Handle essential IPv6-ICMP types when firewall is stopped

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2020-02-06 15:21:51 -08:00
parent 5f50b70618
commit 4efac2fda1
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10


@ -2540,6 +2540,7 @@ sub compile_stop_firewall( $$$$ ) {
my $input = $filter_table->{INPUT}; my $input = $filter_table->{INPUT};
my $output = $filter_table->{OUTPUT}; my $output = $filter_table->{OUTPUT};
my $forward = $filter_table->{FORWARD}; my $forward = $filter_table->{FORWARD};
my $absentminded = $config{ ADMINISABSENTMINDED };
emit <<'EOF'; emit <<'EOF';
# #
@ -2547,7 +2548,7 @@ sub compile_stop_firewall( $$$$ ) {
# #
stop_firewall() { stop_firewall() {
EOF EOF
$output->{policy} = 'ACCEPT' if $config{ADMINISABSENTMINDED}; $output->{policy} = 'ACCEPT' if $absentminded;
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
emit <<'EOF'; emit <<'EOF';
@ -2706,7 +2707,7 @@ EOF
# #
create_docker_rules if $config{DOCKER}; create_docker_rules if $config{DOCKER};
if ( $config{ADMINISABSENTMINDED} ) { if ( $absentminded ) {
add_ijump $filter_table ->{$_}, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/; add_ijump $filter_table ->{$_}, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/;
} }
@ -2715,7 +2716,7 @@ EOF
add_ijump $input, j => 'ACCEPT', d => IPv6_LINKLOCAL; add_ijump $input, j => 'ACCEPT', d => IPv6_LINKLOCAL;
add_ijump $input, j => 'ACCEPT', d => IPv6_MULTICAST; add_ijump $input, j => 'ACCEPT', d => IPv6_MULTICAST;
unless ( $config{ADMINISABSENTMINDED} ) { unless ( $absentminded ) {
add_ijump $output, j => 'ACCEPT', d => IPv6_LINKLOCAL; add_ijump $output, j => 'ACCEPT', d => IPv6_LINKLOCAL;
add_ijump $output, j => 'ACCEPT', d => IPv6_MULTICAST; add_ijump $output, j => 'ACCEPT', d => IPv6_MULTICAST;
} }
@ -2729,12 +2730,25 @@ EOF
process_stoppedrules; process_stoppedrules;
if ( $family == F_IPV6 ) {
my $chain = new_action_chain( 'filter', 'AllowICMPs' );
for my $type ( 1, 2, 3, 4, 130, 131, 132, 133, 134, 135, 136, 137, 141, 142, 143, 148, 149, 151, 152, 153 ) {
add_ijump( $chain, j => 'ACCEPT', p => IPv6_ICMP . " --icmpv6-type $type" );
}
for $chain ( $input, $output, $forward ) {
next if $chain eq $output && $absentminded;
add_ijump( $chain, j => 'AllowICMPs', p => IPv6_ICMP );
}
}
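Review bot: The second loop at `for $chain ( $input, $output, $forward )` reuses the lexical `$chain` that was just bound to the new AllowICMPs action chain as its loop variable; Perl's foreach aliases and then restores it, so the code works, but it reads as if the action chain were being overwritten, and `for my $target ( $input, $output, $forward ) { next if $target eq $output && $absentminded; add_ijump( $target, j => 'AllowICMPs', p => IPv6_ICMP ); }` keeps the two roles visibly distinct. The bare number list in the `for my $type` loop also needs a comment saying what it is, because these types are accepted from any source in INPUT and FORWARD while the firewall is stopped; something like `# RFC 4890 essentials: error messages (1-4), MLD (130-132, 143), NDP (133-137, 141-142), SEND (148-149), MRD (151-153); echo (128/129) intentionally omitted` would tell a later maintainer that leaving out echo is deliberate and that no source restriction is applied. Whether the NDP and Redirect types (133-137) should additionally be limited to link-local sources in the stopped state is a policy question I cannot settle from this hunk, since the kernel's own hop-limit and source-address checks on those messages may already cover it. compile_stop_firewall begins and ends outside this hunk.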
if ( have_capability 'IFACE_MATCH' ) { if ( have_capability 'IFACE_MATCH' ) {
add_ijump $input, j => 'ACCEPT', iface => '--dev-in --loopback'; add_ijump $input, j => 'ACCEPT', iface => '--dev-in --loopback';
add_ijump $output, j => 'ACCEPT', iface => '--dev-out --loopback' unless $config{ADMINISABSENTMINDED}; add_ijump $output, j => 'ACCEPT', iface => '--dev-out --loopback' unless $absentminded;
} else { } else {
add_ijump $input, j => 'ACCEPT', i => loopback_interface; add_ijump $input, j => 'ACCEPT', i => loopback_interface;
add_ijump $output, j => 'ACCEPT', o => loopback_interface unless $config{ADMINISABSENTMINDED}; add_ijump $output, j => 'ACCEPT', o => loopback_interface unless $absentminded;
} }
my $interfaces = find_interfaces_by_option 'dhcp'; my $interfaces = find_interfaces_by_option 'dhcp';
@ -2744,7 +2758,7 @@ EOF
for my $interface ( @$interfaces ) { for my $interface ( @$interfaces ) {
add_ijump $input, j => 'ACCEPT', p => "udp --dport $ports", imatch_source_dev( $interface ); add_ijump $input, j => 'ACCEPT', p => "udp --dport $ports", imatch_source_dev( $interface );
add_ijump $output, j => 'ACCEPT', p => "udp --dport $ports", imatch_dest_dev( $interface ) unless $config{ADMINISABSENTMINDED}; add_ijump $output, j => 'ACCEPT', p => "udp --dport $ports", imatch_dest_dev( $interface ) unless $absentminded;
# #
# This might be a bridge # This might be a bridge
# #