From 4efac2fda17cbc89a07b1d079494a17c8eb477eb Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 6 Feb 2020 15:21:51 -0800 Subject: [PATCH] Handle essential IPv6-ICMP types when firewall is stopped Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Misc.pm | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm index ccc5306b6..0de55c4a4 100644 --- a/Shorewall/Perl/Shorewall/Misc.pm +++ b/Shorewall/Perl/Shorewall/Misc.pm @@ -2540,6 +2540,7 @@ sub compile_stop_firewall( $$$$ ) { my $input = $filter_table->{INPUT}; my $output = $filter_table->{OUTPUT}; my $forward = $filter_table->{FORWARD}; + my $absentminded = $config{ ADMINISABSENTMINDED }; emit <<'EOF'; # @@ -2547,7 +2548,7 @@ sub compile_stop_firewall( $$$$ ) { # stop_firewall() { EOF - $output->{policy} = 'ACCEPT' if $config{ADMINISABSENTMINDED}; + $output->{policy} = 'ACCEPT' if $absentminded; if ( $family == F_IPV4 ) { emit <<'EOF'; @@ -2706,7 +2707,7 @@ EOF # create_docker_rules if $config{DOCKER}; - if ( $config{ADMINISABSENTMINDED} ) { + if ( $absentminded ) { add_ijump $filter_table ->{$_}, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/; } @@ -2715,7 +2716,7 @@ EOF add_ijump $input, j => 'ACCEPT', d => IPv6_LINKLOCAL; add_ijump $input, j => 'ACCEPT', d => IPv6_MULTICAST; - unless ( $config{ADMINISABSENTMINDED} ) { + unless ( $absentminded ) { add_ijump $output, j => 'ACCEPT', d => IPv6_LINKLOCAL; add_ijump $output, j => 'ACCEPT', d => IPv6_MULTICAST; } @@ -2729,12 +2730,25 @@ EOF process_stoppedrules; + if ( $family == F_IPV6 ) { + my $chain = new_action_chain( 'filter', 'AllowICMPs' ); + + for my $type ( 1, 2, 3, 4, 130, 131, 132, 133, 134, 135, 136, 137, 141, 142, 143, 148, 149, 151, 152, 153 ) { + add_ijump( $chain, j => 'ACCEPT', p => IPv6_ICMP . " --icmpv6-type $type" ); + } + + for $chain ( $input, $output, $forward ) { + next if $chain eq $output && $absentminded; + add_ijump( $chain, j => 'AllowICMPs', p => IPv6_ICMP ); + } + } + if ( have_capability 'IFACE_MATCH' ) { add_ijump $input, j => 'ACCEPT', iface => '--dev-in --loopback'; - add_ijump $output, j => 'ACCEPT', iface => '--dev-out --loopback' unless $config{ADMINISABSENTMINDED}; + add_ijump $output, j => 'ACCEPT', iface => '--dev-out --loopback' unless $absentminded; } else { add_ijump $input, j => 'ACCEPT', i => loopback_interface; - add_ijump $output, j => 'ACCEPT', o => loopback_interface unless $config{ADMINISABSENTMINDED}; + add_ijump $output, j => 'ACCEPT', o => loopback_interface unless $absentminded; } my $interfaces = find_interfaces_by_option 'dhcp'; @@ -2744,7 +2758,7 @@ EOF for my $interface ( @$interfaces ) { add_ijump $input, j => 'ACCEPT', p => "udp --dport $ports", imatch_source_dev( $interface ); - add_ijump $output, j => 'ACCEPT', p => "udp --dport $ports", imatch_dest_dev( $interface ) unless $config{ADMINISABSENTMINDED}; + add_ijump $output, j => 'ACCEPT', p => "udp --dport $ports", imatch_dest_dev( $interface ) unless $absentminded; # # This might be a bridge #