07-14-2010, 06:42 AM
Klaus Maria Pfeiffer

Bug#580507: linux-image-2.6.32-5-openvz-amd64: CONFIG_NF_CONNTRACK_IPV6 is not set

Hi!

It's the same for 2.6.32-17.

So, I have fears that the next Debian stable will be w/o usable IPv6 support for
the openvz kernel.

gre3tings, Klaus



--
To UNSUBSCRIBE, email to debian-kernel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/201007140842.43429.kmp+debian.reportbug@kmp.or.at
 
12-14-2010, 02:41 AM
Steven Chamberlain

Bug#580507: linux-image-2.6.32-5-openvz-amd64: CONFIG_NF_CONNTRACK_IPV6 is not set

Hi,

This is still missing from current 2.6.32-5-openvz-amd64. It's enabled
as a module for linux-image-2.6.32-5-amd64 though. It's not clear to me
why it's missing from the openvz flavour.


Anyway, the lack of nf_conntrack_ipv6 doesn't prevent IPv6 from being
used in OpenVZ host/guest VEs, because net.ipv6.conf.default.forwarding
still causes the host to act as an IPv6 router for guest VEs.


The reason nf_conntrack_ipv6 is desirable is because it allows the use
of '-m state --state RELATED,ESTABLISHED' in ip6tables rules (in either
the host VE's FORWARD table or guest VEs' INPUT tables), so that traffic
to most ports can be filtered except in response to outgoing
connections. This gives IPv6 hosts an additional layer of security that
was traditionally a side-effect of NAT in IPv4.


My suggested alternative in the meantime is to keep ports 1024-65535
open, because source ports for outgoing connections will usually be in
that range. Most services will listen on ports 1-1023, which can be
filtered/closed except for any services that need to be public.


Regards,
--
Steven Chamberlain
steven@pyro.eu.org



Archive: http://lists.debian.org/4D06E773.6080100@pyro.eu.org
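
The two filtering approaches from the message above, as an added example that is not part of the original thread: a script that reads a kernel config file (on Debian, `/boot/config-$(uname -r)`) and emits a guest-VE `INPUT` ruleset for `ip6tables-restore`, stateful when `CONFIG_NF_CONNTRACK_IPV6` is enabled and using the port-range workaround otherwise. The function names, the public ports 22 and 80, the sample config lines, and the loopback and ICMPv6 accept rules are assumptions added here.

```shell
#!/bin/sh
# Added example: choose an IPv6 INPUT policy from the kernel config.

# conntrack6_enabled CONFIG_FILE
# Exit 0 if nf_conntrack_ipv6 is built in (=y) or available as a module (=m).
conntrack6_enabled() {
    grep -Eq '^CONFIG_NF_CONNTRACK_IPV6=(y|m)$' "$1"
}

# emit_rules CONFIG_FILE "PUBLIC_TCP_PORTS"
# Print an ip6tables-restore ruleset on stdout.
emit_rules() {
    cfg=$1
    public_ports=$2
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    # ICMPv6 carries neighbour discovery; IPv6 stops working if it is dropped.
    echo '-A INPUT -p ipv6-icmp -j ACCEPT'
    if conntrack6_enabled "$cfg"; then
        # Stateful: only replies to connections this host opened get in.
        echo '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    else
        # Stateless workaround from the post: leave the range used for
        # outgoing source ports open, filter everything below 1024.
        echo '-A INPUT -p tcp --dport 1024:65535 -j ACCEPT'
        echo '-A INPUT -p udp --dport 1024:65535 -j ACCEPT'
    fi
    # Services that must be public (assumed list passed by the caller).
    for p in $public_ports; do
        echo "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    echo 'COMMIT'
}

# Constructed sample configs, one per kernel flavour discussed in the thread.
demo=$(mktemp -d)
echo '# CONFIG_NF_CONNTRACK_IPV6 is not set' > "$demo/openvz"
echo 'CONFIG_NF_CONNTRACK_IPV6=m' > "$demo/stock"
for flavour in openvz stock; do
    echo "## ruleset for $flavour config"
    emit_rules "$demo/$flavour" "22 80"
done
rm -rf "$demo"
```

The fallback ruleset is stateless, so any daemon in the guest that listens on a port in 1024-65535 is reachable from outside; audit listening sockets before relying on it.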
 
