Bugzilla – Bug 113580
Re-requesting the return of stateful IPv6 packet filtering
Last modified: 2005-08-29 09:07:55 UTC
L.S.

9.2 had kernel support for stateful IPv6 packet filtering. Somehow this support was, much to my dislike, dropped in 9.3. I have filed some reports as soon as I bought 9.3 that I was very much appalled because I do have need for it. Today I downloaded and installed SUSE 10.0 beta 3 for ppc. And much to my dismay I found that also this version lacks the stateful packet filtering for IPv6. This will mean that I will have to look around for another distro/OS.

Regards, Arjen Runsink (aka Suit)
The problem is that it is missing in the _MAINLINE_ kernel. We just have to wait until it is back there.
Just for the sake of the discussion, that never has stopped SUSE. Reiserfs has been in the SUSE kernel long before it was in the mainline kernel. EVMS is also out of the mainline kernel, but still in the SUSE kernel (9.3 at least). There probably are more examples. Oh and stateful IPv6 has never been in the mainline kernel afaik. So is it a new policy to stick with the mainline kernel now?
The issue with IPv6 state matching is that the patches we used were from the netfilter patch-o-matic, and were dropped _there_. So there simply are no state filtering patches for v6 at the moment that anyone could use. If there were, I'd happily include them. The netfilter team is currently working on generic conntrack (i.e. L3-agnostic tracking). I hope that once this code has stabilized enough to be merged into mainline, state matching will be done on top of this new code. (We ship the generic nf_conntrack code in 10.0, BTW.)