[linux-yocto] [yocto-kernel-cache][PATCH] netfilter: enable connection tracking for IPv6
Dmitry Rozhkov
dmitry.rozhkov at linux.intel.com
Mon Dec 12 07:04:10 PST 2016
In case of the DROP policy in the INPUT chain a host using IPv6 still
might need to receive TCP packets for established connections, that is
to have the rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
in its INPUT chain of ip6tables. For this feature to work the option
CONFIG_NF_CONNTRACK_IPV6 needs to be enabled.
Signed-off-by: Dmitry Rozhkov <dmitry.rozhkov at linux.intel.com>
---
features/netfilter/netfilter.cfg | 1 +
1 file changed, 1 insertion(+)
diff --git a/features/netfilter/netfilter.cfg b/features/netfilter/netfilter.cfg
index 8ecef4a..99fa30f 100644
--- a/features/netfilter/netfilter.cfg
+++ b/features/netfilter/netfilter.cfg
@@ -68,6 +68,7 @@ CONFIG_NETFILTER_XT_MATCH_U32=m
#
CONFIG_NF_DEFRAG_IPV4=m
CONFIG_NF_CONNTRACK_IPV4=m
+CONFIG_NF_CONNTRACK_IPV6=m
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_AH=m
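Review bot: The new `CONFIG_NF_CONNTRACK_IPV6=m` line is inserted in the middle of the IPv4 block, between `CONFIG_NF_CONNTRACK_IPV4=m` and the `CONFIG_IP_NF_*` options, and it has no IPv6 counterpart to the explicit `CONFIG_NF_DEFRAG_IPV4=m` two lines above it. Consider moving it next to the other IPv6 netfilter options in this fragment and listing `CONFIG_NF_DEFRAG_IPV6=m` alongside it, so that the fragment states the dependency the same way it does for IPv4 instead of relying on Kconfig to select it. The commit message could also say whether the ip6tables and conntrack match options needed by the quoted rule are already enabled elsewhere in netfilter.cfg, since neither is visible in this hunk.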
--
2.7.4