sid3windr
commented
8 years ago In the meanwhile I do understand why it's there - any kernel without nat support for ipv6 will break if the nat table header file is included in the iptables-restore file. This feature was introduced in Linux kernel 3.9.
However this means that:
- If a user creates nat-table ipv6 rules through this module, on an older kernel, the file will not load as those rules are not valid for the filter table.
- If a user creates nat-table ipv6 rules through this module, on a recent enough kernel, the file will not load as, while the rules are valid, the *nat table header is not being included.
File not loading is not great, as this means none of the specified rules will apply and the box will be wide open over ipv6... :(
I'm not too sure what the right solution is here... Kernel version check?
alvagante
Not sure why this is there, but there is an if !$is_ipv6 {} block around the NAT table header/footer concat emitter.
Creating rules with table => 'nat' is allowed, however, but this means they end up without a header/footer, causing rules to obviously fail.
Removing the if block fixes things.