From bdd124b5048cf87f9bf51ad3866ed75a2e5e0d34 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Thu, 9 Jul 2009 10:29:56 -0700
Subject: [PATCH] Derive IP6TABLES from IPTABLES
---
 Shorewall/Perl/Shorewall/Chains.pm | 26 ++++++++++++++++++++++++--
 Shorewall/Perl/prog.header | 16 ++++++++--------
 Shorewall/releasenotes.txt | 10 ++++++++++
 3 files changed, 42 insertions(+), 10 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 021b45f83..8cc6f7081 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -2040,14 +2040,36 @@ sub mysplit( $ ) {
 #
 sub set_chain_variables() {
 if ( $family == F_IPV4 ) {
- if ( $config{IPTABLES} ) {
- emit( qq(IPTABLES="$config{IPTABLES}"),
+ my $checkname = 0;
+ my $iptables = $config{IPTABLES};
+
+ if ( $iptables ) {
+ emit( qq(IPTABLES="$iptables"),
 '[ -x "$IPTABLES" ] || startup_error "IPTABLES=$IPTABLES does not exist or is not executable"',
 );
+ $checkname = 1 unless $iptables =~ '/';
 } else {
 emit( '[ -z "$IPTABLES" ] && IPTABLES=$(mywhich iptables) # /sbin/shorewall exports IPTABLES',
 '[ -n "$IPTABLES" -a -x "$IPTABLES" ] || startup_error "Can\'t find iptables executable"' );
+ $checkname = 1;
+ }
+
+ if ( $checkname ) {
+ emit ( '',
+ 'case $IPTABLES in',
+ ' */*)',
+ ' ;;',
+ ' *)',
+ ' IPTABLES=./$IPTABLES',
+ ' ;;',
+ 'esac',
+ '',
+ 'IP6TABLES=${IPTABLES%/*}/ip6tables'
+ );
+ } else {
+ $iptables =~ s|/[^/]*$|/ip6tables|;
+ emit ( "IP6TABLES=$iptables" );
 }
 emit( 'IPTABLES_RESTORE=${IPTABLES}-restore',
diff --git a/Shorewall/Perl/prog.header b/Shorewall/Perl/prog.header
index 615cea2b4..605f6bf32 100644
--- a/Shorewall/Perl/prog.header
+++ b/Shorewall/Perl/prog.header
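Review bot: The `*)` arm of the emitted `case` rewrites a slash-less IPTABLES to `./$IPTABLES`, so the generated script then executes iptables, and the ip6tables derived from it, out of whatever directory the firewall script happens to be started from, as root; before this change a bare name was resolved through PATH at invocation time. A bare name from shorewall.conf should instead be resolved with mywhich, as the unset-IPTABLES branch already does, and the `[ -x "$IPTABLES" ]` test (which on a bare name also looks only in the working directory) then runs on the resolved path, after which the `case` is unnecessary because IPTABLES always contains a slash. The sketch below does that; the unchanged else branches are elided. Separately, `emit ( "IP6TABLES=$iptables" )` is unquoted while the IPTABLES assignment is emitted as `IPTABLES="$iptables"`, so a configured path containing whitespace breaks the generated script; `emit( qq(IP6TABLES="$iptables") )` keeps the two consistent. set_chain_variables continues past the end of the hunk.
```perl
	if ( $iptables ) {
	    if ( $iptables =~ m{/} ) {
		emit( qq(IPTABLES="$iptables") );
	    } else {
		# A bare name is resolved through PATH, never the working directory
		emit( qq(IPTABLES=\$(mywhich "$iptables")) );
		$checkname = 1;
	    }
	    emit( qq([ -n "\$IPTABLES" -a -x "\$IPTABLES" ] || startup_error "IPTABLES=$iptables does not exist or is not executable") );
	} else {
	    # … unchanged: mywhich iptables lookup and $checkname = 1 …
	}

	if ( $checkname ) {
	    # IPTABLES now always holds a path, so no case statement is needed
	    emit( '', 'IP6TABLES=${IPTABLES%/*}/ip6tables' );
	} else {
	    # … unchanged: derive IP6TABLES from the configured path …
	}
```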
@@ -861,14 +861,14 @@ disable_ipv6() {
 foo="$($IP -f inet6 addr list 2> /dev/null)"
 if [ -n "$foo" ]; then
- if qt mywhich ip6tables; then
- ip6tables -P FORWARD DROP
- ip6tables -P INPUT DROP
- ip6tables -P OUTPUT DROP
- ip6tables -F
- ip6tables -X
- ip6tables -A OUTPUT -o lo -j ACCEPT
- ip6tables -A INPUT -i lo -j ACCEPT
+ if [ -x "$IP6TABLES" ]; then
+ $IP6TABLES -P FORWARD DROP
+ $IP6TABLES -P INPUT DROP
+ $IP6TABLES -P OUTPUT DROP
+ $IP6TABLES -F
+ $IP6TABLES -X
+ $IP6TABLES -A OUTPUT -o lo -j ACCEPT
+ $IP6TABLES -A INPUT -i lo -j ACCEPT
 else
 error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
 fi
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index ebe2afa23..98977e037 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -154,6 +154,16 @@ None.
 macro.RIPbi
 macro.mDNS
+2) The default value of DISABLE_IPV6 has been changed from 'Yes' to
+ 'No' in all sample shorewall.conf files. Shorewall6 should be
+ installed to restrict IPv6 traffic.
+
+ As part of this change, the ip6tables program in the directory
+ specified by the IPTABLES setting will be used to disable IPv6. If
+ the iptables utility is discovered using the PATH setting, then
+ ip6tables in the same directory as the discovered iptables will be
+ used.
+
 ----------------------------------------------------------------------------
 N E W F E A T U R E S IN 4 . 4
 ----------------------------------------------------------------------------
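Review bot: The new `[ -x "$IP6TABLES" ]` test only ever sees the ip6tables path derived from IPTABLES, so a host whose ip6tables lives elsewhere on PATH now takes the else branch, whose unchanged message still says the system has no ip6tables, and with DISABLE_IPV6=Yes the IPv6 stack is left wide open on the strength of a warning. Keeping the old PATH lookup as a fallback preserves the previous behaviour, e.g. `[ -x "$IP6TABLES" ] || IP6TABLES=$(mywhich ip6tables)` immediately before the `if`, and the warning should name what was actually tried: `error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but $IP6TABLES was not found or is not executable"`. The eight `$IP6TABLES` invocations also discard their exit status, so a failed `-P FORWARD DROP` is silent; the three policy lines at least deserve an `|| error_message "WARNING: unable to set ip6tables policy"`. disable_ipv6() starts before and ends after this hunk, and the availability of mywhich here is inferred from the removed `qt mywhich ip6tables` line.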