IPv6 bug chasing http://berrange.com/posts/2007/03/25/a-weekend-of-ipv6-bug-chasing/ Writing about photography, open source software, virtualization & more Sun, 13 May 2012 09:58:15 +0000 hourly 1 http://wordpress.org/?v=3.3.2 By: Dawid http://berrange.com/posts/2007/03/25/a-weekend-of-ipv6-bug-chasing/comment-page-1/#comment-45 Dawid Sun, 25 Mar 2007 21:04:00 +0000 http://wordpress.berrange.com/?p=44#comment-45 OK, thanks for the clarification. OK, thanks for the clarification.

]]> By: Daniel http://berrange.com/posts/2007/03/25/a-weekend-of-ipv6-bug-chasing/comment-page-1/#comment-46 Daniel Sun, 25 Mar 2007 20:09:00 +0000 http://wordpress.berrange.com/?p=44#comment-46 No, it isn't a dup - <a href="https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=233725" rel="nofollow">my bug</a> was complaining about the fact that system-config-securitylevel does not even add a match on state == RELATED,ESTABLISHED to the ip6tables ruleset in the first place. <br /><br />Though the kernel bug you mention does mean that even if it did add such a conntrack rule, things would still be broken. So I guess my bug 233725 would have to be marked as depending on 209945. As a temporary workaround system-config-securitylevel could at least add an non-conntrack style rule to INPUT matching on '! --syn' to allow return traffic until the kernel conntrack stuff was fixed. As it stands it is just broken out-of-the box which doesn't help people trying out IPv6 because they will all have to manually allow port 80 (and similar for any other protocols they use outbound). No, it isn’t a dup – my bug was complaining about the fact that system-config-securitylevel does not even add a match on state == RELATED,ESTABLISHED to the ip6tables ruleset in the first place.

Though the kernel bug you mention does mean that even if it did add such a conntrack rule, things would still be broken. So I guess my bug 233725 would have to be marked as depending on 209945. As a temporary workaround system-config-securitylevel could at least add an non-conntrack style rule to INPUT matching on ‘! –syn’ to allow return traffic until the kernel conntrack stuff was fixed. As it stands it is just broken out-of-the box which doesn’t help people trying out IPv6 because they will all have to manually allow port 80 (and similar for any other protocols they use outbound).

]]> By: Dawid http://berrange.com/posts/2007/03/25/a-weekend-of-ipv6-bug-chasing/comment-page-1/#comment-47 Dawid Sun, 25 Mar 2007 19:39:00 +0000 http://wordpress.berrange.com/?p=44#comment-47 Isn't IPv6 bug #2 a dupe of https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=209945 ?<br /><br />You can also take a look at this post http://www.redhat.com/archives/fedora-test-list/2006-October/msg00580.html<br /><br />Regards,<br />Dawid Isn’t IPv6 bug #2 a dupe of https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=209945 ?

You can also take a look at this post http://www.redhat.com/archives/fedora-test-list/2006-October/msg00580.html

Regards,
Dawid

]]>