CentOS

Hi Guys,

We have a CentOS node that has support for ebtables with IPv6, we want the same on our centos 5 machine, which I believe the centos5 kernel doesn't include the module ebt_ip6 vs the centos6. Is there a way to add this, how would I go about compiling this module?

ebtables is a filter on the Linux bridge. It generally operates at layer 2 (although some basic filtering of higher level functionality is possible). If you want to filter at layer 3 can't you just use iptables?

We need to do filtering basic on the vif. We are currently using it in conjunction with some third party software. Works fine with centos 6 we just need the IPv6 module for centos 5 and no how to proceed in getting it added.

Sorry don't know how to make layer 2 software work as layer 3.

I'd suggest you ask the 3rd party.

Anyone else have any ideas?

I have they suggest compiling it into the kernel, which I'm not too sure how to do?

Frankly IPV6 support is so broken in el5 that I'm not sure it should be used anyway

The EL5 kernel was stabilised on 2.6.18, however the xtables support went into 2.6.20.

Red Hat were able to backport some of this to EL5, but not all of it, because they have an ABI guarantee to keep.

For example, ip6tables on EL5 has no stateful connection tracking, which is why the range of high numbered ports are just allowed in. Security!

So, can you just rebuild an EL5 kernel with the ebt_ip6 module? No.

The kernel build option for IPv6 support in ebtables is CONFIG_BRIDGE_EBT_IP6. You can see this config directive exists on EL6:
but doesn't exist on EL5: So if you want IPv6 support in EL5's ebtables you'll need to get the xtables patches from 2.6.20 and backport it to 2.6.18 yourself.

If you're not a kernel developer who is very familiar with C programming and upstream Linux kernel changes around 2006-2009 this is probably not feasible.

Like others have said, don't use IPv6 on EL5. Don't roll out new EL5 systems full stop, it's almost end of life. Use something newer.

Failing that, try to do what you want to do using ip6tables instead of ebtables.

You also might be able to use the old ELRepo kernel-lt on EL5. It's a long-life upstream 3.2 kernel and probably has ebt_ip6 already compiled in: http://elrepo.org/linux/kernel/el5/

I just tried that. It's in there:

These are for existing servers, and the IPv6 seems to work as fine, just need this last piece of the puzzle.

The only issue with using elrepo repo is we are using Xen at the moment. These are existing nodes, we wouldn't consider using CentOS 5 for a new deployment.

Then your options are to switch from paravirt (kernel-xen) to full virt (kernel and kernel-lt) or use ip6tables instead.