From 2dc5d200f8d07c742bffaee839db57cb8bb543c1 Mon Sep 17 00:00:00 2001
From: bbruns
Date: Wed, 13 Oct 2010 20:43:20 +0000
Subject: [PATCH] IPv6 marking support
---
 ChangeLog | 1 +
 bin/firewall-sosdg | 36 +++++++++++++++++++++++++++++++-----
 ipv4-marks.default | 6 +++---
 options.default | 11 ++++++-----
 4 files changed, 41 insertions(+), 13 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 7b61c0a..2b4b4d3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,7 @@ - Non-conntracked DNS reply packets allow options - Slightly improved IPv6 support to start to bring it up to par with IPv4 support.Ã + - ipv6 marking support, changed ipv4 to use | instead of : 0.9.8a - Brielle Bruns - Fixing executable file permission issues
diff --git a/bin/firewall-sosdg b/bin/firewall-sosdg
index f825a1f..fbfb5d1 100755
--- a/bin/firewall-sosdg
+++ b/bin/firewall-sosdg
@@ -497,7 +497,7 @@ fi
 if [ -r "$IPv4_MARK" ]; then
 display_c YELLOW "Adding mark: "
 for i in `grep -v "\#" $IPv4_MARK`; do
- MARK=( ${i//:/ } )
+ MARK=( ${i//|/ } )
 INIF=${MARK[0]}
 INIP=${MARK[1]}
 DSTIP=${MARK[2]}
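Review bot: Switching the separator on the `MARK=( ${i//|/ } )` line silently breaks any existing ipv4-marks file still written in the old `a:b:c:d` form: the substitution leaves such a line untouched, so `MARK[0]` receives the whole line, `MARK[1..3]` are empty, and the iptables call later in the loop (outside this hunk) runs with empty `-s`/`-d`/`--set-mark` values. Reject a line that lacks the new separator before splitting, e.g. `case $i in *\|*) ;; *) display_c YELLOW "Skipping mark line without | separator: $i"; continue;; esac`. The same split is duplicated in the IPv6 block added later in this commit, so the check belongs in both loops. Note also that both `for i in \`grep ...\`` and the unquoted array assignment glob-expand each field, so a `*` in an entry is expanded against the current directory; reading the file with `while IFS= read -r i` and splitting with `IFS='|' read -r -a MARK <<<"$i"` would avoid that. The enclosing loop body continues past the end of the hunk.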
@@ -761,12 +761,38 @@ fi
 reset_color
 fi
 fi
-
- if [ -s "$BASEDIR/include/ipv6_custom_conntrack" ]; then
- display_c YELLOW "Loading custom IPv6 conntrack rules..."
- . "$BASEDIR/include/ipv6_custom_conntrack"
+
+ if [ -s "$BASEDIR/include/ipv6_custom_mark" ]; then
+ display_c YELLOW "Loading custom IPv6 mark rules..."
+ . "$BASEDIR/include/ipv6_custom_mark"
 fi
+ if [ -r "$IPv6_MARK" ]; then
+ display_c YELLOW "Adding IPv6 mark: "
+ for i in `grep -v "\#" $IPv6_MARK`; do
+ MARK=( ${i//|/ } )
+ INIF=${MARK[0]}
+ INIP=${MARK[1]}
+ DSTIP=${MARK[2]}
+ IPMARK=${MARK[3]}
+
+ case $INIP in
+ !*) INNEG="!"
+ INIP=${INIP#\!};;
+ esac
+ case $DSTIP in
+ !*) DSTNEG="!"
+ DSTIP=${DSTIP#\!};;
+ esac
+
+ ${IP6TABLES} -t mangle -A PREROUTING -i ${INIF} ${INNEG} -s ${INIP} \
+ ${DSTNEG} -d ${DSTIP} -j MARK --set-mark=${IPMARK}
+ display_c DEFAULT "\t${GREEN}${INNEG}${INIF};${PURPLE}${INIP}${AQUA}->${BLUE}${DSTNEG}${DSTIP};${RED}${IPMARK}"
+ unset INNEG DSTNEG
+ done
+ echo -ne "\n"
+ fi
+
 if [ -s "$BASEDIR/include/ipv6_custom_conntrack" ]; then
 display_c YELLOW "Loading custom IPv6 conntrack rules..."
 . "$BASEDIR/include/ipv6_custom_conntrack"
diff --git a/ipv4-marks.default b/ipv4-marks.default
index f22b322..3781bd8 100644
--- a/ipv4-marks.default
+++ b/ipv4-marks.default
@@ -1,6 +1,6 @@
 # IPv4 Packet Marking
 # Used to mark packets for specific routing (or other) purposes
-# incoming-interface:src-range:dst-range:mark-num
+# incoming-interface|src-range|dst-range|mark-num
 # Use ! before IP/range to negate
-# eth0:192.168.0.0/24:192.168.1.0/24:5
-# ORDER MATTERS!
\ No newline at end of file
+# eth0|192.168.0.0/24|192.168.1.0/24|5
+# ORDER MATTERS!
diff --git a/options.default b/options.default
index b69df76..d755ff6 100755
--- a/options.default
+++ b/options.default
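Review bot: The new `${IP6TABLES} -t mangle -A PREROUTING ...` call is issued without checking that the line produced four fields, so a short or malformed entry hands ip6tables an empty `-s`/`-d` argument or a bare `--set-mark=`; the command fails, nothing inspects its exit status, and the green confirmation line is printed anyway, which makes a missing mark rule hard to spot in the output. Add `[ "${#MARK[@]}" -eq 4 ] || { display_c YELLOW "Skipping malformed IPv6 mark line: $i"; continue; }` right after the `MARK=( ${i//|/ } )` line, and print the confirmation only when ip6tables returned 0. The IPv4 loop at the earlier hunk (line 497) has the same gap. As far as this hunk shows, the block is gated only on `$IPv6_MARK` being readable; if the surrounding code (which begins above the hunk) does not already require `IPV6=1` and a non-empty `$IP6TABLES`, an unset `IP6TABLES` makes the shell try to execute `-t` as a command, so confirm the guard exists.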
@@ -72,10 +72,10 @@ TRUSTEDIP="127.0.0.1"
 DONTTRACK="127.0.0.1"
 # IP range(s) to forward
-ROUTING=$BASEDIR/ipv4-routing
+#ROUTING=$BASEDIR/ipv4-routing
 # Mark ipv4 packets for advanced purposes
-IPv4_MARK=$BASEDIR/ipv4-marks
+#IPv4_MARK=$BASEDIR/ipv4-marks
 # Hacks to either block specific kinds of attacks or fix problems
 #
@@ -126,10 +126,8 @@ STRIPECN="0.0.0.0/0"
 # IPv6 related items
 IPV6=1
-# IPv6 Forwarding
+# Do we want IPv6 FORWARD and Connection tracking features?
 #IPV6FORWARD=1
-
-# Do IPv6 connection tracking?
 #IPV6CONNTRACK=1
 # Allow outgoing DNS requests - important if you did not activate connection
@@ -144,6 +142,9 @@ IPV6BLOCKINCOMING=1
 # Useful if clients do not have proper ipv6 firewalls.
 #IPV6ROUTEDCLIENTBLOCK=1
+# Mark ipv6 packets for advanced purposes
+#IPv6_MARK=$BASEDIR/ipv6-marks
+
 # IPv6 Ranges to block all traffic incoming/outgoing
 #BLOCKEDIPV6=$BASEDIR/ipv6-blocked
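Review bot: Commenting out `ROUTING=` and `IPv4_MARK=` flips the shipped default from enabled to disabled, which neither the comments above them nor the ChangeLog entry in this commit mention; since firewall-sosdg only tests `[ -r "$IPv4_MARK" ]`, someone who installs the new options.default gets routing and marking silently switched off rather than a warning. Say so in the comment, e.g. `# Mark ipv4 packets for advanced purposes (uncomment to enable; one rule per line: incoming-interface|src-range|dst-range|mark-num)`.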
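Review bot: The new `#IPv6_MARK=$BASEDIR/ipv6-marks` default refers to a file this commit does not ship: the diffstat lists only ChangeLog, bin/firewall-sosdg, ipv4-marks.default and options.default, so unlike the IPv4 side there is no `ipv6-marks.default` template showing the expected format. Either add that template (mirroring ipv4-marks.default with an IPv6 example) or document the format here, e.g. `# Mark ipv6 packets for advanced purposes; one rule per line: incoming-interface|src-range|dst-range|mark-num, prefix an address with ! to negate`.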