Hi, today I tried out the new IPv6 support in the new 4.2.4 and it seems to work well in most parts (although I didn't test it thoroughly yet). Nice work, and at the right time since we are starting to implement IPv6 here right now :-)
However, I found (and partially fixed) some minor problems with it.

1. "routestopped" doesn't work at all
-------------------------------------

It looks as if the perl compiler doesn't yet correctly support IPv6 in the routestopped config file. I tried different syntaxes, with and without "<>" around the address. In the case with "<>" it complains about an invalid IPv6 address, in the other case it looks as if it tries to resolve the first part of the address (up to the first ":") as a hostname and complains that it can't find the host.

I didn't dig deeper into this problem since it isn't critical for me at the moment.

2. "shorewall6 safe-*" doesn't work
-----------------------------------

Due to some errors in lib.cli, the old ip6tables rules aren't saved in the first place when trying safe-start or safe-restart. These are fixed in the first attached patch (shorewall6-4.2.4-fixes.patch, against shorewall6 package).

Also, after applying the fix, another problem surfaces. The "real" rules are correctly restored when answering "n" to the question, however the special "shorewall" chain is not restored, so shorewall6 thinks it isn't running from thereon, and a second "safe-restart" doesn't save the rules anymore (and subsequently runs "shorewall6 clear" when answering "n"). This is due to the compiler erroneously emitting "$IPTABLES_RESTORE" instead of "$IP6TABLES_RESTORE" into the restore script. This problem is fixed with the second patch (shorewall-perl-4.2.4-ipv6fixes.patch, against shorewall-perl package).

Andreas
-- 
Andreas Ferber           | MarcanT Internet-Services GmbH
Systemadministration     | Ravensberger Str. 10G, D-33602 Bielefeld
afer...@marcant.net      | Geschaeftsfuehrer: Thorsten Hojas
USt-ID Nr.: DE 190203238 | Handelsregister: Amtsgericht Bielefeld, HRB 35 827
diff -urN shorewall6-4.2.4.orig/lib.cli shorewall6-4.2.4/lib.cli --- shorewall6-4.2.4.orig/lib.cli 2008-12-31 13:44:20.000000000 +0100 +++ shorewall6-4.2.4/lib.cli 2008-12-31 14:09:23.000000000 +0100 @@ -253,9 +253,9 @@ iptables_save=${IP6TABLES}-save - [ -x $iptables_save ] || echo "$ip6tables-save does not exist or is not executable" >&2 + [ -x $iptables_save ] || echo "$iptables_save does not exist or is not executable" >&2 - if shorewall66_is_started ; then + if shorewall6_is_started ; then [ -d ${VARDIR} ] || mkdir -p ${VARDIR} if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then @@ -268,10 +268,10 @@ *) validate_restorefile RESTOREFILE - if $IPTABLES -L dynamic -n > ${VARDIR}/save; then + if $IP6TABLES -L dynamic -n > ${VARDIR}/save; then echo " Dynamic Rules Saved" if [ -f ${VARDIR}/.restore ]; then - if $iptables_save | iptablesbug > ${VARDIR}/restore-$$; then + if $iptables_save > ${VARDIR}/restore-$$; then cp -f ${VARDIR}/.restore $RESTOREPATH mv -f ${VARDIR}/restore-$$ ${RESTOREPATH}-iptables chmod +x $RESTOREPATH @@ -755,8 +755,8 @@ if [ -x $RESTOREPATH ]; then if [ -x ${RESTOREPATH}-ipsets ] ; then echo Restoring Ipsets... - iptables -F - iptables -X + $IP6TABLES -F + $IP6TABLES -X $SHOREWALL_SHELL ${RESTOREPATH}-ipsets fi
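Review bot: In the first lib.cli hunk (@@ -253,9), the `[ -x $iptables_save ] || echo ... >&2` check only prints a warning and execution continues into `if shorewall6_is_started`, so a missing or non-executable ip6tables-save is hit again later when `$iptables_save` is actually run. Consider returning with a non-zero status right after the message, and quoting the operand (`[ -x "$iptables_save" ]`) so that an empty or space-containing `IP6TABLES` cannot change what the test evaluates.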
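Review bot: In the second lib.cli hunk (@@ -268,10), the `| iptablesbug` filter is dropped from the `$iptables_save` pipeline with no comment saying why it is not needed for ip6tables-save output; a one-line comment at that spot would keep it from being re-added later. It is also worth recording that, with the pipe gone, the `if` tests the exit status of `$iptables_save` itself rather than that of the last command in the pipeline, so a failed save no longer reaches the `cp`/`mv` lines that install the restore file.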
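Review bot: In the third lib.cli hunk (@@ -755,8), `$IP6TABLES -F` and `$IP6TABLES -X` are run unquoted and their exit status is ignored before `${RESTOREPATH}-ipsets` is executed, so the ipsets script still runs if the flush did not succeed. Consider chaining the three commands with `&&` or checking the status of the flush, and quoting `"$IP6TABLES"` as in the other hunks.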
diff -urN shorewall-perl-4.2.4.orig/Shorewall/Compiler.pm shorewall-perl-4.2.4/Shorewall/Compiler.pm --- shorewall-perl-4.2.4.orig/Shorewall/Compiler.pm 2008-12-25 16:42:25.000000000 +0100 +++ shorewall-perl-4.2.4/Shorewall/Compiler.pm 2008-12-31 14:14:33.000000000 +0100 @@ -788,7 +788,17 @@ if [ $COMMAND = restore ]; then iptables_save_file=${VARDIR}/$(basename $0)-iptables if [ -f $iptables_save_file ]; then +EOF + if ( $family == F_IPV4 ) { + emit<<'EOF'; cat $iptables_save_file | $IPTABLES_RESTORE # Use this nonsensical form to appease SELinux +EOF + } else { + emit<<'EOF'; + cat $iptables_save_file | $IP6TABLES_RESTORE # Use this nonsensical form to appease SELinux +EOF + } + emit<<'EOF'; else fatal_error "$iptables_save_file does not exist" fi
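Review bot: In the Compiler.pm hunk (@@ -788,7), the two `emit<<'EOF'` branches differ only in the variable name, so the `cat $iptables_save_file | ...` line and its SELinux comment now exist twice and can drift apart. Consider selecting the name once from `$family` and emitting a single line. The `else` branch also treats every family other than `F_IPV4` as IPv6; an explicit comparison or a short comment would make that assumption visible.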