[Firehol-support] [ANNOUNCE] FireHOL 2.0.4 and 3.0.1 released

[Phil Whineray]

All

I have released versions 2.0.4 and 3.0.1 of FireHOL.

As usual, you can get them from the website:
  http://firehol.org/download/releases/v2.0.4/
  http://firehol.org/download/releases/v3.0.1/

Unless you have a compelling reason to stay with v2, it is recommended
you now upgrade to the 3.x series, which is where most work will take
place in future.

Major changes:

This release has been made to add an extra helper "ipv6mld" and update
the recommended icmpv6 handling example to make it more likely that this
will work for everyone unchanged.

In particular "client ipv6mld accept" should be used on any interfaces
taking part on a network which has multicast snooping enabled. Depending
on the snooping, not having this may prevent neighbour and router
discovery from working. Not everyone likes MLD though, so you may want
to read up on it as many network configurations will work fine without.

My new recommendation for enabling icmpv6 on hosts is to define a
special interface before your regular ones, like this:

  version 6

  ipv6 interface any ipv6interop proto icmpv6
    policy return
    client ipv6neigh accept
    server ipv6neigh accept
    client ipv6mld accept
    client ipv6router accept
    server ipv6error accept

    # If this machine is routing traffic, it will need to be able
    # to send Router Advertisment messages and Multicast Listener Queries
    #server ipv6router accept
    #server ipv6mld accept

There is then no need to include these rules in each subsequent interface.
Routers will still need rules adding for ipv6error.

Minor:

Version 3.0.1 also adds pre_up to vnetbuild to allow running commands
in a namespace before an interface is brought up.

Regards
Phil