diff --git a/server/fw_util.h b/server/fw_util.h index 01bc20dd..e3231e57 100644 --- a/server/fw_util.h +++ b/server/fw_util.h @@ -39,6 +39,7 @@ #define EXPIRE_COMMENT_PREFIX "_exp_" #define TMP_COMMENT "__TMPCOMMENT__" #define DUMMY_IP "127.0.0.2" +#define DUMMY_IPV6 "::2" #if FIREWALL_FIREWALLD #include "fw_util_firewalld.h" diff --git a/server/fw_util_iptables.c b/server/fw_util_iptables.c index a703e917..8cb0d595 100644 --- a/server/fw_util_iptables.c +++ b/server/fw_util_iptables.c @@ -67,7 +67,8 @@ rule_exists_no_chk_support(const fko_srv_options_t * const opts, const unsigned int port, const char * const natip, const unsigned int nat_port, - const unsigned int exp_ts) + const unsigned int exp_ts, + int ipv6) { int rule_exists=0; char ipt_line_buf[CMD_BUFSIZE] = {0}; @@ -92,7 +93,7 @@ rule_exists_no_chk_support(const fko_srv_options_t * const opts, #endif snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_LIST_RULES_ARGS, - opts->fw_config->fw_command, + ipv6 ? opts->fw_config->fw_command6 : opts->fw_config->fw_command, fwc->table, fwc->to_chain ); @@ -175,18 +176,18 @@ rule_exists_no_chk_support(const fko_srv_options_t * const opts, if(rule_exists) log_msg(LOG_DEBUG, "rule_exists_no_chk_support() %s %u -> %s expires: %u rule already exists", - proto_search, port, srcip, exp_ts); + proto_search, port, srcip, exp_ts, ipv6); else log_msg(LOG_DEBUG, "rule_exists_no_chk_support() %s %u -> %s expires: %u rule does not exist", - proto_search, port, srcip, exp_ts); + proto_search, port, srcip, exp_ts, ipv6); return(rule_exists); } static int rule_exists_chk_support(const fko_srv_options_t * const opts, - const char * const chain, const char * const rule) + const char * const chain, const char * const rule, int ipv6) { int rule_exists = 0; int res = 0; @@ -194,7 +195,8 @@ rule_exists_chk_support(const fko_srv_options_t * const opts, zero_cmd_buffers(); snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_CHK_RULE_ARGS, - opts->fw_config->fw_command, chain, rule); + ipv6 ? opts->fw_config->fw_command6 : opts->fw_config->fw_command, + chain, rule); res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, WANT_STDERR, NO_TIMEOUT, &pid_status, opts); @@ -231,16 +233,17 @@ rule_exists(const fko_srv_options_t * const opts, const unsigned int port, const char * const nat_ip, const unsigned int nat_port, - const unsigned int exp_ts) + const unsigned int exp_ts, + int ipv6) { int rule_exists = 0; if(have_ipt_chk_support == 1) - rule_exists = rule_exists_chk_support(opts, fwc->to_chain, rule); + rule_exists = rule_exists_chk_support(opts, fwc->to_chain, rule, ipv6); else rule_exists = rule_exists_no_chk_support(opts, fwc, proto, srcip, (opts->fw_config->use_destination ? dstip : NULL), port, - nat_ip, nat_port, exp_ts); + nat_ip, nat_port, exp_ts, ipv6); if(rule_exists == 1) log_msg(LOG_DEBUG, "rule_exists() Rule : '%s' in %s already exists", @@ -253,7 +256,7 @@ rule_exists(const fko_srv_options_t * const opts, } static void -ipt_chk_support(const fko_srv_options_t * const opts) +ipt_chk_support(const fko_srv_options_t * const opts, int ipv6) { int res = 1; struct fw_chain *in_chain = &(opts->fw_config->chain[IPT_INPUT_ACCESS]); @@ -265,10 +268,11 @@ ipt_chk_support(const fko_srv_options_t * const opts) * delete the rule, and return. */ snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_TMP_CHK_RULE_ARGS, - opts->fw_config->fw_command, + ipv6 ? opts->fw_config->fw_command6 : opts->fw_config->fw_command, in_chain->table, in_chain->from_chain, 1, /* first