[Firehol-support] IPv6 support
Phil Whineray
phil.whineray at gmail.com
Tue Feb 8 19:15:20 GMT 2011
Hi Andreas
On 8 February 2011 10:08, Andreas Unterkircher <unki at netshadow.at> wrote:
> Thanks for this patch. I was just giving it a try and noted a little problem
> with the iptables command when directly used in firehol.conf (as defined
> here in [1]).
Thanks for the input.
> If I placed the following line in firehol.conf
>
> iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
>
> pure v4 firehol will invoke it as
>
> /sbin/iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
>
> With the IPv6 patch it expands this call to
>
> both iptables_cmd -A FORWARD -i eth0 -o eth1 -j ACCEPT
>
> leading to this command getting executed for iptables & ip6tables. Not a problem
> here, with just an interface match. But when I'm adding some v4 addresses
> (src, dst match) this one lets firehol fail when it stumbles over ip6tables
> failing on v4 addresses in its parameters.
Actually, the parameters should be checked and if there are IPv4 or
IPv6 only parameters they should be detected and only that version
run.
I appreciate it changes the meaning of "iptables" in the context of
http://firehol.sourceforge.net/commands.html?#iptables
but I think it makes life easier if this is adjusted to call the
correct executable taking account of the context. Then I only need to
apply specific syntax if that's exactly what I mean, e.g.:
ipv4 iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
> IMHO for [1] it would be better to use a separate command for "iptables" and
> introduce a new command "ip6tables" and not bundle this with the both()
> function.
>
> What do you think?
Is the behaviour causing you a problem? It could be that you are running
into a problem with the auto-detection.
I don't object as such to the idea of changing the command name but
for my own part I don't think it's really needed.
I just tried a quick test and provided you don't try to mix and match IPv6
and IPv4 parameters it should pretty much do the right thing i.e. the
following:
pdw at pdw-compaq:~/src/fireholvi$ cat test.conf
version 5
interface eth0 lan
policy deny
interface wlan0 wan
policy deny
iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT -s "192.168.168.168"
iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT -s "fe80::9999"
pdw at pdw-compaq:~/src/fireholvi$ sudo ./firehol.sh test.conf
FireHOL: Saving your old firewall to a temporary file: OK
FireHOL: Processing file test.conf: OK
FireHOL: Activating new firewall (31 rules): OK
Keep the firewall? (type 'commit' to accept - 30 seconds timeout) : commit
Successfull activation of FireHOL firewall.
pdw at pdw-compaq:~/src/fireholvi$ sudo iptables -n -L FORWARD
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- 192.168.168.168 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit:
avg 1/sec burst 5 LOG flags 0 level 4 prefix `PASS-unknown:'
DROP all -- 0.0.0.0/0 0.0.0.0/0
pdw at pdw-compaq:~/src/fireholvi$ sudo ip6tables -n -L FORWARD
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all fe80::9999/128 ::/0
ACCEPT all ::/0 ::/0 state RELATED
LOG all ::/0 ::/0 limit:
avg 1/sec burst 5 LOG flags 0 level 4 prefix `PASS-unknown:'
DROP all ::/0 ::/0
Regards
Phil
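The parameter check Phil describes (detect IPv4- or IPv6-only arguments and run only the matching tool, or both when neither appears) as an added sketch; this is not FireHOL's own code, and the function names and /sbin paths are assumptions:

```shell
#!/bin/sh
# Added example, not FireHOL's own code: choose the executable(s) an
# "iptables ..." line in firehol.conf should reach by looking for IPv4
# or IPv6 address literals among its arguments, as proposed in the mail.

# True if the argument (optionally '!'-negated, with an optional /prefix)
# is a dotted-quad IPv4 address.
is_ipv4_literal() {
    a=${1#"!"}; a=${a%%/*}
    printf '%s\n' "$a" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
}

# True for an IPv6 address: hex groups separated by ':' and either
# compressed ("::") or with all eight groups (seven colons). Port ranges
# ("80:443") and MAC addresses (five colons, no "::") do not qualify.
is_ipv6_literal() {
    a=${1#"!"}; a=${a%%/*}
    printf '%s\n' "$a" | grep -Eq '^[0-9A-Fa-f:.]+$' || return 1
    case "$a" in *::*) return 0 ;; esac
    [ "$(printf '%s\n' "$a" | awk -F: '{print NF-1}')" -eq 7 ]
}

# Print "4", "6", "both" (no literal found) or "mixed" (literals of
# both families, which neither tool would accept).
iptables_family() {
    v4=0; v6=0
    for arg in "$@"; do
        if is_ipv4_literal "$arg"; then v4=1
        elif is_ipv6_literal "$arg"; then v6=1
        fi
    done
    if [ "$v4" -eq 1 ] && [ "$v6" -eq 1 ]; then echo mixed
    elif [ "$v4" -eq 1 ]; then echo 4
    elif [ "$v6" -eq 1 ]; then echo 6
    else echo both
    fi
}

# Map the family to the executables to invoke (paths are assumed).
# A mixed line fails loudly instead of half-applying the rule.
iptables_targets() {
    case "$(iptables_family "$@")" in
        4)    echo /sbin/iptables ;;
        6)    echo /sbin/ip6tables ;;
        both) echo "/sbin/iptables /sbin/ip6tables" ;;
        *)    echo "iptables: mixed IPv4/IPv6 parameters: $*" >&2; return 1 ;;
    esac
}
```

A wrapper would loop over the printed executables and run each with the original arguments; a non-zero return from iptables_targets is the point to abort processing of firehol.conf.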