From 319d670437622a84a5af5266c2f5e18c08b03e12 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20M=E4kinen?=
Date: Thu, 6 May 2010 21:36:01 +0300
Subject: [PATCH] Initial support for ipv6 firewall in linux iptables.
---
 firewall/manifests/init.pp | 23 ++++++++++++++++++++++-
 firewall/templates/ip6tables.erb | 26 ++++++++++++++++++++++++++
 firewall/templates/iptables.erb | 14 ++++++++++----
 3 files changed, 58 insertions(+), 5 deletions(-)
 create mode 100644 firewall/templates/ip6tables.erb
diff --git a/firewall/manifests/init.pp b/firewall/manifests/init.pp
index 18c334c..f1aa96b 100644
--- a/firewall/manifests/init.pp
+++ b/firewall/manifests/init.pp
@@ -72,7 +72,7 @@ class firewall::custom {
 #
 class firewall::common::iptables {
- package { [ "iptables" ]:
+ package { [ "iptables", "iptables-ipv6" ]:
 ensure => installed,
 }
@@ -85,6 +85,15 @@ class firewall::common::iptables {
 notify => Service["iptables"],
 }
+ file { "/etc/sysconfig/ip6tables":
+ ensure => present,
+ mode => 0600,
+ owner => root,
+ group => root,
+ require => Package["iptables-ipv6"],
+ notify => Service["ip6tables"],
+ }
+
 service { "iptables":
 ensure => running,
 enable => true,
@@ -93,6 +102,14 @@ class firewall::common::iptables {
 require => Package["iptables"],
 }
+ service { "ip6tables":
+ ensure => running,
+ enable => true,
+ hasstatus => true,
+ hasrestart => true,
+ require => Package["iptables-ipv6"],
+ }
+
 }
@@ -104,6 +121,10 @@ class firewall::iptables inherits firewall::common::iptables {
 content => template("firewall/iptables.erb"),
 }
+ File["/etc/sysconfig/ip6tables"] {
+ content => template("firewall/ip6tables.erb"),
+ }
+
 }
diff --git a/firewall/templates/ip6tables.erb b/firewall/templates/ip6tables.erb
new file mode 100644
index 0000000..7639e44
--- /dev/null
+++ b/firewall/templates/ip6tables.erb
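Review bot: The `service { "ip6tables": ensure => running, enable => true, ... }` block in the third hunk (together with the package and file resources in the first two) is applied unconditionally to every node that includes `firewall::common::iptables`, with no way for a node without IPv6 to opt out. On a host where the ipv6 kernel module is absent or disabled the ip6tables init script presumably fails to start, so every agent run would report a failed resource for a firewall that cannot exist there; if such hosts are in scope, gate the three ip6tables resources on a fact or class parameter that says IPv6 is configured. A short comment above the new service, `# ip6tables is managed alongside iptables on every node; hosts without IPv6 must not include this class`, would at least make the assumption explicit.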
@@ -0,0 +1,26 @@
+<% require 'ipaddr' -%>
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m ipv6header --header ah -j ACCEPT
+-A INPUT -m ipv6header --header esp -j ACCEPT
+-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -p ipv6-icmp -j ACCEPT
+<%
+ firewall_rules.each do |rule|
+ rule = /(tcp|udp)\/([\d:]+)( .+)?/.match(rule)
+ if not rule[3] or IPAddr.new(rule[3].strip()).ipv6?
+-%>
+-A INPUT<% if rule[1] == "tcp" %> -m state --state NEW<% end %> -m <%= rule[1] %> -p <%= rule[1] %><% if rule[3] %> -s<%= rule[3] %><% end %> --dport <%= rule[2] %> -j ACCEPT
+<%
+ end
+ end
+ firewall_custom.each do |rule|
+-%>
+<%= rule %>
+<% end -%>
+-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
+-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
+COMMIT
diff --git a/firewall/templates/iptables.erb b/firewall/templates/iptables.erb
index 7c10abc..d5f3cb8 100644
--- a/firewall/templates/iptables.erb
+++ b/firewall/templates/iptables.erb
@@ -7,11 +7,17 @@
 -A INPUT -p esp -j ACCEPT
 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 -A INPUT -p icmp --icmp-type any -j ACCEPT
-<% firewall_rules.each do |rule| -%>
-<% rule = /(tcp|udp)\/([\d:]+)( .+)?/.match(rule) -%>
+<%
+ firewall_rules.each do |rule|
+ rule = /(tcp|udp)\/([\d:]+)( .+)?/.match(rule)
+ if not rule[3] or IPAddr.new(rule[3].strip()).ipv4?
+-%>
 -A INPUT<% if rule[1] == "tcp" %> -m state --state NEW<% end %> -m <%= rule[1] %> -p <%= rule[1] %><% if rule[3] %> -s<%= rule[3] %><% end %> --dport <%= rule[2] %> -j ACCEPT
-<% end -%>
-<% firewall_custom.each do |rule| -%>
+<%
+ end
+ end
+ firewall_custom.each do |rule|
+-%>
 <%= rule %>
 <% end -%>
 -A INPUT -p tcp -j REJECT --reject-with tcp-reset
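Review bot: The `firewall_custom.each` loop writes every custom entry verbatim into the IPv6 ruleset with no address-family check, even though the port rules a few lines above are filtered with `IPAddr.new(...).ipv6?`; any custom rule written in IPv4 syntax (an IPv4 address, `-p icmp`, `--reject-with tcp-reset`) will be rejected by ip6tables when this file is loaded. Since the init script presumably restores the file as a whole, one bad line leaves the node with no IPv6 rules at all and the chains at their empty-ACCEPT state, so the failure mode is open rather than closed, and an operator who only ever tested the IPv4 side would not notice. Either apply the same family filter to custom entries (for example only emit those whose addresses parse as IPv6, or keep a separate custom list for this template) or document at the place where `firewall_custom` is defined that its entries must be valid for both families. A one-line comment in the template, `<%# source-less port rules and all custom rules are emitted for both IPv4 and IPv6 %>`, would also make the intended semantics of the `if not rule[3] or ...` branch visible to the next reader.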
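Review bot: `IPAddr.new(rule[3].strip()).ipv4?` is called in this template, but unlike the new ip6tables.erb no `<% require 'ipaddr' -%>` was added at the top, so the constant only resolves if some other code in the master process happened to load the library first; add the same require line here. The check also changes what a source in `firewall_rules` may contain: iptables' `-s` accepts host names and previously they were passed straight through, whereas `IPAddr.new` raises on anything that is not a literal address or prefix and aborts catalog compilation with an error that does not name the offending rule, so either state where `firewall_rules` is documented that sources must be literal addresses or rescue the error and report the rule text. As a point of style, `if not rule[3] or ...` depends on the precedence of the keyword operators; `if !rule[3] || IPAddr.new(rule[3].strip).ipv4?` is the idiomatic form, and the corresponding `.ipv6?` line in ip6tables.erb has the same shape.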