Add preliminary support for IPv6 with iptables

This commit is contained in:
Pierre Pronchery 2018-08-08 17:07:03 +02:00
parent 81e2255912
commit fa664db600
3 changed files with 94 additions and 72 deletions


@ -39,6 +39,7 @@
#define EXPIRE_COMMENT_PREFIX "_exp_"
#define TMP_COMMENT "__TMPCOMMENT__"
#define DUMMY_IP "127.0.0.2"
#define DUMMY_IPV6 "::2"
#if FIREWALL_FIREWALLD
#include "fw_util_firewalld.h"


@ -67,7 +67,8 @@ rule_exists_no_chk_support(const fko_srv_options_t * const opts,
const unsigned int port,
const char * const natip,
const unsigned int nat_port,
const unsigned int exp_ts)
const unsigned int exp_ts,
int ipv6)
{
int rule_exists=0;
char ipt_line_buf[CMD_BUFSIZE] = {0};
@ -92,7 +93,7 @@ rule_exists_no_chk_support(const fko_srv_options_t * const opts,
#endif
snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_LIST_RULES_ARGS,
opts->fw_config->fw_command,
ipv6 ? opts->fw_config->fw_command6 : opts->fw_config->fw_command,
fwc->table,
fwc->to_chain
);
@ -175,18 +176,18 @@ rule_exists_no_chk_support(const fko_srv_options_t * const opts,
if(rule_exists)
log_msg(LOG_DEBUG,
"rule_exists_no_chk_support() %s %u -> %s expires: %u rule already exists",
proto_search, port, srcip, exp_ts);
proto_search, port, srcip, exp_ts, ipv6);
else
log_msg(LOG_DEBUG,
"rule_exists_no_chk_support() %s %u -> %s expires: %u rule does not exist",
proto_search, port, srcip, exp_ts);
proto_search, port, srcip, exp_ts, ipv6);
return(rule_exists);
}
static int
rule_exists_chk_support(const fko_srv_options_t * const opts,
const char * const chain, const char * const rule)
const char * const chain, const char * const rule, int ipv6)
{
int rule_exists = 0;
int res = 0;
@ -194,7 +195,8 @@ rule_exists_chk_support(const fko_srv_options_t * const opts,
zero_cmd_buffers();
snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_CHK_RULE_ARGS,
opts->fw_config->fw_command, chain, rule);
ipv6 ? opts->fw_config->fw_command6 : opts->fw_config->fw_command,
chain, rule);
res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE,
WANT_STDERR, NO_TIMEOUT, &pid_status, opts);
@ -231,16 +233,17 @@ rule_exists(const fko_srv_options_t * const opts,
const unsigned int port,
const char * const nat_ip,
const unsigned int nat_port,
const unsigned int exp_ts)
const unsigned int exp_ts,
int ipv6)
{
int rule_exists = 0;
if(have_ipt_chk_support == 1)
rule_exists = rule_exists_chk_support(opts, fwc->to_chain, rule);
rule_exists = rule_exists_chk_support(opts, fwc->to_chain, rule, ipv6);
else
rule_exists = rule_exists_no_chk_support(opts, fwc, proto, srcip,
(opts->fw_config->use_destination ? dstip : NULL), port,
nat_ip, nat_port, exp_ts);
nat_ip, nat_port, exp_ts, ipv6);
if(rule_exists == 1)
log_msg(LOG_DEBUG, "rule_exists() Rule : '%s' in %s already exists",
@ -253,7 +256,7 @@ rule_exists(const fko_srv_options_t * const opts,
}
static void
ipt_chk_support(const fko_srv_options_t * const opts)
ipt_chk_support(const fko_srv_options_t * const opts, int ipv6)
{
int res = 1;
struct fw_chain *in_chain = &(opts->fw_config->chain[IPT_INPUT_ACCESS]);
@ -265,10 +268,11 @@ ipt_chk_support(const fko_srv_options_t * const opts)
* delete the rule, and return.
*/
snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_TMP_CHK_RULE_ARGS,
opts->fw_config->fw_command,
ipv6 ? opts->fw_config->fw_command6 : opts->fw_config->fw_command,
in_chain->table,
in_chain->from_chain,
1, /* first rule */
ipv6 ? DUMMY_IPV6 : DUMMY_IP,
in_chain->target
);
@ -284,9 +288,10 @@ ipt_chk_support(const fko_srv_options_t * const opts)
/* Now see if '-C' works - any output indicates failure
*/
snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_TMP_VERIFY_CHK_ARGS,
opts->fw_config->fw_command,
ipv6 ? opts->fw_config->fw_command6 : opts->fw_config->fw_command,
in_chain->table,
in_chain->from_chain,
ipv6 ? DUMMY_IPV6 : DUMMY_IP,
in_chain->target
);
@ -313,7 +318,7 @@ ipt_chk_support(const fko_srv_options_t * const opts)
zero_cmd_buffers();
snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_DEL_RULE_ARGS,
opts->fw_config->fw_command,
ipv6 ? opts->fw_config->fw_command6 : opts->fw_config->fw_command,
in_chain->table,
in_chain->from_chain,
1
@ -325,7 +330,7 @@ ipt_chk_support(const fko_srv_options_t * const opts)
}
static int
comment_match_exists(const fko_srv_options_t * const opts)
comment_match_exists(const fko_srv_options_t * const opts, int ipv6)
{
int res = 1;
char *ndx = NULL;
@ -338,10 +343,11 @@ comment_match_exists(const fko_srv_options_t * const opts)
* the rule and return true.
*/
snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_TMP_COMMENT_ARGS,
opts->fw_config->fw_command,
ipv6 ? opts->fw_config->fw_command6 : opts->fw_config->fw_command,
in_chain->table,
in_chain->from_chain,
1, /* first rule */
ipv6 ? DUMMY_IPV6 : DUMMY_IP,
in_chain->target
);
@ -355,7 +361,7 @@ comment_match_exists(const fko_srv_options_t * const opts)
zero_cmd_buffers();
snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_LIST_RULES_ARGS,
opts->fw_config->fw_command,
ipv6 ? opts->fw_config->fw_command6 : opts->fw_config->fw_command,
in_chain->table,
in_chain->from_chain
);
@ -381,7 +387,7 @@ comment_match_exists(const fko_srv_options_t * const opts)
zero_cmd_buffers();
snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_DEL_RULE_ARGS,
opts->fw_config->fw_command,
ipv6 ? opts->fw_config->fw_command6 : opts->fw_config->fw_command,
in_chain->table,
in_chain->from_chain,
1
@ -394,14 +400,14 @@ comment_match_exists(const fko_srv_options_t * const opts)
}
static int
add_jump_rule(const fko_srv_options_t * const opts, const int chain_num)
add_jump_rule(const fko_srv_options_t * const opts, const int chain_num, int ipv6)
{
int res = 0, rv = 0;
zero_cmd_buffers();
snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_ADD_JUMP_RULE_ARGS,
fwc.fw_command,
ipv6 ? fwc.fw_command6 : fwc.fw_command,
fwc.chain[chain_num].table,
fwc.chain[chain_num].from_chain,
fwc.chain[chain_num].jump_rule_pos,
@ -429,14 +435,14 @@ add_jump_rule(const fko_srv_options_t * const opts, const int chain_num)
}
static int
chain_exists(const fko_srv_options_t * const opts, const int chain_num)
chain_exists(const fko_srv_options_t * const opts, const int chain_num, int ipv6)
{
int res = 0;
zero_cmd_buffers();
snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_CHAIN_EXISTS_ARGS,
fwc.fw_command,
ipv6 ? fwc.fw_command6 : fwc.fw_command,
fwc.chain[chain_num].table,
fwc.chain[chain_num].to_chain
);
@ -460,7 +466,7 @@ chain_exists(const fko_srv_options_t * const opts, const int chain_num)
}
static int
jump_rule_exists_chk_support(const fko_srv_options_t * const opts, const int chain_num)
jump_rule_exists_chk_support(const fko_srv_options_t * const opts, const int chain_num, int ipv6)
{
int exists = 0;
char rule_buf[CMD_BUFSIZE] = {0};
@ -470,7 +476,7 @@ jump_rule_exists_chk_support(const fko_srv_options_t * const opts, const int cha
fwc.chain[chain_num].to_chain
);
if(rule_exists_chk_support(opts, fwc.chain[chain_num].from_chain, rule_buf) == 1)
if(rule_exists_chk_support(opts, fwc.chain[chain_num].from_chain, rule_buf, ipv6) == 1)
{
log_msg(LOG_DEBUG, "jump_rule_exists_chk_support() jump rule found");
exists = 1;
@ -512,12 +518,12 @@ jump_rule_exists_no_chk_support(const fko_srv_options_t * const opts,
}
static int
jump_rule_exists(const fko_srv_options_t * const opts, const int chain_num)
jump_rule_exists(const fko_srv_options_t * const opts, const int chain_num, int ipv6)
{
int exists = 0;
if(have_ipt_chk_support == 1)
exists = jump_rule_exists_chk_support(opts, chain_num);
exists = jump_rule_exists_chk_support(opts, chain_num, ipv6);
else
exists = jump_rule_exists_no_chk_support(opts, chain_num);
@ -568,7 +574,7 @@ fw_dump_rules(const fko_srv_options_t * const opts)
}
}
/* the same with IPv6 */
/* the same with IPv6 */
for(i=0; i < NUM_FWKNOP_ACCESS_TYPES; i++)
{
if(fwc.chain[i].target[0] == '\0')
@ -636,7 +642,7 @@ fw_dump_rules(const fko_srv_options_t * const opts)
}
}
/* the same with IPv6 */
/* the same with IPv6 */
for(i=0; i < NUM_FWKNOP_ACCESS_TYPES; i++)
{
if(fwc.chain[i].target[0] == '\0')
@ -677,7 +683,7 @@ fw_dump_rules(const fko_srv_options_t * const opts)
/* Quietly flush and delete all fwknop custom chains.
*/
static void
delete_all_chains(const fko_srv_options_t * const opts)
delete_all_chains(const fko_srv_options_t * const opts, int ipv6)
{
int i, res, cmd_ctr = 0;
@ -690,7 +696,7 @@ delete_all_chains(const fko_srv_options_t * const opts)
* is there.
*/
cmd_ctr = 0;
while(cmd_ctr < CMD_LOOP_TRIES && (jump_rule_exists(opts, i) == 1))
while(cmd_ctr < CMD_LOOP_TRIES && (jump_rule_exists(opts, i, ipv6) == 1))
{
zero_cmd_buffers();
@ -828,7 +834,7 @@ delete_all_chains(const fko_srv_options_t * const opts)
}
static int
create_chain(const fko_srv_options_t * const opts, const int chain_num)
create_chain(const fko_srv_options_t * const opts, const int chain_num, int ipv6)
{
int res = 0, rv = 0;
@ -837,7 +843,7 @@ create_chain(const fko_srv_options_t * const opts, const int chain_num)
/* Create the custom chain.
*/
snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_NEW_CHAIN_ARGS,
fwc.fw_command,
ipv6 ? fwc.fw_command6 : fwc.fw_command,
fwc.chain[chain_num].table,
fwc.chain[chain_num].to_chain
);
@ -860,18 +866,18 @@ create_chain(const fko_srv_options_t * const opts, const int chain_num)
}
static int
mk_chain(const fko_srv_options_t * const opts, const int chain_num)
mk_chain(const fko_srv_options_t * const opts, const int chain_num, int ipv6)
{
int err = 0;
/* Make sure the required chain and jump rule exist
*/
if(! chain_exists(opts, chain_num))
if(! create_chain(opts, chain_num))
if(! chain_exists(opts, chain_num, ipv6))
if(! create_chain(opts, chain_num, ipv6))
err++;
if (! jump_rule_exists(opts, chain_num))
if(! add_jump_rule(opts, chain_num))
if (! jump_rule_exists(opts, chain_num, ipv6))
if(! add_jump_rule(opts, chain_num, ipv6))
err++;
return err;
@ -880,7 +886,7 @@ mk_chain(const fko_srv_options_t * const opts, const int chain_num)
/* Create the fwknop custom chains (at least those that are configured).
*/
static int
create_fw_chains(const fko_srv_options_t * const opts)
create_fw_chains(const fko_srv_options_t * const opts, int ipv6)
{
int i, got_err = 0;
#if USE_LIBNETFILTER_QUEUE
@ -892,7 +898,7 @@ create_fw_chains(const fko_srv_options_t * const opts)
if(fwc.chain[i].target[0] == '\0')
continue;
got_err += mk_chain(opts, i);
got_err += mk_chain(opts, i, ipv6);
}
#if USE_LIBNETFILTER_QUEUE
@ -903,7 +909,7 @@ create_fw_chains(const fko_srv_options_t * const opts)
/* Create the NF_QUEUE chains and rules
*/
snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_NEW_CHAIN_ARGS,
fwc.fw_command,
ipv6 ? fwc.fw_command6 : fwc.fw_command,
opts->config[CONF_NFQ_TABLE],
opts->config[CONF_NFQ_CHAIN]
);
@ -926,7 +932,7 @@ create_fw_chains(const fko_srv_options_t * const opts)
/* Create the rule to direct traffic to the NFQ chain.
*/
snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_ADD_JUMP_RULE_ARGS,
fwc.fw_command,
ipv6 ? fwc.fw_command6 : fwc.fw_command,
opts->config[CONF_NFQ_TABLE],
"INPUT",
1,
@ -966,7 +972,7 @@ create_fw_chains(const fko_srv_options_t * const opts)
else
{
snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_NFQ_ADD_ARGS,
fwc.fw_command,
ipv6 ? fwc.fw_command6 : fwc.fw_command,
opts->config[CONF_NFQ_TABLE],
opts->config[CONF_NFQ_CHAIN],
opts->config[CONF_NFQ_PORT],
@ -1166,16 +1172,22 @@ fw_initialize(const fko_srv_options_t * const opts)
if(opts->ipt_disable_check_support)
have_ipt_chk_support = 0;
else
ipt_chk_support(opts);
{
ipt_chk_support(opts, 0);
ipt_chk_support(opts, 1);
}
/* Flush the chains (just in case) so we can start fresh.
*/
if(strncasecmp(opts->config[CONF_FLUSH_IPT_AT_INIT], "Y", 1) == 0)
delete_all_chains(opts);
{
delete_all_chains(opts, 0);
delete_all_chains(opts, 1);
}
/* Now create any configured chains.
*/
if(create_fw_chains(opts) != 0)
if(create_fw_chains(opts, 0) != 0 || create_fw_chains(opts, 1) != 0)
{
log_msg(LOG_WARNING,
"fw_initialize() Warning: Errors detected during fwknop custom chain creation");
@ -1186,7 +1198,7 @@ fw_initialize(const fko_srv_options_t * const opts)
*/
if(strncasecmp(opts->config[CONF_ENABLE_IPT_COMMENT_CHECK], "Y", 1) == 0)
{
if(comment_match_exists(opts) == 1)
if(comment_match_exists(opts, 0) == 1 && comment_match_exists(opts, 1) == 1)
{
log_msg(LOG_INFO, "iptables 'comment' match is available");
}
@ -1207,13 +1219,14 @@ fw_cleanup(const fko_srv_options_t * const opts)
&& opts->fw_flush == 0)
return(0);
delete_all_chains(opts);
delete_all_chains(opts, 0);
delete_all_chains(opts, 1);
return(0);
}
static int
create_rule(const fko_srv_options_t * const opts,
const char * const fw_chain, const char * const fw_rule)
const char * const fw_chain, const char * const fw_rule, int ipv6)
{
int res = 0;
@ -1221,10 +1234,12 @@ create_rule(const fko_srv_options_t * const opts,
if (strncasecmp(opts->config[CONF_ENABLE_RULE_PREPEND], "Y", 1) == 0) {
snprintf(cmd_buf, CMD_BUFSIZE-1, "%s -I %s %s",
opts->fw_config->fw_command, fw_chain, fw_rule);
ipv6 ? opts->fw_config->fw_command6 : opts->fw_config->fw_command,
fw_chain, fw_rule);
} else {
snprintf(cmd_buf, CMD_BUFSIZE-1, "%s -A %s %s",
opts->fw_config->fw_command, fw_chain, fw_rule);
ipv6 ? opts->fw_config->fw_command6 : opts->fw_config->fw_command,
fw_chain, fw_rule);
}
res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, WANT_STDERR,
NO_TIMEOUT, &pid_status, opts);
@ -1260,7 +1275,8 @@ ipt_rule(const fko_srv_options_t * const opts,
const unsigned int exp_ts,
const time_t now,
const char * const msg,
const char * const access_msg)
const char * const access_msg,
int ipv6)
{
char rule_buf[CMD_BUFSIZE] = {0};
@ -1285,12 +1301,12 @@ ipt_rule(const fko_srv_options_t * const opts,
/* Check to make sure that the chain and jump rule exist
*/
mk_chain(opts, chain->type);
mk_chain(opts, chain->type, ipv6);
if(rule_exists(opts, chain, rule_buf, proto, srcip,
dstip, port, nat_ip, nat_port, exp_ts) == 0)
dstip, port, nat_ip, nat_port, exp_ts, ipv6) == 0)
{
if(create_rule(opts, chain->to_chain, rule_buf))
if(create_rule(opts, chain->to_chain, rule_buf, ipv6))
{
log_msg(LOG_INFO, "Added %s rule to %s for %s -> %s %s, expires at %u",
msg, chain->to_chain, srcip, (dstip == NULL) ? IPT_ANY_IP : dstip,
@ -1319,7 +1335,8 @@ static void forward_access_rule(const fko_srv_options_t * const opts,
const unsigned int fst_port,
spa_data_t * const spadat,
const unsigned int exp_ts,
const time_t now)
const time_t now,
int ipv6)
{
char rule_buf[CMD_BUFSIZE] = {0};
@ -1342,7 +1359,7 @@ static void forward_access_rule(const fko_srv_options_t * const opts,
*/
ipt_rule(opts, rule_buf, NULL, spadat->use_src_ip,
NULL, ANY_PROTO, ANY_PORT, NULL, NAT_ANY_PORT,
fwd_chain, exp_ts, now, "FORWARD ALL", "*/*");
fwd_chain, exp_ts, now, "FORWARD ALL", "*/*", ipv6);
}
else
{
@ -1358,7 +1375,7 @@ static void forward_access_rule(const fko_srv_options_t * const opts,
*/
ipt_rule(opts, rule_buf, NULL, spadat->use_src_ip,
NULL, fst_proto, nat_port, NULL, NAT_ANY_PORT,
fwd_chain, exp_ts, now, "FORWARD", spadat->spa_message_remain);
fwd_chain, exp_ts, now, "FORWARD", spadat->spa_message_remain, ipv6);
}
return;
}
@ -1372,7 +1389,8 @@ static void dnat_rule(const fko_srv_options_t * const opts,
const unsigned int fst_port,
spa_data_t * const spadat,
const unsigned int exp_ts,
const time_t now)
const time_t now,
int ipv6)
{
char rule_buf[CMD_BUFSIZE] = {0};
@ -1396,7 +1414,7 @@ static void dnat_rule(const fko_srv_options_t * const opts,
*/
ipt_rule(opts, rule_buf, NULL, spadat->use_src_ip,
NULL, ANY_PROTO, ANY_PORT, NULL, NAT_ANY_PORT,
dnat_chain, exp_ts, now, "DNAT ALL", "*/*");
dnat_chain, exp_ts, now, "DNAT ALL", "*/*", ipv6);
}
else
{
@ -1417,7 +1435,7 @@ static void dnat_rule(const fko_srv_options_t * const opts,
ipt_rule(opts, rule_buf, NULL, spadat->use_src_ip,
(fwc.use_destination ? spadat->pkt_destination_ip : IPT_ANY_IP),
fst_proto, fst_port, nat_ip, nat_port, dnat_chain, exp_ts, now,
"DNAT", spadat->spa_message_remain);
"DNAT", spadat->spa_message_remain, ipv6);
}
return;
}
@ -1430,7 +1448,8 @@ static void snat_rule(const fko_srv_options_t * const opts,
const unsigned int fst_port,
spa_data_t * const spadat,
const unsigned int exp_ts,
const time_t now)
const time_t now,
int ipv6)
{
char rule_buf[CMD_BUFSIZE] = {0};
char snat_target[SNAT_TARGET_BUFSIZE] = {0};
@ -1478,7 +1497,7 @@ static void snat_rule(const fko_srv_options_t * const opts,
ipt_rule(opts, rule_buf, NULL, spadat->use_src_ip,
NULL, ANY_PROTO, ANY_PORT, NULL, NAT_ANY_PORT,
snat_chain, exp_ts, now, "SNAT ALL", "*/*");
snat_chain, exp_ts, now, "SNAT ALL", "*/*", ipv6);
}
else
{
@ -1529,7 +1548,7 @@ static void snat_rule(const fko_srv_options_t * const opts,
ipt_rule(opts, rule_buf, NULL, spadat->use_src_ip,
NULL, fst_proto, nat_port, nat_ip, nat_port,
snat_chain, exp_ts, now, "SNAT",
spadat->spa_message_remain);
spadat->spa_message_remain, ipv6);
}
return;
}
@ -1563,6 +1582,8 @@ process_spa_request(const fko_srv_options_t * const opts,
time_t now;
unsigned int exp_ts;
int ipv6 = 0;
/* Parse and expand our access message.
*/
if(expand_acc_port_list(&port_list, spadat->spa_message_remain) != 1)
@ -1610,7 +1631,7 @@ process_spa_request(const fko_srv_options_t * const opts,
if((ndx != NULL) && (str_len <= MAX_HOSTNAME_LEN))
{
strlcpy(nat_dst, spadat->nat_access, str_len+1);
if(! is_valid_ip_addr(nat_dst, str_len, AF_INET))
if(! is_valid_ip_addr(nat_dst, str_len, ipv6 ? AF_INET6 : AF_INET))
{
if(strncasecmp(opts->config[CONF_ENABLE_NAT_DNS], "Y", 1) == 0)
{
@ -1668,27 +1689,27 @@ process_spa_request(const fko_srv_options_t * const opts,
ipt_rule(opts, NULL, IPT_RULE_ARGS, spadat->use_src_ip,
(fwc.use_destination ? spadat->pkt_destination_ip : IPT_ANY_IP),
fst_proto, nat_port, nat_ip, nat_port, in_chain, exp_ts,
now, "local NAT", spadat->spa_message_remain);
now, "local NAT", spadat->spa_message_remain, ipv6);
}
else if(strlen(fwd_chain->to_chain))
{
/* FORWARD access rule
*/
forward_access_rule(opts, acc, fwd_chain, nat_ip,
nat_port, fst_proto, fst_port, spadat, exp_ts, now);
nat_port, fst_proto, fst_port, spadat, exp_ts, now, ipv6);
}
/* DNAT rule
*/
if(strlen(dnat_chain->to_chain) && !acc->disable_dnat)
dnat_rule(opts, acc, dnat_chain, nat_ip,
nat_port, fst_proto, fst_port, spadat, exp_ts, now);
nat_port, fst_proto, fst_port, spadat, exp_ts, now, ipv6);
/* SNAT rule
*/
if(acc->force_snat || strncasecmp(opts->config[CONF_ENABLE_IPT_SNAT], "Y", 1) == 0)
snat_rule(opts, acc, nat_ip, nat_port,
fst_proto, fst_port, spadat, exp_ts, now);
fst_proto, fst_port, spadat, exp_ts, now, ipv6);
}
else /* Non-NAT request - this is the typical case. */
{
@ -1699,7 +1720,7 @@ process_spa_request(const fko_srv_options_t * const opts,
ipt_rule(opts, NULL, IPT_RULE_ARGS, spadat->use_src_ip,
(fwc.use_destination ? spadat->pkt_destination_ip : IPT_ANY_IP),
ple->proto, ple->port, NULL, NAT_ANY_PORT,
in_chain, exp_ts, now, "access", spadat->spa_message_remain);
in_chain, exp_ts, now, "access", spadat->spa_message_remain, ipv6);
/* We need to make a corresponding OUTPUT rule if out_chain target
* is not NULL.
@ -1709,7 +1730,7 @@ process_spa_request(const fko_srv_options_t * const opts,
ipt_rule(opts, NULL, IPT_OUT_RULE_ARGS, spadat->use_src_ip,
(fwc.use_destination ? spadat->pkt_destination_ip : IPT_ANY_IP),
ple->proto, ple->port, NULL, NAT_ANY_PORT,
out_chain, exp_ts, now, "OUTPUT", spadat->spa_message_remain);
out_chain, exp_ts, now, "OUTPUT", spadat->spa_message_remain, ipv6);
}
ple = ple->next;
}
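Review bot: The two log_msg calls in rule_exists_no_chk_support now pass ipv6 as a fifth argument while their format strings still contain only four conversions, so the value is silently dropped (and -Wformat-extra-args will warn); either extend the format, e.g. `"rule_exists_no_chk_support() %s %u -> %s expires: %u ipv6: %d rule already exists"` (and the matching "does not exist" string), or keep the original argument list. In process_spa_request `int ipv6 = 0;` is declared but, as far as the visible hunks show, never assigned, so every rule still takes the IPv4 path; if that is the intended scope of "preliminary", a `/* TODO: derive from the SPA packet's address family */` comment next to the declaration would make it explicit. In fw_initialize the comment-match probe became `comment_match_exists(opts, 0) == 1 && comment_match_exists(opts, 1) == 1`, which appears to disable the comment match for IPv4 whenever the IPv6 probe fails (for instance when no fw_command6 is configured); the unconditional `ipt_chk_support(opts, 1)` and `delete_all_chains(opts, 1)` calls have the same asymmetry and presumably should be skipped when no IPv6 command is configured. The enclosing functions of these hunks start and end outside the shown lines.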


@ -49,9 +49,9 @@
#define IPT_DNAT_ALL_RULE_ARGS "-t %s -s %s -d %s -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s --to-destination %s" SH_REDIR
#define IPT_SNAT_RULE_ARGS "-t %s -p %i -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s %s" SH_REDIR
#define IPT_SNAT_ALL_RULE_ARGS "-t %s -s %s -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s %s" SH_REDIR
#define IPT_TMP_COMMENT_ARGS "-t %s -I %s %i -s " DUMMY_IP " -m comment --comment " TMP_COMMENT " -j %s" SH_REDIR
#define IPT_TMP_CHK_RULE_ARGS "-t %s -I %s %i -s " DUMMY_IP " -p udp -j %s" SH_REDIR
#define IPT_TMP_VERIFY_CHK_ARGS "-t %s -C %s -s " DUMMY_IP " -p udp -j %s" SH_REDIR
#define IPT_TMP_COMMENT_ARGS "-t %s -I %s %i -s %s -m comment --comment " TMP_COMMENT " -j %s" SH_REDIR
#define IPT_TMP_CHK_RULE_ARGS "-t %s -I %s %i -s %s -p udp -j %s" SH_REDIR
#define IPT_TMP_VERIFY_CHK_ARGS "-t %s -C %s -s %s -p udp -j %s" SH_REDIR
#define IPT_DEL_RULE_ARGS "-t %s -D %s %i" SH_REDIR
#define IPT_NEW_CHAIN_ARGS "-t %s -N %s" SH_REDIR
#define IPT_FLUSH_CHAIN_ARGS "-t %s -F %s" SH_REDIR
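Review bot: IPT_TMP_COMMENT_ARGS, IPT_TMP_CHK_RULE_ARGS and IPT_TMP_VERIFY_CHK_ARGS gained a positional `%s` where the source address used to be the compile-time DUMMY_IP, so every caller now has to pass DUMMY_IP or DUMMY_IPV6 in that slot, and nothing in the header records the new argument order. A one-line comment above the three macros, such as `/* args: table, chain[, rule position], dummy source address (DUMMY_IP or DUMMY_IPV6), target */`, would document it for the next caller.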