CSF does not add UID based IPv6 rules
Posted: 16 May 2023, 08:39
Adding the following rules to /etc/csf/csf.allow:

tcp|out|u=0
udp|out|u=0

Adds the following rules to iptables:

# iptables-save | grep 'ALLOWOUT .*uid-owner'
-A ALLOWOUT ! -o lo -p udp -m owner --uid-owner 0 -j ACCEPT
-A ALLOWOUT ! -o lo -p tcp -m owner --uid-owner 0 -j ACCEPT

But does not add the same rules to ip6tables:

# ip6tables-save | grep 'ALLOWOUT .*uid-owner'

There is no other way to express that we want UID-based rules to be applied to IPv6 as well.
This issue causes some problems (and different IPv4/IPv6 behaviour) on dual-stack servers. Would it be possible to fix this issue?
The problem could be fixed by patching the main csf script to add UID-based rules via ip6tables as well:

# diff -u /usr/sbin/csf.orig /usr/sbin/csf
--- /usr/sbin/csf.orig 2023-04-18 12:02:42.000000000 +0200
+++ /usr/sbin/csf 2023-05-11 15:41:10.674793278 +0200
@@ -3663,11 +3663,20 @@
} else {
if ($chain) {
&syscommand(__LINE__,"$iptables $config{IPTABLESWAIT} $verbose -A $chainout $lineout $protocol $dport -m owner $uid $gid -j $pktout");
+ if ($config{IPV6}) {
+ &syscommand(__LINE__,"$config{IP6TABLES} $config{IPTABLESWAIT} $verbose -A $chainout $lineout $protocol $dport -m owner $uid $gid -j $pktout");
+ }
} else {
if ($delete) {
&syscommand(__LINE__,"$iptables $config{IPTABLESWAIT} $verbose -D $localout $lineout $protocol $dport -m owner $uid $gid -j $pktout");
+ if ($config{IPV6}) {
+ &syscommand(__LINE__,"$config{IP6TABLES} $config{IPTABLESWAIT} $verbose -D $localout $lineout $protocol $dport -m owner $uid $gid -j $pktout");
+ }
} else {
&syscommand(__LINE__,"$iptables $config{IPTABLESWAIT} $verbose $inadd $localout $lineout $protocol $dport -m owner $uid $gid -j $pktout");
+ if ($config{IPV6}) {
+ &syscommand(__LINE__,"$config{IP6TABLES} $config{IPTABLESWAIT} $verbose $inadd $localout $lineout $protocol $dport -m owner $uid $gid -j $pktout");
+ }
}
}
}
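Review bot: the three added `if ($config{IPV6})` blocks repeat each iptables command verbatim with only the binary swapped, so the IPv4 and IPv6 rule text can drift apart again the next time this branch is edited, which is the very divergence the post reports; consider issuing both commands from one place, for example by looping over `$iptables` and `$config{IP6TABLES}` when `$config{IPV6}` is set. Also note that the `-D` branch now tries to remove an IPv6 rule that earlier csf runs never added, so the first delete after applying the patch may surface an error from ip6tables about a rule that does not exist.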
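A parity check for the divergence described in the post, as an added example that is not part of the post or of csf: it reads an iptables-save dump and an ip6tables-save dump and lists every ALLOWOUT owner rule that exists for IPv4 but not for IPv6. The chain name ALLOWOUT and the sample dumps are taken from the post; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the post or from csf: check that the UID/GID owner
# rules in the ALLOWOUT chain of an iptables-save dump also exist in the
# ip6tables-save dump, which is exactly the divergence the post describes.
# Usage: owner_rule_parity <iptables-save file> <ip6tables-save file>
# Exit status 0 = parity, 1 = at least one rule is missing on the IPv6 side.

# Rules the owner match produced for csf.allow "u=" / "g=" entries.
owner_rules() {
    grep -E '^-A ALLOWOUT .*-m owner --(uid|gid)-owner' "$1" | sort -u
}

owner_rule_parity() {
    # Every IPv4 owner rule must appear verbatim in the IPv6 dump.
    missing=$(owner_rules "$1" | while IFS= read -r rule; do
        grep -qxF -e "$rule" "$2" || printf '%s\n' "$rule"
    done)
    if [ -n "$missing" ]; then
        printf 'owner rules in %s with no IPv6 counterpart in %s:\n%s\n' \
            "$1" "$2" "$missing"
        return 1
    fi
    printf 'OK: ALLOWOUT owner rules match between %s and %s\n' "$1" "$2"
}

# Constructed sample dumps mirroring the post: IPv4 carries the two u=0
# rules, the IPv6 table has an unrelated rule and none of them.
v4dump=$(mktemp) && v6dump=$(mktemp)
trap 'rm -f "$v4dump" "$v6dump"' EXIT
cat > "$v4dump" <<'EOF'
*filter
-A ALLOWOUT ! -o lo -p udp -m owner --uid-owner 0 -j ACCEPT
-A ALLOWOUT ! -o lo -p tcp -m owner --uid-owner 0 -j ACCEPT
COMMIT
EOF
cat > "$v6dump" <<'EOF'
*filter
-A ALLOWOUT ! -o lo -p tcp -m multiport --dports 53 -j ACCEPT
COMMIT
EOF

if owner_rule_parity "$v4dump" "$v6dump"; then
    echo "dual-stack rules agree"
else
    echo "exit status 1: IPv4 and IPv6 owner rules have diverged"
fi
```

On a live dual-stack host, feed it real dumps (`iptables-save > /tmp/v4; ip6tables-save > /tmp/v6; owner_rule_parity /tmp/v4 /tmp/v6`) after `csf -r` to confirm that every `u=`/`g=` entry in csf.allow reached both tables.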