
Patch for Tunneled IPv6

Posted: 20 Aug 2012, 21:03
by user4473
Hi,

I use CSF Firewall on multiple generic boxes/networks (without cPanel) and I think it's great! It saves so much time and hassle. I even use it on the router for my home LAN. Many thanks to the devs.

Unfortunately some of the networks I'm on do not yet have native IPv6, so instead I use a tunnel service such as Hurricane Electric's tunnelbroker. Using a tunnel adds an additional interface to the machine (sit0, tun0, or a user-defined label). The problem is the way CSF generates its ip6tables rules: it assumes that all IPv6 traffic goes natively through the ETH_DEVICE (eth+) interfaces. Rules written that way never match the tunnel interface, so tunneled IPv6 does not work.

I suggest adding a config option, IPV6_TUNNEL_DEVICE, in which the user can manually set the name of the tunnel interface.
I have created an unofficial patch against the current version 5.60 that implements this functionality.


csf.conf


# User-defined IPv6 tunnel interface (e.g. sit0, tun0, or a user-defined label
# such as the one created for a 6in4 tunnel broker).
# When IPV6 is enabled and this is set, every ip6tables rule that csf would
# normally generate for ETH_DEVICE (-i/-o) is generated for this interface
# INSTEAD, so csf's ip6tables rules no longer match IPv6 packets on ETH_DEVICE.
# Leave empty if using native IPv6; the ip6tables rules then use ETH_DEVICE.
# NOTE: the value is interpolated into the ip6tables command line as-is and is
# not validated, so use the exact interface name with no whitespace.
IPV6_TUNNEL_DEVICE="hetunnel"
csf.patch


--- a/csf-dot-pl	2012-08-20 09:00:29.000000000 -0500
+++ b/csf-dot-pl	2012-08-20 14:36:49.218025364 -0500
@@ -18,7 +18,7 @@ use Socket;
 
 our (%input, %config, $verbose, $version, %ips, %ifaces, %messengerports,
      $logmodule, $noowner, %sanity, %sanitydefault, $warning, $accept,
-	 $ipscidr, $ipv6reg, $ipv4reg, $nonat, $ethdevin, $ethdevout, $ipscidr6);
+	 $ipscidr, $ipv6reg, $ipv4reg, $nonat, $ethdevin, $ethdevout, $ipv6ethdevout, $ipv6ethdevin, $ipscidr6);
 
 $version = &version;
 $ipscidr6 = Net::CIDR::Lite->new;
@@ -585,8 +585,8 @@ sub dostart {
 	if ($config{IPV6}) {
 		&syscommand(__LINE__,"$config{IP6TABLES} $verbose -I INPUT  -i lo -j $accept");
 		&syscommand(__LINE__,"$config{IP6TABLES} $verbose -I OUTPUT -o lo -j $accept");
-		&syscommand(__LINE__,"$config{IP6TABLES} $verbose -A OUTPUT $ethdevout -j LOGDROPOUT");
-		&syscommand(__LINE__,"$config{IP6TABLES} $verbose -A INPUT $ethdevin -j LOGDROPIN");
+		&syscommand(__LINE__,"$config{IP6TABLES} $verbose -A OUTPUT $ipv6ethdevout -j LOGDROPOUT");
+		&syscommand(__LINE__,"$config{IP6TABLES} $verbose -A INPUT $ipv6ethdevin -j LOGDROPIN");
 	}
 
 	unless ($config{DNS_STRICT}) {
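Review bot: Once IPV6_TUNNEL_DEVICE is set, the LOGDROPOUT/LOGDROPIN catch-all rules on the added lines are appended only for the tunnel interface, and no ip6tables rule anywhere in this patch is generated for ETH_DEVICE any more, so IPv6 packets on the physical interface (link-local traffic, or native IPv6 if the host later gets it) fall through to whatever the INPUT/OUTPUT chain policy is instead of being logged and dropped. The patch substitutes the tunnel for ETH_DEVICE rather than adding it. Because an ip6tables rule takes only one `-i`/`-o`, the safer shape is to keep the existing `$ethdevin`/`$ethdevout` rules and emit a second copy for the tunnel, or at minimum append `$config{IP6TABLES} $verbose -A INPUT $ethdevin -j LOGDROPIN` (and the OUTPUT counterpart) next to the new lines whenever the two interfaces differ. Whether the chain policies are set to DROP elsewhere in dostart is outside this hunk, so the actual exposure depends on that.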
@@ -595,10 +595,10 @@ sub dostart {
 		&syscommand(__LINE__,"$config{IPTABLES} $verbose -I OUTPUT $ethdevout -p udp --dport 53 -j $accept");
 		&syscommand(__LINE__,"$config{IPTABLES} $verbose -I OUTPUT $ethdevout -p tcp --dport 53 -j $accept");
 		if ($config{IPV6}) {
-			&syscommand(__LINE__,"$config{IP6TABLES} $verbose -I OUTPUT $ethdevout -p udp --sport 53 -j $accept");
-			&syscommand(__LINE__,"$config{IP6TABLES} $verbose -I OUTPUT $ethdevout -p tcp --sport 53 -j $accept");
-			&syscommand(__LINE__,"$config{IP6TABLES} $verbose -I OUTPUT $ethdevout -p udp --dport 53 -j $accept");
-			&syscommand(__LINE__,"$config{IP6TABLES} $verbose -I OUTPUT $ethdevout -p tcp --dport 53 -j $accept");
+			&syscommand(__LINE__,"$config{IP6TABLES} $verbose -I OUTPUT $ipv6ethdevout -p udp --sport 53 -j $accept");
+			&syscommand(__LINE__,"$config{IP6TABLES} $verbose -I OUTPUT $ipv6ethdevout -p tcp --sport 53 -j $accept");
+			&syscommand(__LINE__,"$config{IP6TABLES} $verbose -I OUTPUT $ipv6ethdevout -p udp --dport 53 -j $accept");
+			&syscommand(__LINE__,"$config{IP6TABLES} $verbose -I OUTPUT $ipv6ethdevout -p tcp --dport 53 -j $accept");
 		}
 	}
 
@@ -657,8 +657,8 @@ sub dostart {
 	&syscommand(__LINE__,"$config{IPTABLES} $verbose -I OUTPUT $skipout $ethdevout -j LOCALOUTPUT");
 	&syscommand(__LINE__,"$config{IPTABLES} $verbose -I INPUT $skipin $ethdevin -j LOCALINPUT");
 	if ($config{IPV6}) {
-		&syscommand(__LINE__,"$config{IP6TABLES} $verbose -I OUTPUT $ethdevout -j LOCALOUTPUT");
-		&syscommand(__LINE__,"$config{IP6TABLES} $verbose -I INPUT $ethdevin -j LOCALINPUT");
+		&syscommand(__LINE__,"$config{IP6TABLES} $verbose -I OUTPUT $ipv6ethdevout -j LOCALOUTPUT");
+		&syscommand(__LINE__,"$config{IP6TABLES} $verbose -I INPUT $ipv6ethdevin -j LOCALINPUT");
 	}
 
 	$config{ETH_DEVICE_SKIP} =~ s/\s//g;
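Review bot: The new IPv6 LOCALINPUT/LOCALOUTPUT jumps on the added lines carry no `$skipin`/`$skipout` term, while the IPv4 lines directly above do, so whatever those variables exclude (presumably the ETH_DEVICE_SKIP interfaces, given the processing on the following line) is still filtered on the IPv6 side. The removed lines lacked the terms as well, so this appears to predate the patch, but the rewrite is the natural point to decide whether the tunnel rules should honour the same skip list. If they should, `-I INPUT $skipin $ipv6ethdevin -j LOCALINPUT` and `-I OUTPUT $skipout $ipv6ethdevout -j LOCALOUTPUT` mirror the IPv4 lines; if not, a one-line comment saying the skip list is IPv4-only would stop the next reader from asking. dostart continues on both sides of this hunk.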
@@ -1141,8 +1141,8 @@ sub dopacketfilters {
 		&syscommand(__LINE__,"$config{IPTABLES} $verbose -I OUTPUT $ethdevout -p tcp -j INVALID");
 		if ($config{IPV6} and $config{IPV6_SPI}) {
 			&syscommand(__LINE__,"$config{IP6TABLES} $verbose -A INVDROP -j $config{DROP}");
-			&syscommand(__LINE__,"$config{IP6TABLES} $verbose -I INPUT $ethdevin -p tcp -j INVALID");
-			&syscommand(__LINE__,"$config{IP6TABLES} $verbose -I OUTPUT $ethdevout -p tcp -j INVALID");
+			&syscommand(__LINE__,"$config{IP6TABLES} $verbose -I INPUT $ipv6ethdevin -p tcp -j INVALID");
+			&syscommand(__LINE__,"$config{IP6TABLES} $verbose -I OUTPUT $ipv6ethdevout -p tcp -j INVALID");
 		}
 	}
 }
@@ -1182,8 +1182,8 @@ sub doportfilters {
 		&syscommand(__LINE__,"$config{IPTABLES} $verbose -A LOCALINPUT $ethdevin -j GDENYIN");
 		&syscommand(__LINE__,"$config{IPTABLES} $verbose -A LOCALOUTPUT $ethdevout -j GDENYOUT");
 		if ($config{IPV6}) {
-			&syscommand(__LINE__,"$config{IP6TABLES} $verbose -A LOCALINPUT $ethdevin -j GDENYIN");
-			&syscommand(__LINE__,"$config{IP6TABLES} $verbose -A LOCALOUTPUT $ethdevout -j GDENYOUT");
+			&syscommand(__LINE__,"$config{IP6TABLES} $verbose -A LOCALINPUT $ipv6ethdevin -j GDENYIN");
+			&syscommand(__LINE__,"$config{IP6TABLES} $verbose -A LOCALOUTPUT $ipv6ethdevout -j GDENYOUT");
 		}
 	}
 
@@ -1318,8 +1318,8 @@ sub doportfilters {
 		&syscommand(__LINE__,"$config{IPTABLES} $verbose -I LOCALINPUT $ethdevin -j GALLOWIN");
 		&syscommand(__LINE__,"$config{IPTABLES} $verbose -I LOCALOUTPUT $ethdevout -j GALLOWOUT");
 		if ($config{IPV6}) {
-			&syscommand(__LINE__,"$config{IP6TABLES} $verbose -I LOCALINPUT $ethdevin -j GALLOWIN");
-			&syscommand(__LINE__,"$config{IP6TABLES} $verbose -I LOCALOUTPUT $ethdevout -j GALLOWOUT");
+			&syscommand(__LINE__,"$config{IP6TABLES} $verbose -I LOCALINPUT $ipv6ethdevin -j GALLOWIN");
+			&syscommand(__LINE__,"$config{IP6TABLES} $verbose -I LOCALOUTPUT $ipv6ethdevout -j GALLOWOUT");
 		}
 	}
 
@@ -1570,8 +1570,8 @@ sub doportfilters {
 	&syscommand(__LINE__,"$config{IPTABLES} $verbose -A INPUT $ethdevin -m state --state ESTABLISHED,RELATED -j $accept");
 	&syscommand(__LINE__,"$config{IPTABLES} $verbose -A OUTPUT $ethdevout -m state --state ESTABLISHED,RELATED -j $accept");
 	if ($config{IPV6} and $config{IPV6_SPI}) {
-		&syscommand(__LINE__,"$config{IP6TABLES} $verbose -A INPUT $ethdevin -m state --state ESTABLISHED,RELATED -j $accept");
-		&syscommand(__LINE__,"$config{IP6TABLES} $verbose -A OUTPUT $ethdevout -m state --state ESTABLISHED,RELATED -j $accept");
+		&syscommand(__LINE__,"$config{IP6TABLES} $verbose -A INPUT $ipv6ethdevin -m state --state ESTABLISHED,RELATED -j $accept");
+		&syscommand(__LINE__,"$config{IP6TABLES} $verbose -A OUTPUT $ipv6ethdevout -m state --state ESTABLISHED,RELATED -j $accept");
 	}
 
 	$config{PORTKNOCKING} =~ s/\s//g;
@@ -1618,9 +1618,9 @@ sub doportfilters {
 			if ($port eq "") {next}
 			if ($port !~ /^[\d:]*$/) {&error(__LINE__,"Invalid TCP6_IN port [$port]")}
 			if ($config{IPV6_SPI}) {
-				&syscommand(__LINE__,"$config{IP6TABLES} $verbose -A INPUT $ethdevin -p tcp -m state --state NEW --dport $port -j $accept");
+				&syscommand(__LINE__,"$config{IP6TABLES} $verbose -A INPUT $ipv6ethdevin -p tcp -m state --state NEW --dport $port -j $accept");
 			} else {
-				&syscommand(__LINE__,"$config{IP6TABLES} $verbose -A INPUT $ethdevin -p tcp --dport $port -j $accept");
+				&syscommand(__LINE__,"$config{IP6TABLES} $verbose -A INPUT $ipv6ethdevin -p tcp --dport $port -j $accept");
 			}
 		}
 	}
@@ -1639,9 +1639,9 @@ sub doportfilters {
 			if ($port eq "") {next}
 			if ($port !~ /^[\d:]*$/) {&error(__LINE__,"Invalid TCP6_OUT port [$port]")}
 			if ($config{IPV6_SPI}) {
-				&syscommand(__LINE__,"$config{IP6TABLES} $verbose -A OUTPUT $ethdevout -p tcp -m state --state NEW --dport $port -j $accept");
+				&syscommand(__LINE__,"$config{IP6TABLES} $verbose -A OUTPUT $ipv6ethdevout -p tcp -m state --state NEW --dport $port -j $accept");
 			} else {
-				&syscommand(__LINE__,"$config{IP6TABLES} $verbose -A OUTPUT $ethdevout -p tcp --dport $port -j $accept");
+				&syscommand(__LINE__,"$config{IP6TABLES} $verbose -A OUTPUT $ipv6ethdevout -p tcp --dport $port -j $accept");
 			}
 		}
 	}
@@ -1660,9 +1660,9 @@ sub doportfilters {
 			if ($port eq "") {next}
 			if ($port !~ /^[\d:]*$/) {&error(__LINE__,"Invalid UDP6_IN port [$port]")}
 			if ($config{IPV6_SPI}) {
-				&syscommand(__LINE__,"$config{IP6TABLES} $verbose -A INPUT $ethdevin -p udp -m state --state NEW --dport $port -j $accept");
+				&syscommand(__LINE__,"$config{IP6TABLES} $verbose -A INPUT $ipv6ethdevin -p udp -m state --state NEW --dport $port -j $accept");
 			} else {
-				&syscommand(__LINE__,"$config{IP6TABLES} $verbose -A INPUT $ethdevin -p udp --dport $port -j $accept");
+				&syscommand(__LINE__,"$config{IP6TABLES} $verbose -A INPUT $ipv6ethdevin -p udp --dport $port -j $accept");
 			}
 		}
 	}
@@ -1681,9 +1681,9 @@ sub doportfilters {
 			if ($port eq "") {next}
 			if ($port !~ /^[\d:]*$/) {&error(__LINE__,"Invalid UDP6_OUT port [$port]")}
 			if ($config{IPV6_SPI}) {
-				&syscommand(__LINE__,"$config{IP6TABLES} $verbose -A OUTPUT $ethdevout -p udp -m state --state NEW --dport $port -j $accept");
+				&syscommand(__LINE__,"$config{IP6TABLES} $verbose -A OUTPUT $ipv6ethdevout -p udp -m state --state NEW --dport $port -j $accept");
 			} else {
-				&syscommand(__LINE__,"$config{IP6TABLES} $verbose -A OUTPUT $ethdevout -p udp --dport $port -j $accept");
+				&syscommand(__LINE__,"$config{IP6TABLES} $verbose -A OUTPUT $ipv6ethdevout -p udp --dport $port -j $accept");
 			}
 		}
 	}
@@ -1715,21 +1715,21 @@ sub doportfilters {
 
 	if ($config{IPV6}) {
 		if ($config{IPV6_ICMP_STRICT}) {
-			&syscommand(__LINE__,"$config{IP6TABLES} $verbose  -A INPUT $ethdevin -p icmpv6 --icmpv6-type destination-unreachable -j $accept");
-			&syscommand(__LINE__,"$config{IP6TABLES} $verbose  -A INPUT $ethdevin -p icmpv6 --icmpv6-type packet-too-big -j $accept");
-			&syscommand(__LINE__,"$config{IP6TABLES} $verbose  -A INPUT $ethdevin -p icmpv6 --icmpv6-type time-exceeded -j $accept");
-			&syscommand(__LINE__,"$config{IP6TABLES} $verbose  -A INPUT $ethdevin -p icmpv6 --icmpv6-type parameter-problem -j $accept");
-			&syscommand(__LINE__,"$config{IP6TABLES} $verbose  -A INPUT $ethdevin -p icmpv6 --icmpv6-type echo-request -j $accept");
-			&syscommand(__LINE__,"$config{IP6TABLES} $verbose  -A INPUT $ethdevin -p icmpv6 --icmpv6-type echo-reply -j $accept");
-			&syscommand(__LINE__,"$config{IP6TABLES} $verbose  -A INPUT $ethdevin -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j $accept");
-			&syscommand(__LINE__,"$config{IP6TABLES} $verbose  -A INPUT $ethdevin -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j $accept");
-			&syscommand(__LINE__,"$config{IP6TABLES} $verbose  -A INPUT $ethdevin -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j $accept");
-			&syscommand(__LINE__,"$config{IP6TABLES} $verbose  -A INPUT $ethdevin -p icmpv6 --icmpv6-type redirect -m hl --hl-eq 255 -j $accept");
+			&syscommand(__LINE__,"$config{IP6TABLES} $verbose  -A INPUT $ipv6ethdevin -p icmpv6 --icmpv6-type destination-unreachable -j $accept");
+			&syscommand(__LINE__,"$config{IP6TABLES} $verbose  -A INPUT $ipv6ethdevin -p icmpv6 --icmpv6-type packet-too-big -j $accept");
+			&syscommand(__LINE__,"$config{IP6TABLES} $verbose  -A INPUT $ipv6ethdevin -p icmpv6 --icmpv6-type time-exceeded -j $accept");
+			&syscommand(__LINE__,"$config{IP6TABLES} $verbose  -A INPUT $ipv6ethdevin -p icmpv6 --icmpv6-type parameter-problem -j $accept");
+			&syscommand(__LINE__,"$config{IP6TABLES} $verbose  -A INPUT $ipv6ethdevin -p icmpv6 --icmpv6-type echo-request -j $accept");
+			&syscommand(__LINE__,"$config{IP6TABLES} $verbose  -A INPUT $ipv6ethdevin -p icmpv6 --icmpv6-type echo-reply -j $accept");
+			&syscommand(__LINE__,"$config{IP6TABLES} $verbose  -A INPUT $ipv6ethdevin -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j $accept");
+			&syscommand(__LINE__,"$config{IP6TABLES} $verbose  -A INPUT $ipv6ethdevin -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j $accept");
+			&syscommand(__LINE__,"$config{IP6TABLES} $verbose  -A INPUT $ipv6ethdevin -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j $accept");
+			&syscommand(__LINE__,"$config{IP6TABLES} $verbose  -A INPUT $ipv6ethdevin -p icmpv6 --icmpv6-type redirect -m hl --hl-eq 255 -j $accept");
 		} else {
-			&syscommand(__LINE__,"$config{IP6TABLES} $verbose  -A INPUT $ethdevin -p icmpv6 -j $accept");
+			&syscommand(__LINE__,"$config{IP6TABLES} $verbose  -A INPUT $ipv6ethdevin -p icmpv6 -j $accept");
 		}
 
-		&syscommand(__LINE__,"$config{IP6TABLES} $verbose  -A OUTPUT $ethdevout -p icmpv6 -j $accept");
+		&syscommand(__LINE__,"$config{IP6TABLES} $verbose  -A OUTPUT $ipv6ethdevout -p icmpv6 -j $accept");
 #		&syscommand(__LINE__,"$config{IP6TABLES} $verbose  -A OUTPUT $ethdevout -p icmpv6 --icmpv6-type destination-unreachable -j $accept");
 #		&syscommand(__LINE__,"$config{IP6TABLES} $verbose  -A OUTPUT $ethdevout -p icmpv6 --icmpv6-type packet-too-big -j $accept");
 #		&syscommand(__LINE__,"$config{IP6TABLES} $verbose  -A OUTPUT $ethdevout -p icmpv6 --icmpv6-type time-exceeded -j $accept");
@@ -2007,6 +2007,13 @@ sub getethdev {
 		$ethdevin = "-i $config{ETH_DEVICE}";
 		$ethdevout = "-o $config{ETH_DEVICE}";
 	}
+	if ($config{IPV6} && $config{IPV6_TUNNEL_DEVICE}) {
+		$ipv6ethdevin = "-i $config{IPV6_TUNNEL_DEVICE}";
+		$ipv6ethdevout = "-o $config{IPV6_TUNNEL_DEVICE}";
+	} else {
+		$ipv6ethdevin = $ethdevin;
+		$ipv6ethdevout = $ethdevout;
+	}
 
 	if ($config{ETH_DEVICE} =~ /\+$/) {return}
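Review bot: IPV6_TUNNEL_DEVICE is interpolated straight into the `-i`/`-o` strings on the added lines with no validation and no whitespace stripping, unlike the port values that doportfilters rejects with `&error` and ETH_DEVICE_SKIP, whose whitespace dostart removes with `s/\s//g`. A stray space or an unexpected character in csf.conf would yield a malformed ip6tables rule at startup, or, if syscommand passes the string through a shell (not visible here), alter the command itself. Add `$config{IPV6_TUNNEL_DEVICE} =~ s/\s//g;` before the test and reject anything that is not an interface name inside the branch, e.g. `if ($config{IPV6_TUNNEL_DEVICE} !~ /^[\w.:+-]+$/) {&error(__LINE__,"Invalid IPV6_TUNNEL_DEVICE [$config{IPV6_TUNNEL_DEVICE}]")}`. A short comment on the else branch, such as `# no tunnel configured: IPv6 rules follow ETH_DEVICE`, would also help, since the variable names alone do not say that. getethdev continues past the end of this hunk.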

Re: Patch for Tunneled IPv6

Posted: 08 Oct 2012, 09:43
by chirpy
We'll look at having a separate setting for ipv6 interfaces in the future.