ebtables ipv6 support

dan223
Posts: 64
Joined: 2006/11/13 18:12:14

ebtables ipv6 support

Postby dan223 » 2015/01/12 16:14:29

Hi Guys,

We have a CentOS node that has support for ebtables with IPv6, and we want the same on our CentOS 5 machine. I believe the CentOS 5 kernel doesn't include the ebt_ip6 module, unlike CentOS 6. Is there a way to add this? How would I go about compiling this module?

aks
Posts: 2498
Joined: 2014/09/20 11:22:14

Re: ebtables ipv6 support

Postby aks » 2015/01/12 18:20:14

ebtables is a filter on the Linux bridge. It generally operates at layer 2 (although some basic filtering of higher-level functionality is possible). If you want to filter at layer 3, can't you just use iptables?

dan223
Posts: 64
Joined: 2006/11/13 18:12:14

Re: ebtables ipv6 support

Postby dan223 » 2015/01/12 19:13:48

We need to do basic filtering on the vif. We are currently using it in conjunction with some third-party software. It works fine with CentOS 6; we just need the IPv6 module for CentOS 5 and need to know how to proceed in getting it added.

aks
Posts: 2498
Joined: 2014/09/20 11:22:14

Re: ebtables ipv6 support

Postby aks » 2015/01/13 18:38:55

Sorry, I don't know how to make layer 2 software work as layer 3.

I'd suggest you ask the 3rd party.

Anyone else have any ideas?

dan223
Posts: 64
Joined: 2006/11/13 18:12:14

Re: ebtables ipv6 support

Postby dan223 » 2015/01/13 19:30:13

I have; they suggest compiling it into the kernel, which I'm not too sure how to do.

TrevorH
Forum Moderator
Posts: 21018
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: ebtables ipv6 support

Postby TrevorH » 2015/01/13 19:58:47

Frankly, IPv6 support is so broken in el5 that I'm not sure it should be used anyway :-(
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

Super Jamie
Posts: 308
Joined: 2014/01/10 23:44:51

Re: ebtables ipv6 support

Postby Super Jamie » 2015/01/14 11:32:31

The EL5 kernel was stabilised on 2.6.18, however the xtables support went into 2.6.20.

Red Hat were able to backport some of this to EL5, but not all of it, because they have an ABI guarantee to keep.

For example, ip6tables on EL5 has no stateful connection tracking, which is why the range of high numbered ports are just allowed in. Security!

So, can you just rebuild an EL5 kernel with the ebt_ip6 module? No.

The kernel build option for IPv6 support in ebtables is CONFIG_BRIDGE_EBT_IP6. You can see this config directive exists on EL6:

Code:

# egrep "EBT_IP" /boot/config-2.6.32-504.1.3.el6.x86_64
CONFIG_BRIDGE_EBT_IP=m
CONFIG_BRIDGE_EBT_IP6=m

but doesn't exist on EL5:

Code:

# egrep "EBT_IP" /boot/config-2.6.18-400.el5
CONFIG_BRIDGE_EBT_IP=m

So if you want IPv6 support in EL5's ebtables, you'll need to get the xtables patches from 2.6.20 and backport them to 2.6.18 yourself.

If you're not a kernel developer who is very familiar with C programming and upstream Linux kernel changes around 2006-2009, this is probably not feasible.

Like others have said, don't use IPv6 on EL5. Don't roll out new EL5 systems full stop, it's almost end of life. Use something newer.

Failing that, try to do what you want to do using ip6tables instead of ebtables.

You also might be able to use the old ELRepo kernel-lt on EL5. It's a long-life upstream 3.2 kernel and probably has ebt_ip6 already compiled in: http://elrepo.org/linux/kernel/el5/

Super Jamie
Posts: 308
Joined: 2014/01/10 23:44:51

Re: ebtables ipv6 support

Postby Super Jamie » 2015/01/14 12:29:09

I just tried that. It's in there:

Code:

# egrep EBT_IP /boot/config-3.2.66-1.el5.elrepo
CONFIG_BRIDGE_EBT_IP=m
CONFIG_BRIDGE_EBT_IP6=m

# modinfo ebt_ip6
filename:       /lib/modules/3.2.66-1.el5.elrepo/kernel/net/bridge/netfilter/ebt_ip6.ko
license:        GPL
author:         Kuo-Lang Tseng <kuo-lang.tseng@intel.com>
description:    Ebtables: IPv6 protocol packet match
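
The config check used in the two posts above, extended to every kernel config under /boot and to a yes/no answer for one kernel release. This is an added example, not code from any poster in the thread; the function names are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify how a kernel build config
# treats the ebtables IPv6 match, CONFIG_BRIDGE_EBT_IP6.

# ebt_ip6_status FILE -> prints module | builtin | disabled | absent | unreadable
ebt_ip6_status() {
    cfg=$1
    [ -r "$cfg" ] || { echo "unreadable"; return 2; }
    # Require the trailing "6" plus "=" or " " so the IPv4 option
    # CONFIG_BRIDGE_EBT_IP is never counted as a hit.
    line=$(grep -E '^(# )?CONFIG_BRIDGE_EBT_IP6[= ]' "$cfg" | head -n 1)
    case $line in
        CONFIG_BRIDGE_EBT_IP6=m) echo "module" ;;
        CONFIG_BRIDGE_EBT_IP6=y) echo "builtin" ;;
        # Known to this kernel tree but switched off: a rebuild could enable it.
        "# CONFIG_BRIDGE_EBT_IP6 is not set") echo "disabled" ;;
        # Not mentioned at all, as on the EL5 2.6.18 config shown in the
        # thread: the tree has no such option, so rebuilding will not help.
        *) echo "absent" ;;
    esac
}

# audit_kernels [DIR] -> one "config-file status" line per kernel config found
audit_kernels() {
    dir=${1:-/boot}
    for f in "$dir"/config-*; do
        [ -e "$f" ] || continue
        printf '%s %s\n' "${f##*/}" "$(ebt_ip6_status "$f")"
    done
}

# kernel_supports_ebt_ip6 DIR RELEASE -> exit 0 only if that release ships ebt_ip6
kernel_supports_ebt_ip6() {
    case $(ebt_ip6_status "$1/config-$2") in
        module|builtin) return 0 ;;
        *) return 1 ;;
    esac
}

# Run the audit only when a directory is given, e.g.: sh ebt6-audit.sh /boot
if [ "$#" -gt 0 ]; then
    audit_kernels "$1"
fi
```

On a bridge host it is worth running `kernel_supports_ebt_ip6 /boot "$(uname -r)"` before loading any IPv6 ebtables rules, since a kernel reported as "absent" cannot enforce them.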

dan223
Posts: 64
Joined: 2006/11/13 18:12:14

Re: ebtables ipv6 support

Postby dan223 » 2015/01/14 14:10:10

These are for existing servers, and the IPv6 seems to work fine; we just need this last piece of the puzzle.

The only issue with using elrepo repo is we are using Xen at the moment. These are existing nodes, we wouldn't consider using CentOS 5 for a new deployment.

Super Jamie
Posts: 308
Joined: 2014/01/10 23:44:51

Re: ebtables ipv6 support

Postby Super Jamie » 2015/01/14 14:12:59

Then your options are to switch from paravirt (kernel-xen) to full virt (kernel and kernel-lt) or use ip6tables instead.