Derive IP6TABLES from IPTABLES

2009-07-09 10:29:56 -07:00 · 2009-07-09 10:29:56 -07:00 · bdd124b504
commit bdd124b504
parent 047a5caffd
3 changed files with 42 additions and 10 deletions
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@ -2040,14 +2040,36 @@ sub mysplit( $ ) {
 #
 sub set_chain_variables() {
    if ( $family == F_IPV4 ) {
-	if ( $config{IPTABLES} ) {
-	    emit( qq(IPTABLES="$config{IPTABLES}"),
+	my $checkname = 0;
+	my $iptables  = $config{IPTABLES};
+
+	if ( $iptables ) {
+	    emit( qq(IPTABLES="$iptables"),
 		  '[ -x "$IPTABLES" ] || startup_error "IPTABLES=$IPTABLES does not exist or is not executable"',
 		);
+	    $checkname = 1 unless $iptables =~ '/';
 	} else {
 	    emit( '[ -z "$IPTABLES" ] && IPTABLES=$(mywhich iptables) # /sbin/shorewall exports IPTABLES',
 		  '[ -n "$IPTABLES" -a -x "$IPTABLES" ] || startup_error "Can\'t find iptables executable"'
 		);
+	    $checkname = 1;
+	}
+
+	if ( $checkname ) {
+	    emit ( '',
+		   'case $IPTABLES in',
+		   '    */*)',
+		   '        ;;',
+		   '    *)',
+		   '        IPTABLES=./$IPTABLES',
+		   '        ;;',
+		   'esac',
+		   '',
+		   'IP6TABLES=${IPTABLES%/*}/ip6tables'
+		 );
+	} else {
+	    $iptables =~ s|/[^/]*$|/ip6tables|;
+	    emit ( "IP6TABLES=$iptables" );
 	}

 	emit( 'IPTABLES_RESTORE=${IPTABLES}-restore',
--- a/Shorewall/Perl/prog.header
+++ b/Shorewall/Perl/prog.header
@ -861,14 +861,14 @@ disable_ipv6() {
    foo="$($IP -f inet6 addr list 2> /dev/null)"

    if [ -n "$foo" ]; then
-	if qt mywhich ip6tables; then
-	    ip6tables -P FORWARD DROP
-	    ip6tables -P INPUT DROP
-	    ip6tables -P OUTPUT DROP
-	    ip6tables -F
-	    ip6tables -X
-	    ip6tables -A OUTPUT -o lo -j ACCEPT
-	    ip6tables -A INPUT -i lo -j ACCEPT
+	if [ -x "$IP6TABLES" ]; then
+	    $IP6TABLES -P FORWARD DROP
+	    $IP6TABLES -P INPUT DROP
+	    $IP6TABLES -P OUTPUT DROP
+	    $IP6TABLES -F
+	    $IP6TABLES -X
+	    $IP6TABLES -A OUTPUT -o lo -j ACCEPT
+	    $IP6TABLES -A INPUT -i lo -j ACCEPT
 	else
 	    error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
 	fi
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -154,6 +154,16 @@ None.
 	 macro.RIPbi
 	 macro.mDNS

+2)  The default value of DISABLE_IPV6 has been changed from 'Yes' to
+    'No' in all sample shorewall.conf files. Shorewall6 should be
+    installed to restrict IPv6 traffic.
+
+    As part of this change, the ip6tables program in the directory
+    specified by the IPTABLES setting will be used to disable IPv6. If
+    the iptables utility is discovered using the PATH setting, then
+    ip6tables in the same directory as the discovered iptables will be
+    used.
+
 ----------------------------------------------------------------------------
                 N E W   F E A T U R E S   IN   4 . 4
 ----------------------------------------------------------------------------