Mailinglist Archive: opensuse-security (137 mails)
Re: [suse-security] Why has IPv6 support worsend in SUSE 9.3
- From: Ludwig Nussel <ludwig.nussel@xxxxxxx>
- Date: Wed, 1 Jun 2005 10:56:13 +0200
- Message-id: <20050601085612.GA8704@xxxxxxx>
Arjen Runsink wrote:
> On Tuesday 31 May 2005 23:11, Joerg Mayer wrote:
>
> > > It was almost perfect in 9.2 but in 9.3 we are back to a level that
> > > looks like pre-millennium support for IPv4!!
> >
> > Can you please elaborate? I'm not using IPv6 much but I didn't notice
> > anything relevant from 9.2 to 9.3.
>
> The SUSE kernel in 9.2 has stateful package filtering/connection tracking.
> The only thing that did not work as supposed was to reject packages. All
> filtered were silently dropped.
>
> In 9.3 we are back to stateless packet filtering/connection tracking. As I
> happen to use this on my /48 ipv6 network, a safe filtered environment for my
> ipv6 machines behind the 9.3 soho router/firewall is out of the question for
> me atm.
Unfortunately the netfilter code changed a lot between the 9.2 and
9.3 kernel and stateful IPv6 filtering is not in mainline. The
effort of porting the patches for stateful IPv6 was considered too
high for 9.3. If you need stateful IPv6 you better stick with 9.2
and skip 9.3 :-(
cu
Ludwig
--
(o_ Ludwig Nussel
//\ SUSE LINUX Products GmbH, Development
V_/_ http://www.suse.de/