iptables-Module mit 05er FW / aktuellem Trunk

[olistudent]

The AVM closed kernel modules won't load. So you will not be able to use DSL...

Regards
Oliver

 

[poruid]

When having both nf_contrack* and AVM's generic conntracking modules loaded the system log show many messages like:

avm_pa "pid changed for"

and connections to the Internet become slow and http requests yield incomplete pages. It seems some IP packages are lost.

It seems that a statefull firewall, i.e. a filrewall with iptables rules with a state match, which depends on xt_state that itself depends on nf_conntrack*, is yet not feasible with a firmware based on the AVM 05 firmware. So for the time being it's back to freetz 1.2 (which is based on the AVM 04 firmware and the 2.6.19.2 kernel. (And since I use dnsmasq to do router adverticement, DHCP6 and local IPv6 DNS, radvd cannot do the two latter two functions, I've backported dnsmasq 2.63 to freetz 1.2.).

I've not yet tried a 05 based firmware with AVM_PA and GENERIC_CONNTRACK modules disabled. I report the results once I had the possibility to test that.

 

[JohnDoe42]

Hi,

in my case a 7270v3 with a current trunk-image (based on the 74.05.22) and a replaced kernel all stateful rules are being carried out, in particular something like that:

iptables -A TRANS -m state --state RELATED,ESTABLISHED -j ACCEPT

Greetz,

JD.

 

[poruid]

@JD, did you disable AVM_PA and GENERIC_CONNTRACK in the kernel config?
P

 

[JohnDoe42]

No, I didn't disable any of both.
Do you know if these kernels are correct ?

7270v2: 2.6.32.21 (with non-replaced kernel)
7270v3: 2.6.26.41

See also here.

Greets,

JD.