nanog mailing list archives

Re: Ipv6 for the content provider


From: Antonio Querubin <tony () lava net>
Date: Wed, 26 Jan 2011 13:05:50 -1000 (HST)

On Wed, 26 Jan 2011, Randy McAnally wrote:

> The only issue I've faced is RHEL/CentOS doesn't have stateful connection
> tracking for IPv6 - so ip6tables is practically worthless.

As long as you're willing to run your iptables through a modification filter to generate the corresponding ip6tables you should be ok. The following sed script might come in handy.

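# ICMP becomes ICMPv6
s/-p icmp --icmp-type any/-p icmpv6/
# No IPv6 connection tracking: replace the ESTABLISHED,RELATED rule with two
# stateless rules for ports 32768:61000, one for UDP (printed by the p flag)
# and one for TCP packets that do not match --syn
/-m state --state ESTABLISHED,RELATED/ {
  s/-m state --state ESTABLISHED,RELATED/-p udp -m udp --dport 32768:61000/p
  s/udp/tcp/g
  s/61000/61000 ! --syn/
}
# Drop the NEW state match, keeping the rest of the rule
s/-m state --state NEW //
# mDNS multicast group and REJECT type, IPv6 equivalents
s/224\.0\.0\.251/ff02::fb/
s/icmp-host-prohibited/icmp6-adm-prohibited/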

Modify as needed.  YMMV.


Antonio Querubin
e-mail/xmpp:  tony () lava net

