extended ip6tables support disabled
During boot, just before runlevel 5 is reached I get following message. Looked into the help, had a look through the manpages and decided to give up and just ask the list why I get the following message, do I need to repair something or what does the ip6table do. Want to get rid of the message. Should be in plain English please ;-). Starting Firewall Initialization (phase 2 of 2) SuSEfirewall2: Warning: ip6tables does not support state matching. Extended IPv6 support disabled. ip6tables v1.3.1: Unknown arg `--reject-with' Try `ip6tables -h' or 'ip6tables --help' for more information. ip6tables v1.3.1: Unknown arg `--reject-with' Try `ip6tables -h' or 'ip6tables --help' for more information. ip6tables v1.3.1: Unknown arg `--reject-with' Try `ip6tables -h' or 'ip6tables --help' for more information. done
* C. Brouerius van Nidek <constant@indo.net.id> [09-03-05 07:37]:
Starting Firewall Initialization (phase 2 of 2) SuSEfirewall2: Warning: ip6tables does not support state matching. Extended IPv6 support disabled.
Your system does not support ipv6. Do a google search 'site:suse.com ipv6 disable' and find specific 9.3 information on how to disable ipv6 on your box. -- Patrick Shanahan Registered Linux User #207535 http://wahoo.no-ip.org @ http://counter.li.org HOG # US1244711 Photo Album: http://wahoo.no-ip.org/gallery
Saturday 03 Sep 2005 19:33 samaye Patrick Shanahan alekhiit:
* C. Brouerius van Nidek <constant@indo.net.id> [09-03-05 07:37]:
Starting Firewall Initialization (phase 2 of 2) SuSEfirewall2: Warning: ip6tables does not support state matching. Extended IPv6 support disabled.
I had the exact same error. Starting Firewall Initialization (phase 2 of 2) SuSEfirewall2: Warning: ip6tables does not support state matching. Extended IPv6 support disabled.
Your system does not support ipv6.
Which systems do support ipv6? You mean my computer or my internet connection?
Do a google search 'site:suse.com ipv6 disable' and find specific 9.3 information on how to disable ipv6 on your box.
Will try and get back... -- (o- Penguin #395953 lives at http://samvit.org //\ subsisting on ancient Indian wisdom ... V_/_ and modern computing efficiency! :)
* Shriramana Sharma <samjnaa@fastmail.fm> [09-03-05 10:32]:
Which systems do support ipv6?
google 'ipv6'
You mean my computer or my internet connection?
both -- Patrick Shanahan Registered Linux User #207535 http://wahoo.no-ip.org @ http://counter.li.org HOG # US1244711 Photo Album: http://wahoo.no-ip.org/gallery
Saturday 03 Sep 2005 19:33 samaye Patrick Shanahan alekhiit:
Your system does not support ipv6. Do a google search 'site:suse.com ipv6 disable' and find specific 9.3 information on how to disable ipv6 on your box.
I did not find any 9.3 specific information, but this stuff on 9.0 at: http://lists.suse.com/archive/suse-linux-e/2003-Dec/0034.html says: In /etc/modules.conf make the following change, replace alias net-pf-10 ipv6 # alias net-pf-10 off with # alias net-pf-10 ipv6 alias net-pf-10 off Run depmod -a && modprobe -r ipv6 (If modprobe can't unload the ipv6 module, then reboot) But there *is* no /etc/modules.conf on my machine! I only have a /etc/modprobe.conf if that's the same, and I don't have the exact same text as stated in the archive. I have the line: alias net-pf-6 netrom # install net-pf-6 /bin/true alias net-pf-10 ipv6 # install net-pf-10 /bin/true alias net-pf-11 rose # install net-pf-11 /bin/true Do I change this pf-10 entry? But I see the following on the top of the file: # Please don't edit this file. Place your settings into # /etc/modprobe.conf.local instead. So now do I go ahead with changing or what? Thanks. -- (o- Penguin #395953 lives at http://samvit.org //\ subsisting on ancient Indian wisdom ... V_/_ and modern computing efficiency! :)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The Saturday 2005-09-03 at 21:20 +0530, Shriramana Sharma wrote:
I did not find any 9.3 specific information, but this stuff on 9.0 at:
http://lists.suse.com/archive/suse-linux-e/2003-Dec/0034.html
It doesn't apply to 9.3. Back then we users had to dissable ipv6 because some applications, like mozilla, hung for a long time trying to find addresses there. That's not a problem in 9.3.
But there *is* no /etc/modules.conf on my machine! I only have a /etc/modprobe.conf if that's the same,
It replaces the other. You also have a /etc/modprobe.conf.local (for you to use) and /etc/modprobe.d/* directory.
So now do I go ahead with changing or what? Thanks.
No, don't. Just ignore the susefirewall error message. It only concerns you if you have an internet suplier that does support ipv6, because the firewall support for it is not complete. For longer explanations, please search the security mail list for the word "IPv6" in the subject line. - -- Cheers, Carlos Robinson -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (GNU/Linux) Comment: Made with pgp4pine 1.76 iD8DBQFDHCBRtTMYHG2NR9URAsuvAJ9h2YxpSeVLcmxIJcfq1gb+79rZfQCgi7Q/ nbio6x7yUEg4G7J6eJHp+qE= =Fure -----END PGP SIGNATURE-----
Patrick Shanahan wrote:
* C. Brouerius van Nidek <constant@indo.net.id> [09-03-05 07:37]:
Starting Firewall Initialization (phase 2 of 2) SuSEfirewall2: Warning: ip6tables does not support state matching. Extended IPv6 support disabled.
