similar to: [Bug 616] Duplicate rules for multi-homed hostnames. IPv4 and IPv6 inconsistent treatment.

http://bugzilla.netfilter.org/show_bug.cgi?id=616 Summary: Duplicate rules for multi-homed hostnames. IPv4 and IPv6 inconsistent treatment. Product: iptables Version: unspecified Platform: i386 OS/Version: All Status: NEW Severity: minor Priority: P4 Component: iptables

https://bugzilla.netfilter.org/show_bug.cgi?id=616 --- Comment #5 from - <kd6lvw at yahoo.com> 2013-07-09 03:45:06 CEST --- Re: Comment #4. One doesn't know what the addresses are until they are retrieved from the DNS. The point is that the routines which generate the rules are NOT checking the values AFTER the CIDR netmask is applied to eliminate POST-MASK duplicate answers. The

https://bugzilla.netfilter.org/show_bug.cgi?id=616 --- Comment #7 from - <kd6lvw at yahoo.com> 2013-07-09 09:35:30 CEST --- Re: Comment #6 - It is up to the author of the ruleset to determine policy. It is the duty of the software to properly execute that policy. Here, the software fails to do so because it produces duplicate redundant rules which are never used. Note that iptables-save

https://bugzilla.netfilter.org/show_bug.cgi?id=616 --- Comment #9 from - <kd6lvw at yahoo.com> 2013-07-09 19:56:29 CEST --- RE: Comment #7: "It seems your best solution is to add a single rule with 208.83.136.0/22." Yet, it adds THREE rules, two of which will never fire, thus the problem and bug report. Extend your quota example: When the first rule reaches the quota, it will

https://bugzilla.netfilter.org/show_bug.cgi?id=616 Phil Oester <netfilter at linuxace.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |netfilter at linuxace.com --- Comment #3 from Phil Oester <netfilter at linuxace.com> 2013-06-21

https://bugzilla.netfilter.org/show_bug.cgi?id=616 Phil Oester <netfilter at linuxace.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |RESOLVED Resolution| |WONTFIX --- Comment #10 from Phil Oester

https://bugzilla.netfilter.org/show_bug.cgi?id=616 --- Comment #4 from Phil Oester <netfilter at linuxace.com> 2013-07-08 23:33:07 CEST --- As noted, #2 is solved already. Also, /128 will no longer print (commit 945353a2). But your #1 makes little sense to me: discovery.razor.cloudmark.com/22. How do you know that EVERY IP returned from a DNS lookup is always going to be a /22 mask?

https://bugzilla.netfilter.org/show_bug.cgi?id=616 --- Comment #6 from Phil Oester <netfilter at linuxace.com> 2013-07-09 03:50:27 CEST --- Yes, I fully understand what is happening in the one specific example you have provided. However you need to answer what happens if Cloudmark suddenly decides to add an IP _OUTSIDE_ of that /22 that is assigned to them. Let's say they open a new

https://bugzilla.netfilter.org/show_bug.cgi?id=616 --- Comment #8 from Phil Oester <netfilter at linuxace.com> 2013-07-09 15:56:45 CEST --- (In reply to comment #7) > It is the duty of the software to properly execute that policy. Here, the > software fails to do so because it produces duplicate redundant rules which are > never used. And where is it documented that the software

http://bugzilla.netfilter.org/show_bug.cgi?id=597 Summary: ip6tables connlimit - cannot set CIDR greater than 32 (includes fix) Product: iptables Version: unspecified Platform: All OS/Version: All Status: NEW Severity: major Priority: P1 Component: ip6tables AssignedTo: laforge

http://bugzilla.netfilter.org/show_bug.cgi?id=630 Summary: Enhancement: Allow rules to specify ICMP type ranges. Product: iptables Version: unspecified Platform: All URL: http://www.ietf.org/rfc/rfc4890.txt OS/Version: All Status: NEW Severity: enhancement Priority: P5 Component: ip6tables

https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=108 laforge@netfilter.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |WORKSFORME ------- Additional Comments From

https://bugzilla.netfilter.org/show_bug.cgi?id=892 Summary: ip6tables --match policy needs to accept IPv4 addresses for --tunnel-src and --tunnel-dst Product: iptables Version: 1.4.x Platform: All OS/Version: All Status: NEW Severity: enhancement Priority: P5 Component: ip6tables

Hi, I''m trying to use HTB for IPv6 packets. In the LARTC archive I found a thread on this issue where a solution was described. The idea is to mark a user-defined chain then use the fwmark for filtering. However my attempt wasn''t successful. I''m thinking of trying my luck with the u32 filter. This is what I did, any comment is greatly appreciated. Thank you all. tc

http://bugzilla.netfilter.org/show_bug.cgi?id=742 Summary: ip6tables "-m iprange" ipv6 range detection Product: netfilter/iptables Version: linux-2.6.x Platform: x86_64 OS/Version: SuSE Linux Status: NEW Severity: critical Priority: P5 Component: ip6_tables (kernel) AssignedTo:

https://bugzilla.netfilter.org/show_bug.cgi?id=1730 Bug ID: 1730 Summary: nft does not handle IPv6 addresses with embedded IPv4 addresses Product: nftables Version: 1.0.x Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: nft

CentOS 5.5, fully patched. I have a HE tunnel (tunnelbroker.net) IPv6 tunnel. This works pretty well and is simple to setup. Everything works fine. Until I try to set up an ip6tables firewall. eg if I try to view https://dnssec.surfnet.nl/?p=464 then the page never displays and the firewall shows kernel: IN=sit1 OUT=eth0 SRC=2001:0610:0001:40cd:0145:0100:0186:0033 DST=my.machine LEN=80 TC=0

Hello, shorewall6 seem to have problems duplicating the main routing table. shorewall6 tries to add the fe80::/64 route of every ipv6 configured interface to routing table 1. The first route applies but the other ones not. If i try to add the routes manually to routing table 1 i have to add the first fe80::/64 route and append not add the other ones. does not work: ip -6 route add table 1

hi It was not working when i applied the rules on the vpn card. But I wondered if maybe bridging of vpn and eth0 was messing this up. I thought it was enough to only apply it to the vpn card root at JOTVPN:~# brctl show bridge name bridge id STP enabled    interfaces bridge 8000.000c29638a7e no           eth0                                                                   vpn so I tried the

Hi all, I''m cleaning up some puppet manifests, and thought it would be a good opportunity to move from my own monolithic iptables/ip6tables modules to the official puppetlabs-firewall module. But... what''s the deal with IPv6? My first concern was that there is no easy way to have simple rules be applied to both iptables and ip6tables. Fair enough, I just wrote a simple wrapper