IPv6 marking support

2010-10-13 20:43:20 +00:00 · 2010-10-13 20:43:20 +00:00 · 2dc5d200f8
parent aa881a3a69
commit 2dc5d200f8
4 changed files with 41 additions and 13 deletions
--- a/1
+++ b/1
@ -4,6 +4,7 @@
 	- Non-conntracked DNS reply packets allow options
 	- Slightly improved IPv6 support to start to bring
 	  it up to par with IPv4 support.Ã
+	- ipv6 marking support, changed ipv4 to use | instead of :

 0.9.8a - Brielle Bruns <bruns@2mbit.com>
 	- Fixing executable file permission issues
--- a/bin/firewall-sosdg
+++ b/bin/firewall-sosdg
@ -497,7 +497,7 @@ fi
 if [ -r "$IPv4_MARK" ]; then
 	display_c YELLOW "Adding mark: "
 	for i in `grep -v "\#" $IPv4_MARK`; do
-		MARK=( ${i//:/ } )
+		MARK=( ${i//|/ } )
 		INIF=${MARK[0]}
 		INIP=${MARK[1]}
 		DSTIP=${MARK[2]}
@ -762,9 +762,35 @@ fi
 	fi
 	fi
 	
-	if [ -s "$BASEDIR/include/ipv6_custom_conntrack" ]; then
-		display_c YELLOW "Loading custom IPv6 conntrack rules..."
-		. "$BASEDIR/include/ipv6_custom_conntrack"
+	if [ -s "$BASEDIR/include/ipv6_custom_mark" ]; then
+		display_c YELLOW "Loading custom IPv6 mark rules..."
+		. "$BASEDIR/include/ipv6_custom_mark"
+	fi
+
+	if [ -r "$IPv6_MARK" ]; then
+		display_c YELLOW "Adding IPv6 mark: "
+		for i in `grep -v "\#" $IPv6_MARK`; do
+			MARK=( ${i//|/ } )
+			INIF=${MARK[0]}
+			INIP=${MARK[1]}
+			DSTIP=${MARK[2]}
+			IPMARK=${MARK[3]}
+
+			case $INIP in
+				!*) INNEG="!"
+					INIP=${INIP#\!};;
+			esac
+			case $DSTIP in
+				!*) DSTNEG="!"
+					DSTIP=${DSTIP#\!};;
+			esac
+
+			${IP6TABLES} -t mangle -A PREROUTING -i ${INIF} ${INNEG} -s ${INIP} \
+   			     ${DSTNEG} -d ${DSTIP} -j MARK --set-mark=${IPMARK}
+			display_c DEFAULT "\t${GREEN}${INNEG}${INIF};${PURPLE}${INIP}${AQUA}->${BLUE}${DSTNEG}${DSTIP};${RED}${IPMARK}"
+			unset INNEG DSTNEG
+		done
+	echo -ne "\n"
 	fi
 	
 	if [ -s "$BASEDIR/include/ipv6_custom_conntrack" ]; then
--- a/ipv4-marks.default
+++ b/ipv4-marks.default
@ -1,6 +1,6 @@
 # IPv4 Packet Marking
 # Used to mark packets for specific routing (or other) purposes
-# incoming-interface:src-range:dst-range:mark-num
+# incoming-interface|src-range|dst-range|mark-num
 # Use ! before IP/range to negate
-# eth0:192.168.0.0/24:192.168.1.0/24:5
+# eth0|192.168.0.0/24|192.168.1.0/24|5
 # ORDER MATTERS!
--- a/options.default
+++ b/options.default
@ -72,10 +72,10 @@ TRUSTEDIP="127.0.0.1"
 DONTTRACK="127.0.0.1"

 # IP range(s) to forward
-ROUTING=$BASEDIR/ipv4-routing
+#ROUTING=$BASEDIR/ipv4-routing

 # Mark ipv4 packets for advanced purposes
-IPv4_MARK=$BASEDIR/ipv4-marks
+#IPv4_MARK=$BASEDIR/ipv4-marks

 # Hacks to either block specific kinds of attacks or fix problems
 #
@ -126,10 +126,8 @@ STRIPECN="0.0.0.0/0"
 # IPv6 related items
 IPV6=1

-# IPv6 Forwarding
+# Do we want IPv6 FORWARD and Connection tracking features?
 #IPV6FORWARD=1
-
-# Do IPv6 connection tracking?
 #IPV6CONNTRACK=1

 # Allow outgoing DNS requests - important if you did not activate connection
@ -144,6 +142,9 @@ IPV6BLOCKINCOMING=1
 # Useful if clients do not have proper ipv6 firewalls.
 #IPV6ROUTEDCLIENTBLOCK=1

+# Mark ipv6 packets for advanced purposes
+#IPv6_MARK=$BASEDIR/ipv6-marks
+
 # IPv6 Ranges to block all traffic incoming/outgoing
 #BLOCKEDIPV6=$BASEDIR/ipv6-blocked