[Firehol-devs] IPv6 support

Phil Whineray phil at sanewall.org
Sun Feb 9 08:19:31 GMT 2014


Hi Andreas

On 12 January 2014 12:50, Phil Whineray <phil at sanewall.org> wrote:
> On Sun, Jan 12, 2014 at 11:55:47AM +0100, Andreas Unterkircher wrote:
>> >Looking at your example I think I should look at making the group with
>> >command keep the ipv4 decoration for the enclosed rules, and maybe add
>> >group4 and group6 synonyms.
>>
>> I also think this would be a good idea.
>> Having to prefix everything with "ipv4" or "ipv6" makes reading the
>> ruleset hard.
>>
>> IMHO it would be great if you start a group4, everything nested is
>> ipv4 only (respectively ipv6 if group6). But it could get a bit
>> nasty if multiple groups are nested and you need to keep track of
>> an "ipvX" flag.
>
> I've created an issue to track it:
>   https://github.com/ktsaou/firehol/issues/18
>
> Nesting ipv6 within ipv4 etc. is prohibited currently because it makes
> very little sense. I will keep those semantics.
>
> The possibility of nesting groups within groups adds a little more
> complexity but hopefully should be manageable.

The latest ipv6 build includes some code which will allow you to
create ipv4 or ipv6 only groups within a combined interface or router.

It should be possible to nest groups but you can't nest ipv4 within an
ipv6 group nor the reverse, so once you have specified it, further
sub-groups are fixed. I don't think this will matter much, provided
you start with the more general groups higher up.

See http://firehol.org/download/unsigned/ipv6/

Cheers
Phil


