In case of the DROP policy in the INPUT chain a host using IPv6 still might need to receive TCP packets for established connections, that is to have the rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT in its INPUT chain of ip6tables. For this feature to work the option CONFIG_NF_CONNTRACK_IPV6 needs to be enabled. Signed-off-by: Dmitry Rozhkov <dmitry.rozh...@linux.intel.com> --- features/netfilter/netfilter.cfg | 1 + 1 file changed, 1 insertion(+) diff --git a/features/netfilter/netfilter.cfg b/features/netfilter/netfilter.cfg index 8ecef4a..99fa30f 100644 --- a/features/netfilter/netfilter.cfg +++ b/features/netfilter/netfilter.cfg @@ -68,6 +68,7 @@ CONFIG_NETFILTER_XT_MATCH_U32=m # CONFIG_NF_DEFRAG_IPV4=m CONFIG_NF_CONNTRACK_IPV4=m +CONFIG_NF_CONNTRACK_IPV6=m CONFIG_NF_CONNTRACK_PROC_COMPAT=y CONFIG_IP_NF_IPTABLES=m CONFIG_IP_NF_MATCH_AH=m -- 2.7.4
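Review bot: The added `CONFIG_NF_CONNTRACK_IPV6=m` in the `@@ -68,6 +68,7 @@` hunk is only one of the pieces the rule in the commit message depends on, and the other pieces are not visible in this context. The neighbouring lines show the IPv4 table support (`CONFIG_IP_NF_IPTABLES=m`) and one xt match (`CONFIG_NETFILTER_XT_MATCH_U32=m`), but nothing here shows the IPv6 tables or the `conntrack` match being enabled, so please confirm that the rest of netfilter.cfg covers them, or add them in this patch so that the fragment is self-sufficient for the stated use case. Because the option is built as a module (`=m`), the rule will also fail to load on images that do not ship the resulting module, and with a DROP policy on INPUT that leaves established IPv6 connections without return traffic. A sentence in the commit message about which kernel module package the image needs would help integrators. The new option also depends on IPv6 being enabled in the kernel configuration, and if this fragment is applied to a configuration without IPv6 the line will be dropped silently, which may be worth a mention too.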