Your system does not support ipv6. Do a google search 'site:suse.com
Not true, Patrick. This warning message only happens if the kernel *does* support ipv6, but the ipv6 state matching module is not available. "State matching" means determining if a packet is a NEW connection, if it is RELATED to another established connection, or if it is part of an ESTABLISHED connection (and, if done as part of connection tracking, if it is a NAT translated packet). I always thought ip6tables does support state matching, but I find that the necessary module, ip6t_state, does not even exist on my system (no connection tracking modules for ipv6 either, for that matter). Maybe for some reason it just isn't compiled into the SuSE kernel, because the manpage for ip6tables does suggest that state matching is supported -- it works great in iptables. For Constant: I don't think you will be able to get rid of the warning message ("... extended support disabled") but you can get rid of the other stuff. Go into Yast, System, /etc/sysconfig editor, then set all the following variables to "no": Desktop/KDE_USES_IPV6 Network/Firewall/FW_IPV6 Hardware/Config/USE_IPV6 Also in /etc/modprobe.conf you will find the following lines (well, you actually don't need to --find-- either one :) ) -- alias sit0 ipv6 alias net-pf-10 ipv6 One of these lines is responsible for the ipv6 module being loaded somewhere in the boot process, and you don't need it at all. Add a line "install ipv6 /bin/true" to /etc/modprobe.conf.local which should prevent the ipv6 module from being loaded at all. I am not sure if this is actually necessary -- I didn't add it in, but the ipv6 module is still being loaded on my system, and rmmod says it is in use when I try to remove it. It's just that you don't need the ipv6 module loaded, it isn't being used and just takes up memory.
Patrick Shanahan wrote:
* C. Brouerius van Nidek <constant@indo.net.id> [09-03-05 07:37]:
Starting Firewall Initialization (phase 2 of 2) SuSEfirewall2: Warning: ip6tables does not support state matching. Extended IPv6 support disabled.
Your system does not support ipv6. Do a google search 'site:suse.com
Not true, Patrick. This warning message only happens if the kernel *does* support ipv6, but the ipv6 state matching module is not available. "State matching" means determining if a packet is a NEW connection, if it is RELATED to another established connection, or if it is part of an ESTABLISHED connection (and, if done as part of connection tracking, if it is a NAT translated packet). I always thought ip6tables does support state matching, but I find that the necessary module, ip6t_state, does not even exist on my system (no connection tracking modules for ipv6 either, for that matter). Maybe for some reason it just isn't compiled into the SuSE kernel, because the manpage for ip6tables does suggest that state matching is supported -- it works great in iptables. For Constant: I don't think you will be able to get rid of the warning message ("... extended support disabled") but you can get rid of the other stuff. Go into Yast, System, /etc/sysconfig editor, then set all the following variables to "no": Desktop/KDE_USES_IPV6 Network/Firewall/FW_IPV6 Hardware/Config/USE_IPV6 Also in /etc/modprobe.conf you will find the following lines (well, you actually don't need to --find-- either one :) ) -- alias sit0 ipv6 alias net-pf-10 ipv6 One of these lines is responsible for the ipv6 module being loaded somewhere in the boot process, and you don't need it at all. Add a line "install ipv6 /bin/true" to /etc/modprobe.conf.local which should prevent the ipv6 module from being loaded at all. I am not sure if this is actually necessary -- I didn't add it in, but the ipv6 module is still being loaded on my system, and rmmod says it is in use when I try to remove it. It's just that you don't need the ipv6 module loaded, it isn't being used and just takes up memory.
On Sat, Sep 03, 2005 at 07:35:34PM +0700, C. Brouerius van Nidek wrote:
During boot, just before runlevel 5 is reached I get following message. Looked into the help, had a look through the manpages and decided to give up and just ask the list why I get the following message, do I need to repair something or what does the ip6table do. Want to get rid of the message. Should be in plain English please ;-).
Just keep the message. The ipv6 extended state matching support was removed at one time and is still being rewritten for the 2.6 kernel netfilter framework. There are no patches available yet. Ciao, Marcus
On Sunday 04 September 2005 16:28, Marcus Meissner wrote:
On Sat, Sep 03, 2005 at 07:35:34PM +0700, C. Brouerius van Nidek wrote:
During boot, just before runlevel 5 is reached I get following message. Looked into the help, had a look through the manpages and decided to give up and just ask the list why I get the following message, do I need to repair something or what does the ip6table do. Want to get rid of the message. Should be in plain English please ;-).
Just keep the message.
The ipv6 extended state matching support was removed at one time and is still being rewritten for the 2.6 kernel netfilter framework.
There are no patches available yet.
Thanks for the clear answers. As I am always a little troubled when I get such information but now I can sleep again ;-).
participants (6)
-
C. Brouerius van Nidek -
Carlos E. R. -
Darryl Gregorash -
Marcus Meissner -
Patrick Shanahan -
Shriramana Sharma