[linux-yocto] [yocto-kernel-cache][PATCH] netfilter: enable connection tracking for IPv6
Bruce Ashfield
bruce.ashfield at windriver.com
Thu Dec 15 07:56:41 PST 2016
On 2016-12-12 10:04 AM, Dmitry Rozhkov wrote:
> In case of the DROP policy in the INPUT chain a host using IPv6 still
> might need to receive TCP packets for established connections, that is
> to have the rule
>
> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>
> in its INPUT chain of ip6tables. For this feature to work the option
> CONFIG_NF_CONNTRACK_IPV6 needs to be enabled.
Sorry for the delay, I managed to overlook this.
merged
Bruce
>
> Signed-off-by: Dmitry Rozhkov <dmitry.rozhkov at linux.intel.com>
> ---
> features/netfilter/netfilter.cfg | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/features/netfilter/netfilter.cfg b/features/netfilter/netfilter.cfg
> index 8ecef4a..99fa30f 100644
> --- a/features/netfilter/netfilter.cfg
> +++ b/features/netfilter/netfilter.cfg
> @@ -68,6 +68,7 @@ CONFIG_NETFILTER_XT_MATCH_U32=m
> #
> CONFIG_NF_DEFRAG_IPV4=m
> CONFIG_NF_CONNTRACK_IPV4=m
> +CONFIG_NF_CONNTRACK_IPV6=m
> CONFIG_NF_CONNTRACK_PROC_COMPAT=y
> CONFIG_IP_NF_IPTABLES=m
> CONFIG_IP_NF_MATCH_AH=m
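Review bot: The new CONFIG_NF_CONNTRACK_IPV6=m line lands between CONFIG_NF_CONNTRACK_IPV4=m and CONFIG_NF_CONNTRACK_PROC_COMPAT=y, in a group whose other visible entries are all IPv4 (CONFIG_NF_DEFRAG_IPV4, CONFIG_NF_CONNTRACK_IPV4, CONFIG_IP_NF_IPTABLES). The IPv4 side also lists its defrag option explicitly, while no CONFIG_NF_DEFRAG_IPV6=m is added next to it. Suggest moving the line to the fragment's IPv6 options if it has such a group, and either adding the defrag counterpart for symmetry or stating in the commit message that it comes in through a dependency. It is also worth confirming that the fragment enables the ip6tables options the commit message's rule relies on, since this hunk does not show them.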
>
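A check for the dependency the commit message describes, as an added example that is not part of the original thread or of yocto-kernel-cache: it reads an ip6tables-save style dump and a kernel config fragment and reports whether the RELATED,ESTABLISHED rule has the options it needs. The function name, the verdict strings, the CONFIG_NETFILTER_XT_MATCH_CONNTRACK requirement and the sample files are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: cross-check an ip6tables ruleset against a kernel config fragment.
# The first symbol comes from the patch; the second (the xt "conntrack" match
# itself) is an assumption added for this example.
REQUIRED_SYMS="CONFIG_NF_CONNTRACK_IPV6 CONFIG_NETFILTER_XT_MATCH_CONNTRACK"

# check_ip6_conntrack CONFIG RULES -> prints one verdict, returns 0 only when fine
check_ip6_conntrack() {
    cfg=$1
    rules=$2
    # Only a DROP policy on INPUT makes the stateful ACCEPT rule necessary.
    grep -q '^:INPUT DROP' "$rules" || { echo "policy-not-drop"; return 0; }
    # Look for an INPUT rule that accepts ESTABLISHED traffic via conntrack.
    if ! grep -Eq '^-A INPUT .*-m conntrack .*--ctstate [A-Z,]*ESTABLISHED.* -j ACCEPT' "$rules"; then
        echo "missing-rule"
        return 1
    fi
    missing=""
    for sym in $REQUIRED_SYMS; do
        # Built-in (=y) and module (=m) both satisfy the rule.
        grep -Eq "^${sym}=[ym]\$" "$cfg" || missing="${missing:+$missing,}$sym"
    done
    if [ -n "$missing" ]; then
        echo "missing-config:$missing"
        return 1
    fi
    echo "ok"
}

# Constructed sample input: the fragment before and after the patch, plus a ruleset.
tmp=$(mktemp -d)
printf '%s\n' 'CONFIG_NF_CONNTRACK_IPV4=m' \
    'CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m' > "$tmp/before.cfg"
{ cat "$tmp/before.cfg"; echo 'CONFIG_NF_CONNTRACK_IPV6=m'; } > "$tmp/after.cfg"
printf '%s\n' '*filter' ':INPUT DROP [0:0]' \
    '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
    'COMMIT' > "$tmp/rules.v6"

check_ip6_conntrack "$tmp/before.cfg" "$tmp/rules.v6" || true  # missing-config:CONFIG_NF_CONNTRACK_IPV6
check_ip6_conntrack "$tmp/after.cfg" "$tmp/rules.v6"           # ok
```

On a running target the same function can be pointed at the output of `ip6tables-save` and at the kernel's own config file.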