ebtables ipv6 support
Hi Guys,
We have a CentOS node that has support for ebtables with IPv6, we want the same on our centos 5 machine, which I believe the centos5 kernel doesn't include the module ebt_ip6 vs the centos6. Is there a way to add this, how would I go about compiling this module?
Re: ebtables ipv6 support
ebtables is a filter on the Linux bridge. It generally operates at layer 2 (although some basic filtering of higher level functionality is possible). If you want to filter at layer 3 can't you just use iptables?
Re: ebtables ipv6 support
We need to do filtering based on the vif. We are currently using it in conjunction with some third party software. Works fine with centos 6, we just need the IPv6 module for centos 5 and to know how to proceed in getting it added.
Re: ebtables ipv6 support
Sorry don't know how to make layer 2 software work as layer 3.
I'd suggest you ask the 3rd party.
Anyone else have any ideas?
Re: ebtables ipv6 support
I have, they suggest compiling it into the kernel, which I'm not too sure how to do.
Re: ebtables ipv6 support
Frankly IPv6 support is so broken in el5 that I'm not sure it should be used anyway.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
- Super Jamie
- Posts: 310
- Joined: 2014/01/10 23:44:51
Re: ebtables ipv6 support
The EL5 kernel was stabilised on 2.6.18, however the xtables support went into 2.6.20.
Red Hat were able to backport some of this to EL5, but not all of it, because they have an ABI guarantee to keep.
For example, ip6tables on EL5 has no stateful connection tracking, which is why the range of high numbered ports are just allowed in. Security!
So, can you just rebuild an EL5 kernel with the ebt_ip6 module? No.
The kernel build option for IPv6 support in ebtables is CONFIG_BRIDGE_EBT_IP6. You can see this config directive exists on EL6:
Code:
# egrep "EBT_IP" /boot/config-2.6.32-504.1.3.el6.x86_64
CONFIG_BRIDGE_EBT_IP=m
CONFIG_BRIDGE_EBT_IP6=m
but doesn't exist on EL5:
Code:
# egrep "EBT_IP" /boot/config-2.6.18-400.el5
CONFIG_BRIDGE_EBT_IP=m
So if you want IPv6 support in EL5's ebtables you'll need to get the xtables patches from 2.6.20 and backport it to 2.6.18 yourself.
If you're not a kernel developer who is very familiar with C programming and upstream Linux kernel changes around 2006-2009 this is probably not feasible.
Like others have said, don't use IPv6 on EL5. Don't roll out new EL5 systems full stop, it's almost end of life. Use something newer.
Failing that, try to do what you want to do using ip6tables instead of ebtables.
You also might be able to use the old ELRepo kernel-lt on EL5. It's a long-life upstream 3.2 kernel and probably has ebt_ip6 already compiled in: http://elrepo.org/linux/kernel/el5/
- Super Jamie
- Posts: 310
- Joined: 2014/01/10 23:44:51
Re: ebtables ipv6 support
I just tried that. It's in there:
Code:
# egrep EBT_IP /boot/config-3.2.66-1.el5.elrepo
CONFIG_BRIDGE_EBT_IP=m
CONFIG_BRIDGE_EBT_IP6=m
# modinfo ebt_ip6
filename: /lib/modules/3.2.66-1.el5.elrepo/kernel/net/bridge/netfilter/ebt_ip6.ko
license: GPL
author: Kuo-Lang Tseng <kuo-lang.tseng@intel.com>
description: Ebtables: IPv6 protocol packet match
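Added example, not part of any post in this thread: a small shell helper that repeats the egrep checks above but separates an option that was disabled at build time from one the config never mentions, which is the EL5 case and the reason a plain rebuild cannot produce ebt_ip6. The function names and the sample config files are constructed for illustration.

```shell
#!/bin/sh
# kconfig_state OPTION FILE
# Prints: module | builtin | not-set | absent | other | unreadable
#   not-set : option exists in the kernel tree but was switched off for this
#             build, so rebuilding with it enabled is possible
#   absent  : the file never mentions the option; this is the EL5 2.6.18 case
#             in the thread, where the tree has no such option (an option
#             whose dependencies are disabled is also omitted from the file)
kconfig_state() {
    opt=$1
    cfg=$2
    [ -r "$cfg" ] || { echo unreadable; return 0; }
    # Anchor on "OPT=" or the exact "is not set" comment so that
    # CONFIG_BRIDGE_EBT_IP does not also match CONFIG_BRIDGE_EBT_IP6.
    line=$(grep -E "^(${opt}=|# ${opt} is not set\$)" "$cfg" | tail -n 1)
    case $line in
        "${opt}=m") echo module ;;
        "${opt}=y") echo builtin ;;
        "# ${opt} is not set") echo not-set ;;
        "") echo absent ;;
        *) echo other ;;
    esac
}

# Constructed sample configs modelled on the egrep output quoted in the
# thread, plus one constructed "disabled" variant for contrast.
make_samples() {
    dir=$1
    printf '%s\n' 'CONFIG_BRIDGE_EBT_IP=m' 'CONFIG_BRIDGE_EBT_IP6=m' \
        > "$dir/config-el6"
    printf '%s\n' 'CONFIG_BRIDGE_EBT_IP=m' \
        > "$dir/config-el5"
    printf '%s\n' 'CONFIG_BRIDGE_EBT_IP=m' '# CONFIG_BRIDGE_EBT_IP6 is not set' \
        > "$dir/config-disabled"
}

tmp=$(mktemp -d)
make_samples "$tmp"
for f in el6 el5 disabled; do
    printf '%-10s %s\n' "$f" \
        "$(kconfig_state CONFIG_BRIDGE_EBT_IP6 "$tmp/config-$f")"
done
rm -rf "$tmp"
```

On a real host, point it at the running kernel's config, for example `kconfig_state CONFIG_BRIDGE_EBT_IP6 "/boot/config-$(uname -r)"`.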
Re: ebtables ipv6 support
These are for existing servers, and the IPv6 seems to work fine, just need this last piece of the puzzle.
The only issue with using elrepo repo is we are using Xen at the moment. These are existing nodes, we wouldn't consider using CentOS 5 for a new deployment.
- Super Jamie
- Posts: 310
- Joined: 2014/01/10 23:44:51
Re: ebtables ipv6 support
Then your options are to switch from paravirt (kernel-xen) to full virt (kernel and kernel-lt) or use ip6tables instead.