Below is a little test script. Because the state command fails, I have to include the subsequent accept all statement to get v6 connections to work.
#!/bin/sh
# test script of "state" of ip6tables;
# iptables 1.4.13-r1 compiled with "ipv6";
# kernels: linux-3.4.3-gentoo linux-3.4.3-hardened each installed/fail
# firewall, conntrack, netfilter options compiled in.
# test is conducted by following two outbound connection attempts:
# ping6 2607:f8b0:4002:802::1011 (google v6)
# script below:
echo "Stopping; clearing v6 firewall and allowing everyone everywhere..."
# ip6tables -t nat -F
# ip6tables -t nat -X
ip6tables -t mangle -F
ip6tables -t mangle -X
ip6tables -F   # flush the filter table as well, or every run appends to the previous run's rules
ip6tables -X
ip6tables -P INPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT ACCEPT
# now we attempt outbound v6 connections:
ip6tables -A OUTPUT -j ACCEPT
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# this doesn't work; the test fails; the packet is not accepted; and the
# following statement is required to accept the incoming
# ip6tables -A INPUT -j ACCEPT # comment this line on/off to test the preceding
ip6tables -A INPUT -j DROP
Steps to Reproduce:
1. run the script with the accept all statement included; then with it commented out
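A hardened version of the same test, added here as an example; it is not the reporter's script and not code from Gentoo or netfilter upstream. It assumes ip6tables-restore and the conntrack match extension are present, and reuses the address the reporter pinged. It flushes the filter table (the test script only flushed mangle), uses the current spelling of the state match, and explicitly accepts ICMPv6 neighbour discovery, which is never ESTABLISHED/RELATED and is otherwise dropped by a trailing unconditional INPUT DROP.

```shell
#!/bin/sh
# Added example (not the reporter's script): a minimal stateful IPv6 filter
# loaded atomically with ip6tables-restore. Compared with the test above:
#   1. the filter table is flushed on load (ip6tables-restore does this
#      unless told --noflush), so repeated runs do not pile up rules;
#   2. -m conntrack --ctstate is the current form of -m state --state
#      (both need the IPv6 conntrack module in the kernel);
#   3. ICMPv6 types 133-136 (router/neighbour solicitation and
#      advertisement) are accepted explicitly; they are not tracked as
#      ESTABLISHED/RELATED, so dropping them breaks IPv6 on the link.
# The target address is the one the reporter pinged in the test script.

PING_TARGET="2607:f8b0:4002:802::1011"

# Print the ruleset in ip6tables-restore format; chain policies are set in
# the chain headers, so the load replaces the whole filter table at once.
build_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# neighbour discovery: RS, RA, NS, NA
-A INPUT -p ipv6-icmp --icmpv6-type 133 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 134 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 135 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 136 -j ACCEPT
# inbound echo request; our own ping6 replies are already ESTABLISHED
-A INPUT -p ipv6-icmp --icmpv6-type 128 -j ACCEPT
COMMIT
EOF
}

# Line number of the first ruleset line matching PATTERN (empty if none);
# lets rule ordering be checked without touching the kernel.
rule_line() {
    build_ruleset | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Number of ACCEPT rules covering the NDP range 133-136.
ndp_rule_count() {
    build_ruleset | grep -c -- '--icmpv6-type 13[3-6] -j ACCEPT'
}

# True if ip6tables can load the conntrack match extension on this system.
conntrack_match_available() {
    ip6tables -m conntrack --help >/dev/null 2>&1
}

# Load the ruleset, then repeat the reporter's connectivity check.
apply_ruleset() {
    conntrack_match_available || { echo "conntrack match not available" >&2; return 1; }
    build_ruleset | ip6tables-restore || return 1
    ping6 -c 1 "$PING_TARGET"
}

# Only act when asked, so sourcing the file has no side effects:
#   sh stateful6.sh show    (print the ruleset)
#   sh stateful6.sh apply   (load it as root and ping the target)
case "${1:-}" in
    apply) apply_ruleset ;;
    show)  build_ruleset ;;
esac
```

Loading through ip6tables-restore rather than a sequence of `ip6tables -A` calls means there is never a window where the table is half-built, and `show` lets the ruleset be reviewed before it is committed.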
Have you reported this upstream?
If you'd prefer, I will. Would appreciate it if you'd run the script and confirm that it fails on your box as well.
O.K. I've filed directly with Iptables and will discuss with them.
Please mark this as handed upstream, irrelevant, removed, fixed, dismissed, or anything else standard and remove any record of my having been here.
Can you fill in the URL field with the relevant bug report/mailing list?
This bug was reported to upstream and tracked by upstream as http://bugzilla.netfilter.org/show_bug.cgi?id=796
Maybe someone could set $URL?
Also, as you can see, the reporter says the bug report is invalid, because it was a 6to4 error. So the Gentoo bug report should also be closed according to upstream's bug state.