Bug 113580

Summary: Re-requesting the return of stateful IPv6 packet filtering
Product: [openSUSE] SUSE LINUX 10.0
Reporter: Arjen Runsink <arjennw>
Component: Kernel
Assignee: Hubert Mantel <mantel>
Status: RESOLVED INVALID
QA Contact: E-mail List <qa-bugs>
Severity: Enhancement
Priority: P5 - None
CC: lnussel, meissner
Version: Beta 3
Target Milestone: ---
Hardware: Macintosh
OS: SuSE Pro 9.3
Whiteboard:
Found By: Customer
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Arjen Runsink 2005-08-27 19:26:06 UTC
L.S.  
  
9.2 had kernel support for stateful IPv6 packet filtering. Somehow this
support was, much to my dislike, dropped in 9.3. I have filed some reports as
soon as I bought 9.3 that I was very much appalled because I do have need for
it.

Today I downloaded and installed SUSE 10.0 beta 3 for ppc. And much to my
dismay I found that also this version lacks the stateful packet filtering for
IPv6. This will mean that I will have to look around for another distro/OS.
 
Regards, 
Arjen Runsink (aka Suit)

Comment 1 Marcus Meissner 2005-08-27 20:15:50 UTC
The problem is that it is missing in the _MAINLINE_ kernel.

We just have to wait until it is back there.

Comment 2 Arjen Runsink 2005-08-27 21:46:53 UTC
Just for the sake of the discussion, that never has stopped suse.

Reiserfs has been in the suse kernel long before it was in the mainline kernel.
EVMS is also out of the mainline kernel, but still in the suse kernel (9.3 at
least).
There probably are more examples.

Oh and stateful IPv6 has never been in the mainline kernel afaik. So is it a
new policy to stick with the mainline kernel now?

Comment 3 Olaf Kirch 2005-08-29 09:07:55 UTC
The issue with IPv6 state matching is that the patches we used were from 
the netfilter patch-o-matic, and were dropped _there_. So there simply 
are no state filtering patches for v6 at the moment that anyone could use. 
If there were, I'd happily include them. 
 
The netfilter team is currently working on generic conntrack (i.e. L3
agnostic tracking). I hope that once this code has stabilized enough to be
merged into mainline, state matching will be done on top of this new code.
 
(We ship the generic nf_conntrack code in 10.0 BTW)