[Firehol-support] IPv6 support

Phil Whineray phil.whineray at gmail.com
Tue Feb 8 20:15:20 CET 2011


Hi Andreas

On 8 February 2011 10:08, Andreas Unterkircher <unki at netshadow.at> wrote:
> Thanks for this patch. I was just giving it a try and noted a little problem
> with the iptables command when directly used in firehol.conf (as defined
> here in [1]).

Thanks for the input.

> If I placed the following line in firehol.conf
>
> iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
>
> pure v4 firehol will invoke it as
>
> /sbin/iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
>
> With the IPv6 patch it expands this call to
>
> both iptables_cmd -A FORWARD -i eth0 -o eth1 -j ACCEPT
>
> leading to get this command executed for iptables & ip6tables. Not a problem
> here, with just an interface match. But when I'm adding some v4 addresses
> (src, dst match) this one lets firehol fail when it stumbles over ip6tables
> failing on v4 addresses in its parameters.

Actually, the parameters should be checked, and if there are IPv4-only or
IPv6-only parameters they should be detected and only that version
run.

I appreciate it changes the meaning of "iptables" in the context of
    http://firehol.sourceforge.net/commands.html?#iptables
but I think it makes life easier if this is adjusted to call the
correct executable, taking account of the context. Then I only need to
apply specific syntax if that's exactly what I mean e.g.:

  ipv4 iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

> IMHO for [1] it would be better to use a separate command for "iptables" and
> introduce a new command "ip6tables" and not bundle this with the both()
> function.
>
> What do you think?

Is the behaviour causing you a problem? It could be that you are running
into a problem with the auto-detection.

I don't object as such to the idea of changing the command name but
for my own part I don't think it's really needed.

I just tried a quick test and, provided you don't try to mix and match IPv6
and IPv4 parameters, it should pretty much do the right thing, i.e. the
following:

pdw at pdw-compaq:~/src/fireholvi$ cat test.conf
version 5

interface eth0 lan
	policy deny

interface wlan0 wan
	policy deny

iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT -s "192.168.168.168"
iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT -s "fe80::9999"

pdw at pdw-compaq:~/src/fireholvi$ sudo ./firehol.sh test.conf
FireHOL: Saving your old firewall to a temporary file: OK
FireHOL: Processing file test.conf: OK
FireHOL: Activating new firewall (31 rules): OK
Keep the firewall? (type 'commit' to accept - 30 seconds timeout) : commit

Successfull activation of FireHOL firewall.
pdw at pdw-compaq:~/src/fireholvi$ sudo iptables -n -L FORWARD
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  192.168.168.168      0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix `PASS-unknown:'
DROP       all  --  0.0.0.0/0            0.0.0.0/0

pdw at pdw-compaq:~/src/fireholvi$ sudo ip6tables -n -L FORWARD
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all      fe80::9999/128       ::/0
ACCEPT     all      ::/0                 ::/0                state RELATED
LOG        all      ::/0                 ::/0                limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix `PASS-unknown:'
DROP       all      ::/0                 ::/0

Regards
Phil
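Added example, not FireHOL's code and not Phil's patch: a small POSIX-shell sketch of the auto-detection described above, where the address arguments of an "iptables ..." line decide whether the rule goes to iptables, ip6tables, or both, and a rule that mixes the two families is rejected instead of being pushed into ip6tables to fail. The names addr_family, args_family, run_iptables, IPTABLES_CMD and IP6TABLES_CMD are this example's own; the rule lines fed to it are the ones from the mail plus one constructed mixed rule.

```shell
#!/bin/sh
# Added example (not FireHOL code): decide which netfilter tool an
# "iptables ..." line in firehol.conf belongs to by inspecting its
# address arguments. All names below are the example's own.

# Binaries to dispatch to; override with "echo ..." for a dry run.
IPTABLES_CMD=${IPTABLES_CMD:-/sbin/iptables}
IP6TABLES_CMD=${IP6TABLES_CMD:-/sbin/ip6tables}

# addr_family ADDR[/PREFIX]: print ipv4, ipv6 or unknown.
# Heuristic only: a colon means IPv6, four dotted numeric fields mean
# IPv4, anything else (hostnames, typos) is left undecided.
addr_family() {
    local a="${1%/*}"                       # drop an optional /prefix
    case "$a" in
        *:*)            echo ipv6 ;;
        *[!0-9.]*)      echo unknown ;;     # letters etc.: not a v4 literal
        *.*.*.*.*)      echo unknown ;;     # too many fields
        *.*.*.*)        echo ipv4 ;;
        *)              echo unknown ;;
    esac
}

# args_family ARGS...: scan an iptables argument list and print
#   ipv4  - only IPv4 literals seen   -> run iptables only
#   ipv6  - only IPv6 literals seen   -> run ip6tables only
#   both  - no address literals seen  -> run both (interface/port-only rules)
#   mixed - both families in one rule -> reject
args_family() {
    local seen4=0 seen6=0 want=0 a f
    for a in "$@"; do
        if [ "$want" -eq 1 ]; then
            case "$a" in
                '!') continue ;;            # "-s ! ADDR" negation token
            esac
            f=$(addr_family "$a")
            want=0
        else
            case "$a" in
                -s|-d|--source|--destination|--src|--dst)
                    want=1; continue ;;
                --source=*|--destination=*|--src=*|--dst=*)
                    f=$(addr_family "${a#*=}") ;;
                *)  continue ;;
            esac
        fi
        case "$f" in
            ipv4) seen4=1 ;;
            ipv6) seen6=1 ;;
        esac
    done
    if [ "$seen4" -eq 1 ] && [ "$seen6" -eq 1 ]; then echo mixed
    elif [ "$seen4" -eq 1 ]; then echo ipv4
    elif [ "$seen6" -eq 1 ]; then echo ipv6
    else echo both
    fi
}

# run_iptables ARGS...: run the rule under the tool(s) its arguments fit.
run_iptables() {
    case "$(args_family "$@")" in
        ipv4)  $IPTABLES_CMD "$@" ;;
        ipv6)  $IP6TABLES_CMD "$@" ;;
        both)  $IPTABLES_CMD "$@" && $IP6TABLES_CMD "$@" ;;
        mixed) echo "run_iptables: IPv4 and IPv6 addresses in one rule: $*" >&2
               return 1 ;;
    esac
}

# Dry run over the rules from the mail plus one constructed mixed rule.
(
    IPTABLES_CMD="echo iptables"; IP6TABLES_CMD="echo ip6tables"
    run_iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
    run_iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT -s 192.168.168.168
    run_iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT -s fe80::9999
    run_iptables -A FORWARD -s 10.0.0.0/8 -d 2001:db8::/32 -j ACCEPT || :
)
```

The dry run prints the interface-only FORWARD rule twice (once per tool), sends the 192.168.168.168 and fe80::9999 rules to iptables and ip6tables respectively, and refuses the mixed rule. Only -s/-d style address options are inspected; match modules that take addresses elsewhere (iprange, conntrack's --ctorigsrc and the like) would need their own cases.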
