[Firehol-support] IPv6 support
Andreas Unterkircher
unki at netshadow.at
Tue Feb 8 10:08:01 GMT 2011
Hi Phil,
> This list has the occasional question about ipv6 support for firehol, which
> is not in the official tree.
>
> I created a few patches a while back which got it working well enough for my
> purposes. To try to make life a bit easier, so people don't have to apply the
> patches themselves, I've created a git reposiory with the changes applied.
Thanks for this patch. I was just giving it a try and noted a little
problem with the iptables command when directly used in firehol.conf
(as definied here in [1]).
If I placed the following line in firehol.conf
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
pure v4 firehol will invoke it as
/sbin/iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
With the IPv6 patch it expands this call to
both iptables_cmd -A FORWARD -i eth0 -o eth1 -j ACCEPT
leading to get this command executed for iptables & ip6tables. Not a
problem here, with just a interface match. But when I'm adding some v4
addresses (src, dst match) this one let firehol fail when it stumbles
over ip6tables failing on v4 addresses in its parameters.
IMHO for [1] it would be better to use a separate command for
"iptables" and introduce a new command "ip6tables" and not bundle this
with the both() function.
What do you think?
Regards,
Andreas
[1] http://firehol.sourceforge.net/commands.html?#iptables
More information about the Firehol-support
mailing list