diff --git a/Samples/one-interface/shorewall.conf b/Samples/one-interface/shorewall.conf
index 41340daaa..5b65e850c 100644
--- a/Samples/one-interface/shorewall.conf
+++ b/Samples/one-interface/shorewall.conf
@@ -139,6 +139,8 @@ DELAYBLACKLISTLOAD=No
 MODULE_SUFFIX=
+DISABLE_IPV6=Yes
+
 BRIDGING=No
 DYNAMIC_ZONES=No
diff --git a/Samples/three-interfaces/shorewall.conf b/Samples/three-interfaces/shorewall.conf
index ed0fc6aaa..bc04c03ea 100644
--- a/Samples/three-interfaces/shorewall.conf
+++ b/Samples/three-interfaces/shorewall.conf
@@ -139,6 +139,8 @@ DELAYBLACKLISTLOAD=No
 MODULE_SUFFIX=
+DISABLE_IPV6=Yes
+
 BRIDGING=No
 DYNAMIC_ZONES=No
diff --git a/Samples/two-interfaces/shorewall.conf b/Samples/two-interfaces/shorewall.conf
index e73bc7163..0f13434e3 100644
--- a/Samples/two-interfaces/shorewall.conf
+++ b/Samples/two-interfaces/shorewall.conf
@@ -146,6 +146,8 @@ DELAYBLACKLISTLOAD=No
 MODULE_SUFFIX=
+DISABLE_IPV6=Yes
+
 BRIDGING=No
 DYNAMIC_ZONES=No
diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm
index 9da865b28..878984218 100644
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -407,6 +407,9 @@ sub generate_script_3($) {
 ' rm -f ${VARDIR}/nat',
 "fi\n" );
 }
+
+ emit "disable_ipv6\n" if $config{DISABLE_IPV6};
+
 } else {
 emit ( '#',
 '# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here',
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index cf47c41c3..a44116d41 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
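Review bot: Shipping `DISABLE_IPV6=Yes` as the sample default means a host that has IPv6 addresses and ip6tables gets every non-loopback IPv6 packet dropped as soon as Shorewall starts, per the `disable_ipv6` function this commit adds to prog.header, and any ip6tables rules installed by another tool are flushed at the same time; an administrator connected over IPv6 loses access. The added line carries no explanation, so I would put a comment above it, e.g. `# DISABLE_IPV6=Yes installs ip6tables DROP policies (loopback excepted) and flushes existing IPv6 rules; set No if Shorewall6 or another tool manages IPv6.` The same hunk appears in Samples/three-interfaces/shorewall.conf, Samples/two-interfaces/shorewall.conf and Shorewall/configfiles/shorewall.conf. Note that Config.pm appears to treat an absent option as off, so the shipped file and an unset option behave differently, which the comment should say.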
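Review bot: The new `emit "disable_ipv6\n" if $config{DISABLE_IPV6};` sits only in the branch that closes at `} else {`, and nothing in the hunk says why; if that branch is the IPv4-family path and the else branch generates the IPv6 family script the placement is right, but if the else branch is also a start path for IPv4 the option is silently ignored there. The emitted call also depends on the `disable_ipv6` shell function from prog.header being included in the generated script, which is not checked here. A comment on the line such as `# Honoured at start time by disable_ipv6() in prog.header; clear_firewall() in prog.functions resets the policies it installs` would make both couplings visible. generate_script_3 begins and ends outside the hunk.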
@@ -188,7 +188,7 @@ our %config;
 #
 # Config options and global settings that are to be copied to object script
 #
-our @propagateconfig = qw/ MODULESDIR MODULE_SUFFIX LOGFORMAT SUBSYSLOCK LOCKFILE /;
+our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX LOGFORMAT SUBSYSLOCK LOCKFILE /;
 our @propagateenv = qw/ LOGLIMIT LOGTAGONLY LOGRULENUMBERS /;
 #
 # From parsing the capabilities file or detecting capabilities
@@ -2306,8 +2306,7 @@ sub get_configuration( $ ) {
 default_yes_no 'ADMINISABSENTMINDED' , '';
 default_yes_no 'BLACKLISTNEWONLY' , '';
-
- warning_message 'DISABLE_IPV6=Yes is not supported by Shorewall ' . $globals{VERSION} if $config{DISABLE_IPV6};
+ default_yes_no 'DISABLE_IPV6' , '';
 unsupported_yes_no 'DYNAMIC_ZONES';
 unsupported_yes_no 'BRIDGING';
diff --git a/Shorewall/Perl/prog.functions b/Shorewall/Perl/prog.functions
index c6e5b0240..bfa3a536c 100644
--- a/Shorewall/Perl/prog.functions
+++ b/Shorewall/Perl/prog.functions
@@ -31,6 +31,14 @@ clear_firewall() {
 echo 1 > /proc/sys/net/ipv4/ip_forward
+ if [ -n "$DISABLE_IPV6" ]; then
+ if qt mywhich ip6tables; then
+ ip6tables -P INPUT ACCEPT 2> /dev/null
+ ip6tables -P OUTPUT ACCEPT 2> /dev/null
+ ip6tables -P FORWARD ACCEPT 2> /dev/null
+ fi
+ fi
+
 run_clear_exit
 set_state "Cleared"
diff --git a/Shorewall/Perl/prog.header b/Shorewall/Perl/prog.header
index 3f1981382..615cea2b4 100644
--- a/Shorewall/Perl/prog.header
+++ b/Shorewall/Perl/prog.header
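Review bot: `default_yes_no 'DISABLE_IPV6' , ''` turns an option that the removed line merely warned about and ignored into one that installs ip6tables DROP policies at the next start, so an existing shorewall.conf still carrying `DISABLE_IPV6=Yes` from an earlier release changes behaviour on upgrade with no prompt; the release notes hunk in this commit only deletes the "option has been removed" item and never says the option is back and active. I would add an upgrade note there and a comment beside this line, e.g. `# Re-instated in 4.4.0-Beta4: Yes makes the generated script call disable_ipv6() from prog.header`. get_configuration continues outside the hunk.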
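Review bot: The new block in `clear_firewall` only resets the three ip6tables policies to ACCEPT; the two loopback ACCEPT rules that `disable_ipv6` in prog.header appends are left behind, and because each `ip6tables -P` has its stderr sent to `/dev/null`, a policy that fails to reset is not reported, leaving the host believing it is cleared while IPv6 is still dropped. If clear is meant to return the IPv6 filter table to its pre-start state, an `ip6tables -F` after the policy resets (mirroring the `-F` in disable_ipv6) is needed, with the same caveat that it also discards rules installed by anything else. Whether the stop path restores the policies is not visible here, and clear_firewall begins outside the hunk.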
@@ -853,6 +853,28 @@ detect_gateway() # $1 = interface
 [ -n "$gateway" ] && echo $gateway
 }
+#
+# Disable IPV6
+#
+disable_ipv6() {
+ local foo
+ foo="$($IP -f inet6 addr list 2> /dev/null)"
+
+ if [ -n "$foo" ]; then
+ if qt mywhich ip6tables; then
+ ip6tables -P FORWARD DROP
+ ip6tables -P INPUT DROP
+ ip6tables -P OUTPUT DROP
+ ip6tables -F
+ ip6tables -X
+ ip6tables -A OUTPUT -o lo -j ACCEPT
+ ip6tables -A INPUT -i lo -j ACCEPT
+ else
+ error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
+ fi
+ fi
+}
+
 # Function to truncate a string -- It uses 'cut -b -'
 # rather than ${v:first:last} because light-weight shells like ash and
 # dash do not support that form of expansion.
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index aa7cc01d1..844d2ab79 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -1,8 +1,6 @@
 Changes in Shorewall 4.4.0-Beta4
-1) Delete DISABLE_IPV6.
-
-2) Add more macros.
+1) Add more macros.
 Changes in Shorewall 4.4.0-Beta3
diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf
index 04451554d..fad9bef1e 100644
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -137,6 +137,8 @@ DELAYBLACKLISTLOAD=No
 MODULE_SUFFIX=
+DISABLE_IPV6=Yes
+
 BRIDGING=No
 DYNAMIC_ZONES=No
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index c7a39db89..ebe2afa23 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
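Review bot: `disable_ipv6` decides once, at start time, from the current output of `$IP -f inet6 addr list`: if no IPv6 address is present at that moment, or `$IP` fails (its stderr is discarded, so an unset `$IP` looks the same as "no addresses"), nothing is installed, and an interface that later acquires an address through autoconfiguration is left under the default ACCEPT policies, so `DISABLE_IPV6=Yes` does not guarantee IPv6 is blocked. Gating on ip6tables alone, `if qt mywhich ip6tables; then`, and dropping the `$foo` test would close that gap; the existing order of DROP policies before `-F` is the right fail-closed sequence and should be kept. The `ip6tables -F` / `ip6tables -X` pair also discards any IPv6 rules installed by another tool such as Shorewall6, which the pre-commit release notes pointed users to for IPv6 control, and the `else` branch leaves IPv6 entirely unfiltered with only a warning; both deserve a sentence in the header. That header, `# Disable IPV6`, overstates what the function does; I would write `# Block all IPv6 traffic except loopback with ip6tables DROP policies; the IPv6 stack itself stays enabled`.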
@@ -109,17 +109,33 @@ Shorewall 4.4.0 Beta 4 As part of this change, the fallback.sh scripts are no longer released. -9) The DISABLE_IPV6 option has been removed from Shorewall.conf. If - you need to control IPV6 traffic, install Shorewall6. - ---------------------------------------------------------------------------- - P R O B L E M S C O R R E C T E D I N 4 . 4 . 0 Beta 4 + P R O B L E M S C O R R E C T E D I N 4 . 4 . 0 Beta 3 ---------------------------------------------------------------------------- 1) The BGP and OSFP macros released in Beta 3 contained rules to allow administrative access to the related routing daemons. Those rules have been deleted. +2) Previously, if Address Type Match was not available and an + interface on the firewall was (mis-)configured as shown below, then + REJECT policies in Shorewall-perl would drop packets addressed to + the interface rather than reject them. + + 3: venet0: mtu 1500 ... + inet 127.0.0.1/32 scope host venet0 + inet 206.124.146.176/32 brd 206.124.146.176 ... + + Note that a /32 should never be configured with a broadcast + address. + +3) Due to a syntax ambiguity arising from the new dynamic zone + implementation, 'shorewall show dynamic' produced no output. It now + shows the contents of the dynamic blacklist as in earlier + Shorewall releases. + +4) The 'findgw' script produced an error if VERBOSITY > 0. + ---------------------------------------------------------------------------- K N O W N P R O B L E M S R E M A I N I N G ---------------------------------------------------------------------------- @@ -138,7 +154,7 @@ None. macro.RIPbi macro.mDNS ---------------------------------------------------------------------------- +---------------------------------------------------------------------------- N E W F E A T U R E S IN 4 . 4 ---------------------------------------------------------------------------- 
@@ -767,16 +783,3 @@ None. 26) A new extension script, 'lib.private' has been added. This file is intended to include declarations of shell functions that will be called by the other run-time extension scripts. - -27) Three new macros have been contributed by Alex Wilms. - - macro.BGP - macro.Citrix - macro.OSPF - macro.Razor - -28) The Shorewall compiler now checks for availability of the LOG - target if the configuration does any logging. This change involves - a new version of the capabilities file so users employing a - capabilties file should re-generate that file before trying to - start/restart Shorewall.