Initial support for ipv6 firewall in linux iptables.

2010-05-06 21:36:01 +03:00 · 2010-05-06 21:36:01 +03:00 · 319d670437
commit 319d670437
parent e07ce25ef2
3 changed files with 58 additions and 5 deletions
--- a/firewall/manifests/init.pp
+++ b/firewall/manifests/init.pp
@ -72,7 +72,7 @@ class firewall::custom {
 #
 class firewall::common::iptables {
-    package { [ "iptables" ]:
+    package { [ "iptables", "iptables-ipv6" ]:
 	ensure => installed,
    }
@ -85,6 +85,15 @@ class firewall::common::iptables {
 	notify  => Service["iptables"],
    }
    file { "/etc/sysconfig/ip6tables":
        ensure  => present,
        mode    => 0600,
        owner   => root,
        group   => root,
        require => Package["iptables-ipv6"],
        notify  => Service["ip6tables"],
    }
    service { "iptables":
 	ensure     => running,
 	enable     => true,
@ -93,6 +102,14 @@ class firewall::common::iptables {
 	require    => Package["iptables"],
    }
    service { "ip6tables":
 	ensure     => running,
 	enable     => true,
 	hasstatus  => true,
 	hasrestart => true,
 	require    => Package["iptables-ipv6"],
    }
 }
@ -104,6 +121,10 @@ class firewall::iptables inherits firewall::common::iptables {
 	content => template("firewall/iptables.erb"),
    }
    File["/etc/sysconfig/ip6tables"] {
        content => template("firewall/ip6tables.erb"),
    }
 }
--- a/firewall/templates/ip6tables.erb
+++ b/firewall/templates/ip6tables.erb
@ -0,0 +1,26 @@
 <% require 'ipaddr' -%>
 *filter
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 -A INPUT -i lo -j ACCEPT
 -A INPUT -m ipv6header --header ah -j ACCEPT
 -A INPUT -m ipv6header --header esp -j ACCEPT
 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 -A INPUT -p ipv6-icmp -j ACCEPT
 <%
  firewall_rules.each do |rule|
    rule = /(tcp|udp)\/([\d:]+)( .+)?/.match(rule)
    if not rule[3] or IPAddr.new(rule[3].strip()).ipv6?
 -%>
 -A INPUT<% if rule[1] == "tcp" %> -m state --state NEW<% end %> -m <%= rule[1] %> -p <%= rule[1] %><% if rule[3] %> -s<%= rule[3] %><% end %> --dport <%= rule[2] %> -j ACCEPT
 <%
    end
  end
  firewall_custom.each do |rule|
 -%>
 <%= rule %>
 <% end -%>
 -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
 -A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
 COMMIT
--- a/firewall/templates/iptables.erb
+++ b/firewall/templates/iptables.erb
@ -7,11 +7,17 @@
 -A INPUT -p esp -j ACCEPT
 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 -A INPUT -p icmp --icmp-type any -j ACCEPT
-<% firewall_rules.each do |rule| -%>
+<%
-<%   rule = /(tcp|udp)\/([\d:]+)( .+)?/.match(rule) -%>
+  firewall_rules.each do |rule|
    rule = /(tcp|udp)\/([\d:]+)( .+)?/.match(rule)
    if not rule[3] or IPAddr.new(rule[3].strip()).ipv4?
 -%>
 -A INPUT<% if rule[1] == "tcp" %> -m state --state NEW<% end %> -m <%= rule[1] %> -p <%= rule[1] %><% if rule[3] %> -s<%= rule[3] %><% end %> --dport <%= rule[2] %> -j ACCEPT
-<% end -%>
+<%
-<% firewall_custom.each do |rule| -%>
+    end
  end
  firewall_custom.each do |rule|
 -%>
 <%= rule %>
 <% end -%>
 -A INPUT -p tcp -j REJECT --reject-with tcp-reset