author | Bob Gilligan <gilligan@vyatta.com> | 2009-09-22 15:52:31 -0700 |
---|---|---|
committer | Bob Gilligan <gilligan@vyatta.com> | 2009-09-22 15:52:31 -0700 |
commit | 4a71e47b4e79daff824546b539612b8747569856 (patch) | |
tree | 999686214eef9f2001b88b9afe74ea38331bf45e | |
parent | acecb392ff2bf3b6e6bf46f699c4b63bbe013b91 (diff) | |
Bugfix 4951: Don't fail if IPv6 kernel module is not loaded.
Handle the case where the IPv6 kernel module is not loaded more gracefully.
-rw-r--r-- | scripts/firewall/firewall.init.in | 23 | ||||
-rw-r--r-- | templates/firewall/ipv6-receive-redirects/node.def | 42 | ||||
-rw-r--r-- | templates/firewall/ipv6-src-route/node.def | 38 |
3 files changed, 58 insertions, 45 deletions
diff --git a/scripts/firewall/firewall.init.in b/scripts/firewall/firewall.init.in
index ea60955..c3a0115 100644
--- a/scripts/firewall/firewall.init.in
+++ b/scripts/firewall/firewall.init.in
@@ -44,6 +44,7 @@ declare -a modules=( ## setup firewall & nat conntrack modules start () { + for mod in ${modules[@]} ; do modprobe --syslog $mod done
@@ -53,9 +54,19 @@ start () { iptables -t raw -A PREROUTING -j NOTRACK iptables -t raw -A OUTPUT -j NOTRACK - # set up notrack chains/rules for IPv6 - ip6tables -t raw -A PREROUTING -j NOTRACK - ip6tables -t raw -A OUTPUT -j NOTRACK + if [ -d /proc/sys/net/ipv6 ] ; then + # set up notrack chains/rules for IPv6 + ip6tables -t raw -A PREROUTING -j NOTRACK + ip6tables -t raw -A OUTPUT -j NOTRACK + + # set up post-firewall hook for IPv6 + ip6tables -N VYATTA_POST_FW_HOOK + ip6tables -A VYATTA_POST_FW_HOOK -j ACCEPT + ip6tables -A INPUT -j VYATTA_POST_FW_HOOK + ip6tables -A FORWARD -j VYATTA_POST_FW_HOOK + else + logger -t "Vyatta firewall init" -p warning "Kernel IPv6 support disabled. Not initializing IPv6 firewall" + fi # set up post-firewall hook for IPv4 iptables -N VYATTA_POST_FW_HOOK
@@ -63,12 +74,6 @@ start () { iptables -A INPUT -j VYATTA_POST_FW_HOOK iptables -A FORWARD -j VYATTA_POST_FW_HOOK - # set up post-firewall hook for IPv6 - ip6tables -N VYATTA_POST_FW_HOOK - ip6tables -A VYATTA_POST_FW_HOOK -j ACCEPT - ip6tables -A INPUT -j VYATTA_POST_FW_HOOK - ip6tables -A FORWARD -j VYATTA_POST_FW_HOOK - # set up pre-SNAT hook iptables -t nat -N VYATTA_PRE_SNAT_HOOK iptables -t nat -A VYATTA_PRE_SNAT_HOOK -j RETURN
diff --git a/templates/firewall/ipv6-receive-redirects/node.def b/templates/firewall/ipv6-receive-redirects/node.def
index 5ca9e49..a7bd2c8 100644
--- a/templates/firewall/ipv6-receive-redirects/node.def
+++ b/templates/firewall/ipv6-receive-redirects/node.def
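Review bot: The `-d /proc/sys/net/ipv6` guard in the second hunk is evaluated once, when `start` runs, so if the IPv6 module is loaded after the firewall service has started the IPv6 NOTRACK rules and the `VYATTA_POST_FW_HOOK` chain are never created and the only trace is the single logger line; a comment above the test would keep that visible, e.g. `# IPv6 hooks are created only if the IPv6 stack is present at start time; restart this service after loading the ipv6 module`. The directory check also proves only that the stack is present, not that ip6tables and its raw table are usable, and the exit status of the ip6tables calls is still not checked, so a failure inside the guarded branch presumably behaves as it did before this fix. The first hunk adds only a blank line after `start () {`, which looks like an unintended whitespace change. `start` continues outside these hunks, and the `modules` array it loads is declared above them.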
@@ -15,26 +15,30 @@ default: "disable" syntax:expression: $VAR(@) in "enable", "disable"; "icmpv6-receive-redirects must be enable or disable" update: - array=(`ls /proc/sys/net/ipv6/conf/`) - array_len=${#array[*]} - i=0 - while [ $i -lt $array_len ]; do - if [ x$VAR(@) == xenable ]; then - sudo sh -c "echo 1 > \ - /proc/sys/net/ipv6/conf/${array[$i]%:*}/accept_redirects" - else - sudo sh -c "echo 0 > \ - /proc/sys/net/ipv6/conf/${array[$i]%:*}/accept_redirects" - fi - let i++ - done - -delete: + if [ -d /proc/sys/net/ipv6 ]; then array=(`ls /proc/sys/net/ipv6/conf/`) array_len=${#array[*]} - i=0 + i=0 + while [ $i -lt $array_len ]; do + if [ x$VAR(@) == xenable ]; then + sudo sh -c "echo 1 > \ + /proc/sys/net/ipv6/conf/${array[$i]%:*}/accept_redirects" + else + sudo sh -c "echo 0 > \ + /proc/sys/net/ipv6/conf/${array[$i]%:*}/accept_redirects" + fi + let i++ + done + fi + +delete: + if [ -d /proc/sys/net/ipv6 ]; then + array=(`ls /proc/sys/net/ipv6/conf/`) + array_len=${#array[*]} + i=0 while [ $i -lt $array_len ]; do - sudo sh -c "echo 0 > \ - /proc/sys/net/ipv6/conf/${array[$i]%:*}/accept_redirects" - let i++ + sudo sh -c "echo 0 > \ + /proc/sys/net/ipv6/conf/${array[$i]%:*}/accept_redirects" + let i++ done + fi
diff --git a/templates/firewall/ipv6-src-route/node.def b/templates/firewall/ipv6-src-route/node.def
index be69afe..ec88393 100644
--- a/templates/firewall/ipv6-src-route/node.def
+++ b/templates/firewall/ipv6-src-route/node.def
@@ -1,10 +1,10 @@ -# accept_source_route - INTEGER +# accept_source_route - Text # Accept source routing (routing extension header). # -# >= 0: Accept only routing header type 2. -# < 0: Do not accept routing header. +# enable: Accept only routing header type 2. +# disable: Do not accept routing header. # -# Default: -1 +# Default: disable type: txt
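Review bot: When `/proc/sys/net/ipv6` is absent the new guards in `update:` and `delete:` turn the commit of `icmpv6-receive-redirects` into a silent no-op, whereas the init-script change in this same commit logs a warning; the configured value is accepted but never written, which is easy to miss when auditing a box. Consider an `else` branch in the same spirit, `else echo "IPv6 stack not loaded; icmpv6-receive-redirects not applied" >&2; fi`, or at least a comment such as `# no-op when the IPv6 stack is not loaded` above the test; the same applies to the `ipv6-src-route` template on the next line. Indentation inside the new `if` also appears uneven: in `update:` the `array=` and `array_len=` lines survive as unchanged context while `i=0` and the loop are re-added, and in `delete:` the `while`/`done` lines are unchanged while the lines between them are re-added, so the block does not read as one unit.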
@@ -20,21 +20,24 @@ default: "disable" syntax:expression: $VAR(@) in "enable", "disable"; "ipv6-src-route must be enable or disable" update: - array=(`ls /proc/sys/net/ipv6/conf/`) - array_len=${#array[*]} - i=0 - while [ $i -lt $array_len ]; do - if [ x$VAR(@) == xenable ]; then - sudo sh -c "echo 0 > \ - /proc/sys/net/ipv6/conf/${array[$i]%:*}/accept_source_route" - else - sudo sh -c "echo -1 > \ - /proc/sys/net/ipv6/conf/${array[$i]%:*}/accept_source_route" - fi - let i++ - done + if [ -d /proc/sys/net/ipv6 ]; then + array=(`ls /proc/sys/net/ipv6/conf/`) + array_len=${#array[*]} + i=0 + while [ $i -lt $array_len ]; do + if [ x$VAR(@) == xenable ]; then + sudo sh -c "echo 0 > \ + /proc/sys/net/ipv6/conf/${array[$i]%:*}/accept_source_route" + else + sudo sh -c "echo -1 > \ + /proc/sys/net/ipv6/conf/${array[$i]%:*}/accept_source_route" + fi + let i++ + done + fi delete: + if [ -d /proc/sys/net/ipv6 ]; then array=(`ls /proc/sys/net/ipv6/conf/`) array_len=${#array[*]} i=0
@@ -43,3 +46,4 @@ delete: /proc/sys/net/ipv6/conf/${array[$i]%:*}/accept_source_route" let i++ done + fi |
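Review bot: The re-added `update:` loop writes `0` for `enable` and `-1` for anything else, and that mapping is no longer explained anywhere now that the header hunk on the previous line replaced the kernel's INTEGER description with enable/disable wording; a comment above the `if [ x$VAR(@) == xenable ]` test would keep the knowledge in the file, e.g. `# accept_source_route sysctl: 0 = accept type-2 routing headers only, -1 = reject all routing headers`. The `delete:` hunk wraps the existing body in `if ... fi` without re-indenting it, unlike `update:`, so the two blocks now read differently; the loop body of `delete:` lies outside the visible hunk.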