On 6/4/10 5:48 AM, Lonnie Abelbeck wrote:
> On Jun 3, 2010, at 10:54 PM, James Babiak wrote:
>
>> Hey,
>>
>> Recently I've been playing around with ipv6 and using he.net's very awesome
>> and free ipv6 tunnel broker service (just got my Sage certification,
>> woohoo!). With almost no effort, I was able to manually bring up the he.net
>> tunnel on my astlinux box, configure my /64 on the lan side, and use radvd
>> to route the traffic. After a bit more effort, I was even able to tunnel
>> ipv6 inside my openvpn tunnel to remote client computers (double tunnel).
>> All very fun and exciting stuff to say the least.
>>
> Cool.
>
>> But I was curious to see if Astlinux supported any easy and native way of
>> setting up ipv6 support. I get in the habit of doing things manually and
>> forget that a lot of the stuff is more easily configurable in the GUI or
>> conf files. So I did a bit of Googling and found some old message from Kris
>> about enabling IPV6. It was from a long time ago, and there wasn't much in
>> it, so I started looking around. I found a relevant rc.conf variable
>> (IPV6=yes) and saw that it did a few things in the init scripts like loading
>> the ipv6 kernel module, enabling ipv6 ftp and ssh support, etc. Not a
>> perfect solution, since I would have to still deal with a lot of things
>> manually, but I enabled it to cut down on some of the custom work.
>>
>> Everything seemed like it was going fine until I changed a firewall rule to
>> enable openvpn tunnel connections access to eth1. Using the GUI to reload
>> the firewall, I noticed a red warning that not all rules could be applied.
>> Curious as to what was causing the issue, I reloaded iptables manually and
>> saw this:
>>
>> http://pastebin.com/cEKT5SqJ
>>
>> I removed the IPV6=yes variable from /etc/rc.conf and tried again. All the
>> warnings disappeared and it reloaded fine (in the GUI as well).
>>
>> I did some more searching and messing around and I get those errors
>> regardless of whether using ipv6 or not. I can't find any init script that
>> changes anything iptables related based on that variable, but apparently it
>> does make a big difference.
>>
>> Now I am not an iptables/arno firewall guru, so my first question is: are
>> those warning messages very bad? Will it cause any issues with ipv4
>> iptables? I am a bit concerned because according to the arno firewall
>> configuration file:
>>
>> # (EXPERT SETTING!) Enable this if you want to enable IPv6 traffic support
>> # (and disable IPv4 support).
>> # -----------------------------------------------------------------------------
>> IPV6_SUPPORT=0
>>
>> It's still set to 0 in the config file like above, but it seems to imply the
>> loss of ipv4 support if ipv6 is enabled.
>>
> Yes, with the current version of Arno's firewall, iptables is set up as either
> only pure IPv4 or pure IPv6, not mixed. So any rules using NAT in IPv6 will
> show an error. Arno has talked about adding 'mixed' mode, but he has not had
> the time.
>
> If the rc.conf variable IPV6="yes" is set, then Arno's variable
> IPV6_SUPPORT=1 is automatically set, as you have noticed.
>
> Clearly there is work waiting to be done on this front.
>
> Lonnie
>

Lonnie:

IPv6 has no notion of "nat" because NAT is unnecessary. Indeed, "nat" was
created because IPv4 is limited to 2^32 addresses. IPv6 was created with a
2^128 address space so that we'll never run out.

Can you please look into what's involved in making all the "nat" stuff be a
no-op for IPv6?

Thanks.

_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users