From b50f5f2cbc68c35aede11d79d5ec6f5833da5eb7 Mon Sep 17 00:00:00 2001 From: Bob Gilligan Date: Mon, 13 Apr 2009 15:14:33 -0700 Subject: Add conntrack and post firewall hooks for IPv6. --- scripts/firewall/firewall.init.in | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/scripts/firewall/firewall.init.in b/scripts/firewall/firewall.init.in index e084fcf..f3b20b6 100644 --- a/scripts/firewall/firewall.init.in +++ b/scripts/firewall/firewall.init.in @@ -48,20 +48,27 @@ start () { modprobe --syslog $mod done - # set up notrack chains/rules + # set up notrack chains/rules for IPv4 # by default, nothing is tracked. iptables -t raw -A PREROUTING -j NOTRACK iptables -t raw -A OUTPUT -j NOTRACK + + # set up notrack chains/rules for IPv6 + ip6tables -t raw -A PREROUTING -j NOTRACK + ip6tables -t raw -A OUTPUT -j NOTRACK - # set up post-firewall hook + # set up post-firewall hook for IPv4 iptables -N VYATTA_POST_FW_HOOK iptables -A VYATTA_POST_FW_HOOK -j ACCEPT - - # enforce strict host matching (see bug 4061) iptables -A INPUT -j VYATTA_POST_FW_HOOK - iptables -A FORWARD -j VYATTA_POST_FW_HOOK + # set up post-firewall hook for IPv6 + ip6tables -N VYATTA_POST_FW_HOOK + ip6tables -A VYATTA_POST_FW_HOOK -j ACCEPT + ip6tables -A INPUT -j VYATTA_POST_FW_HOOK + ip6tables -A FORWARD -j VYATTA_POST_FW_HOOK + # set up pre-SNAT hook iptables -t nat -N VYATTA_PRE_SNAT_HOOK iptables -t nat -A VYATTA_PRE_SNAT_HOOK -j RETURN -- cgit v1.2.3
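Review bot: The new `ip6tables -N VYATTA_POST_FW_HOOK` and the four `ip6tables -A` hook/NOTRACK rules added in start() have no visible IPv6 teardown, so unless the stop/restart path (outside this hunk) also flushes the ip6tables raw table and removes VYATTA_POST_FW_HOOK, a second start will hit "chain already exists" on `-N` and append duplicate NOTRACK and hook rules on the IPv6 side while the IPv4 side is presumably cleaned. I would mirror whatever cleanup exists for iptables with the ip6tables equivalents: delete the INPUT/FORWARD jumps, then `ip6tables -F VYATTA_POST_FW_HOOK`, `ip6tables -X VYATTA_POST_FW_HOOK` and `ip6tables -t raw -F`. None of the new ip6tables calls check their exit status, so on a kernel without IPv6 netfilter support the IPv6 hooks would be silently absent while IPv4 is fully configured; a comment such as `# ip6tables failures are not fatal: IPv6 hooks are best-effort where ip6_tables is unavailable` would make that explicit, and the module list consumed by the `modprobe --syslog $mod` loop above should include ip6_tables/ip6table_raw/ip6table_filter if it does not already (the list is not visible here). The start() function begins before this hunk and continues after it.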