IPv6 support improved

ChangeLog

@@ -1,6 +1,9 @@
 0.9.9  - Brielle Bruns <bruns@2mbit.com>
 	- Loadable module support during firewall loading
 	- More init script fixes.
+	- Non-conntracked DNS reply packets allow options
+	- Slightly improved IPv6 support to start to bring
+	  it up to par with IPv4 support.Ã
 
 0.9.8a - Brielle Bruns <bruns@2mbit.com>
 	- Fixing executable file permission issues

bin/firewall-sosdg

@@ -143,7 +143,6 @@ if [ "$DNS_REQUESTS_OUT" ]; then
 	display_c YELLOW "Adding DNS reply allows for trusted DNS servers.."
 	for i in $DNS_REQUESTS_OUT; do
 		if [[ "$i" =~ "|" ]]; then
-			echo "Original variable: ${DNS_REQUESTS_OUT}"
 			IFS_OLD=${IFS};IFS=\|
 			DNSREQ=($i)
 			IFS=${IFS_OLD}
@@ -599,6 +598,27 @@ if [ $IPV6 ]; then
 	. "$BASEDIR/include/ipv4_custom_blockip"
 fi
 
+if [ "$IPV6_DNS_REQUESTS_OUT" ]; then
+	display_c YELLOW "Adding IPv6 DNS reply allows for trusted DNS servers.."
+	for i in $DNS_REQUESTS_OUT; do
+		if [[ "$i" =~ "|" ]]; then
+			IFS_OLD=${IFS};IFS=\|
+			DNSREQ=($i)
+			IFS=${IFS_OLD}
+			SRCIF=${DNSREQ[0]}
+			DNSIP_NUM=${#DNSREQ[@]}
+			DNSIP_COUNT_CURR=1
+			for ((i=$DNSIP_COUNT_CURR; i <= $DNSIP_NUM; i++)); do
+				if [ ${DNSREQ[$i]} ]; then
+					${IP6TABLES} -A INPUT -i ${SRCIF} -p udp --sport 53 -s ${DNSREQ[$i]} --destination-port 1024:65535 -j ACCEPT
+				fi
+			done			
+		else
+			${IP6TABLES} -A INPUT -i $i -p udp --sport 53 --destination-port 1024:65535 -j ACCEPT
+		fi
+	done
+fi
+
 if [ "$BLOCKEDIPV6" ]; then
 	display_c YELLOW "Adding blocked IPv6 addresses... "
 	for i in `grep -v "\#" $BLOCKEDIPV6`; do
@@ -747,7 +767,12 @@ fi
 		. "$BASEDIR/include/ipv6_custom_conntrack"
 	fi
 
-	if [ $IPV6ROUTEDCLIENTBLOCK ]; then
+	if [ -s "$BASEDIR/include/ipv6_custom_conntrack" ]; then
+		display_c YELLOW "Loading custom IPv6 conntrack rules..."
+		. "$BASEDIR/include/ipv6_custom_conntrack"
+	fi
+
+	if [ "$IPV6CONNTRACK" ]; then
 		$IP6TABLES -A INPUT -m state --state NEW -j ACCEPT
 		$IP6TABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 		$IP6TABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
@@ -757,6 +782,9 @@ fi
 		$IP6TABLES -A INPUT -m state --state INVALID -j DROP
 		$IP6TABLES -A OUTPUT -m state --state INVALID -j DROP
 		$IP6TABLES -A FORWARD -m state --state INVALID -j DROP
+	fi
+
+	if [ $IPV6ROUTEDCLIENTBLOCK ]; then
 		$IP6TABLES -A FORWARD -i $IPV6INT -o $IPV6LAN -p tcp --syn -j DROP
 		$IP6TABLES -A INPUT -i $IPV6INT -p tcp --syn -j DROP
 		$IP6TABLES -A INPUT -i $IPV6INT -p udp ! --dport 32768:65535 -j DROP

include/README

@@ -9,4 +9,4 @@ ipv4_custom_blockip	   ipv4_custom_mark
 
 ipv6_custom_flush          ipv6_custom_trust        ipv6_custom_mssclamp
 ipv6_custom_blockoutports  ipv6_custom_allowedports ipv6_custom_conntrack
-ipv6_custom_routing        ipv6_custom_blockincoming
+ipv6_custom_routing        ipv6_custom_blockincoming ipv6_custom_conntrack

options.default

@@ -54,7 +54,7 @@ IPTABLES_MULTIPORT=auto
 
 # Allow outgoing DNS requests - important if you did not activate connection
 # tracking.  Set this to the interfaces you wish to use for outgoing requests
-# plus the IP addresses of your upstream servers (up to 3) if you need to.
+# plus the IP addresses of your upstream servers (recommended up to 3) if you need to.
 #DNS_REQUESTS_OUT="eth0|4.2.2.1|4.2.2.2|4.2.2.3 eth1"
 
 # TCP/UDP/Protocol to allow
@@ -129,6 +129,14 @@ IPV6=1
 # IPv6 Forwarding
 #IPV6FORWARD=1
 
+# Do IPv6 connection tracking?
+#IPV6CONNTRACK=1
+
+# Allow outgoing DNS requests - important if you did not activate connection
+# tracking.  Set this to the interfaces you wish to use for outgoing requests
+# plus the IP addresses of your upstream servers (recommended up to 3) if you need to.
+#IPV6_DNS_REQUESTS_OUT="eth0|2001::1|2001::2|2001::3 eth1"
+
 # Default block all incoming ipv6 connections?
 IPV6BLOCKINCOMING=1