-rw-r--r-- | scripts/firewall/firewall.init.in | 23 | ||||
-rw-r--r-- | templates/firewall/ipv6-receive-redirects/node.def | 42 | ||||
-rw-r--r-- | templates/firewall/ipv6-src-route/node.def | 38 |
3 files changed, 58 insertions, 45 deletions
diff --git a/scripts/firewall/firewall.init.in b/scripts/firewall/firewall.init.in
index ea60955..c3a0115 100644
--- a/scripts/firewall/firewall.init.in
+++ b/scripts/firewall/firewall.init.in
@@ -44,6 +44,7 @@ declare -a modules=(
 ## setup firewall & nat conntrack modules
 start () {
+
 for mod in ${modules[@]} ; do
 modprobe --syslog $mod
 done
@@ -53,9 +54,19 @@ start () {
 iptables -t raw -A PREROUTING -j NOTRACK
 iptables -t raw -A OUTPUT -j NOTRACK
- # set up notrack chains/rules for IPv6
- ip6tables -t raw -A PREROUTING -j NOTRACK
- ip6tables -t raw -A OUTPUT -j NOTRACK
+ if [ -d /proc/sys/net/ipv6 ] ; then
+ # set up notrack chains/rules for IPv6
+ ip6tables -t raw -A PREROUTING -j NOTRACK
+ ip6tables -t raw -A OUTPUT -j NOTRACK
+
+ # set up post-firewall hook for IPv6
+ ip6tables -N VYATTA_POST_FW_HOOK
+ ip6tables -A VYATTA_POST_FW_HOOK -j ACCEPT
+ ip6tables -A INPUT -j VYATTA_POST_FW_HOOK
+ ip6tables -A FORWARD -j VYATTA_POST_FW_HOOK
+ else
+ logger -t "Vyatta firewall init" -p warning "Kernel IPv6 support disabled. Not initializing IPv6 firewall"
+ fi
 # set up post-firewall hook for IPv4
 iptables -N VYATTA_POST_FW_HOOK
@@ -63,12 +74,6 @@ start () {
 iptables -A INPUT -j VYATTA_POST_FW_HOOK
 iptables -A FORWARD -j VYATTA_POST_FW_HOOK
- # set up post-firewall hook for IPv6
- ip6tables -N VYATTA_POST_FW_HOOK
- ip6tables -A VYATTA_POST_FW_HOOK -j ACCEPT
- ip6tables -A INPUT -j VYATTA_POST_FW_HOOK
- ip6tables -A FORWARD -j VYATTA_POST_FW_HOOK
-
 # set up pre-SNAT hook
 iptables -t nat -N VYATTA_PRE_SNAT_HOOK
 iptables -t nat -A VYATTA_PRE_SNAT_HOOK -j RETURN
diff --git a/templates/firewall/ipv6-receive-redirects/node.def b/templates/firewall/ipv6-receive-redirects/node.def
index 5ca9e49..a7bd2c8 100644
--- a/templates/firewall/ipv6-receive-redirects/node.def
+++ b/templates/firewall/ipv6-receive-redirects/node.def
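Review bot: The `[ -d /proc/sys/net/ipv6 ]` test in the second hunk is a point-in-time check: if the ipv6 module is loaded later (by an interface configuration or a manual modprobe), the kernel's IPv6 stack comes up with none of the NOTRACK rules or the VYATTA_POST_FW_HOOK chain that this branch would have created, and the warning in the else branch is the only trace of it. Anything that later appends to the IPv6 VYATTA_POST_FW_HOOK chain will presumably fail on the missing chain, so consider either adding ipv6 to the `modules` array loaded in the first hunk (its contents are outside this hunk) or re-running this block from the code path that brings IPv6 up, and record the limitation next to the test: `# IPv6 is only set up if the kernel has it at start time; loading ipv6 later leaves it unfiltered`. The same guard is presumably needed wherever the stop path issues ip6tables commands; that code is outside these hunks. Minor style: the blank line added after `start () {` in the first hunk is unrelated noise, and `] ; then` here differs from the `]; then` form used in the node.def files of this commit.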
@@ -15,26 +15,30 @@ default: "disable"
 syntax:expression: $VAR(@) in "enable", "disable"; "icmpv6-receive-redirects must be enable or disable"
 update:
- array=(`ls /proc/sys/net/ipv6/conf/`)
- array_len=${#array[*]}
- i=0
- while [ $i -lt $array_len ]; do
- if [ x$VAR(@) == xenable ]; then
- sudo sh -c "echo 1 > \
- /proc/sys/net/ipv6/conf/${array[$i]%:*}/accept_redirects"
- else
- sudo sh -c "echo 0 > \
- /proc/sys/net/ipv6/conf/${array[$i]%:*}/accept_redirects"
- fi
- let i++
- done
-
-delete:
+ if [ -d /proc/sys/net/ipv6 ]; then
 array=(`ls /proc/sys/net/ipv6/conf/`)
 array_len=${#array[*]}
- i=0
+ i=0
+ while [ $i -lt $array_len ]; do
+ if [ x$VAR(@) == xenable ]; then
+ sudo sh -c "echo 1 > \
+ /proc/sys/net/ipv6/conf/${array[$i]%:*}/accept_redirects"
+ else
+ sudo sh -c "echo 0 > \
+ /proc/sys/net/ipv6/conf/${array[$i]%:*}/accept_redirects"
+ fi
+ let i++
+ done
+ fi
+
+delete:
+ if [ -d /proc/sys/net/ipv6 ]; then
+ array=(`ls /proc/sys/net/ipv6/conf/`)
+ array_len=${#array[*]}
+ i=0
 while [ $i -lt $array_len ]; do
- sudo sh -c "echo 0 > \
- /proc/sys/net/ipv6/conf/${array[$i]%:*}/accept_redirects"
- let i++
+ sudo sh -c "echo 0 > \
+ /proc/sys/net/ipv6/conf/${array[$i]%:*}/accept_redirects"
+ let i++
 done
+ fi
diff --git a/templates/firewall/ipv6-src-route/node.def b/templates/firewall/ipv6-src-route/node.def
index be69afe..ec88393 100644
--- a/templates/firewall/ipv6-src-route/node.def
+++ b/templates/firewall/ipv6-src-route/node.def
@@ -1,10 +1,10 @@
-# accept_source_route - INTEGER
+# accept_source_route - Text
 # Accept source routing (routing extension header).
 #
-# >= 0: Accept only routing header type 2.
-# < 0: Do not accept routing header.
+# enable: Accept only routing header type 2.
+# disable: Do not accept routing header.
 #
-# Default: -1
+# Default: disable
 type: txt
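Review bot: In the rebuilt update action the lines inside the new `if [ -d /proc/sys/net/ipv6 ]` are not indented under it (the `array=` and `array_len=` context lines keep their old indentation and the re-added `while`/`done` sit at the same level as the `if`), so the extent of the guard is hard to read. Since the loop is being re-added anyway, iterating the per-interface directories with a glob instead of parsing `ls` removes the index arithmetic and the `${array[$i]%:*}` suffix stripping, which looks like a leftover from IPv4 alias names and is presumably a no-op here because Linux device names cannot contain a colon; keep it if an interface directory with a colon is expected on this platform. The `delete` action below would shrink to the same loop with the value fixed to 0. The src-route header hunk that follows is documentation only.
```shell
update:
	if [ -d /proc/sys/net/ipv6 ]; then
	    if [ x$VAR(@) == xenable ]; then val=1; else val=0; fi
	    for conf in /proc/sys/net/ipv6/conf/*/; do
	        sudo sh -c "echo $val > ${conf}accept_redirects"
	    done
	fi
```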
@@ -20,21 +20,24 @@ default: "disable"
 syntax:expression: $VAR(@) in "enable", "disable"; "ipv6-src-route must be enable or disable"
 update:
- array=(`ls /proc/sys/net/ipv6/conf/`)
- array_len=${#array[*]}
- i=0
- while [ $i -lt $array_len ]; do
- if [ x$VAR(@) == xenable ]; then
- sudo sh -c "echo 0 > \
- /proc/sys/net/ipv6/conf/${array[$i]%:*}/accept_source_route"
- else
- sudo sh -c "echo -1 > \
- /proc/sys/net/ipv6/conf/${array[$i]%:*}/accept_source_route"
- fi
- let i++
- done
+ if [ -d /proc/sys/net/ipv6 ]; then
+ array=(`ls /proc/sys/net/ipv6/conf/`)
+ array_len=${#array[*]}
+ i=0
+ while [ $i -lt $array_len ]; do
+ if [ x$VAR(@) == xenable ]; then
+ sudo sh -c "echo 0 > \
+ /proc/sys/net/ipv6/conf/${array[$i]%:*}/accept_source_route"
+ else
+ sudo sh -c "echo -1 > \
+ /proc/sys/net/ipv6/conf/${array[$i]%:*}/accept_source_route"
+ fi
+ let i++
+ done
+ fi
 delete:
+ if [ -d /proc/sys/net/ipv6 ]; then
 array=(`ls /proc/sys/net/ipv6/conf/`)
 array_len=${#array[*]}
 i=0
@@ -43,3 +46,4 @@ delete:
 /proc/sys/net/ipv6/conf/${array[$i]%:*}/accept_source_route"
 let i++
 done
+ fi
|
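Review bot: When the kernel has no IPv6 the new guard makes the `update:` action succeed silently, so a commit of `firewall ipv6-src-route` (enable or disable) reports success although nothing was written; the firewall init script changed in this same commit logs a warning for the identical condition, and the template should be consistent with it. Adding an else branch before the closing `fi` of the update action, `else echo "Warning: kernel IPv6 support disabled; ipv6-src-route not applied"`, gives the operator that feedback at commit time, assuming, as appears usual for these actions, that their stdout reaches the committing user. The `delete:` action is split across the two hunks here, so part of its body is outside what is shown; the `fi` added in the last hunk pairs with the `if` opened in the first, but the loop body between them is not visible.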