rule */ + ipv6 ? DUMMY_IPV6 : DUMMY_IP, in_chain->target ); @@ -284,9 +288,10 @@ ipt_chk_support(const fko_srv_options_t * const opts) /* Now see if '-C' works - any output indicates failure */ snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_TMP_VERIFY_CHK_ARGS, - opts->fw_config->fw_command, + ipv6 ? opts->fw_config->fw_command6 : opts->fw_config->fw_command, in_chain->table, in_chain->from_chain, + ipv6 ? DUMMY_IPV6 : DUMMY_IP, in_chain->target ); @@ -313,7 +318,7 @@ ipt_chk_support(const fko_srv_options_t * const opts) zero_cmd_buffers(); snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_DEL_RULE_ARGS, - opts->fw_config->fw_command, + ipv6 ? opts->fw_config->fw_command6 : opts->fw_config->fw_command, in_chain->table, in_chain->from_chain, 1 @@ -325,7 +330,7 @@ ipt_chk_support(const fko_srv_options_t * const opts) } static int -comment_match_exists(const fko_srv_options_t * const opts) +comment_match_exists(const fko_srv_options_t * const opts, int ipv6) { int res = 1; char *ndx = NULL; @@ -338,10 +343,11 @@ comment_match_exists(const fko_srv_options_t * const opts) * the rule and return true. */ snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_TMP_COMMENT_ARGS, - opts->fw_config->fw_command, + ipv6 ? opts->fw_config->fw_command6 : opts->fw_config->fw_command, in_chain->table, in_chain->from_chain, 1, /* first rule */ + ipv6 ? DUMMY_IPV6 : DUMMY_IP, in_chain->target ); @@ -355,7 +361,7 @@ comment_match_exists(const fko_srv_options_t * const opts) zero_cmd_buffers(); snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_LIST_RULES_ARGS, - opts->fw_config->fw_command, + ipv6 ? opts->fw_config->fw_command6 : opts->fw_config->fw_command, in_chain->table, in_chain->from_chain ); @@ -381,7 +387,7 @@ comment_match_exists(const fko_srv_options_t * const opts) zero_cmd_buffers(); snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_DEL_RULE_ARGS, - opts->fw_config->fw_command, + ipv6 ? opts->fw_config->fw_command6 : opts->fw_config->fw_command, in_chain->table, in_chain->from_chain, 1 @@ -394,14 +400,14 @@ comment_match_exists(const fko_srv_options_t * const opts) } static int -add_jump_rule(const fko_srv_options_t * const opts, const int chain_num) +add_jump_rule(const fko_srv_options_t * const opts, const int chain_num, int ipv6) { int res = 0, rv = 0; zero_cmd_buffers(); snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_ADD_JUMP_RULE_ARGS, - fwc.fw_command, + ipv6 ? fwc.fw_command6 : fwc.fw_command, fwc.chain[chain_num].table, fwc.chain[chain_num].from_chain, fwc.chain[chain_num].jump_rule_pos, @@ -429,14 +435,14 @@ add_jump_rule(const fko_srv_options_t * const opts, const int chain_num) } static int -chain_exists(const fko_srv_options_t * const opts, const int chain_num) +chain_exists(const fko_srv_options_t * const opts, const int chain_num, int ipv6) { int res = 0; zero_cmd_buffers(); snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_CHAIN_EXISTS_ARGS, - fwc.fw_command, + ipv6 ? fwc.fw_command6 : fwc.fw_command, fwc.chain[chain_num].table, fwc.chain[chain_num].to_chain ); @@ -460,7 +466,7 @@ chain_exists(const fko_srv_options_t * const opts, const int chain_num) } static int -jump_rule_exists_chk_support(const fko_srv_options_t * const opts, const int chain_num) +jump_rule_exists_chk_support(const fko_srv_options_t * const opts, const int chain_num, int ipv6) { int exists = 0; char rule_buf[CMD_BUFSIZE] = {0}; @@ -470,7 +476,7 @@ jump_rule_exists_chk_support(const fko_srv_options_t * const opts, const int cha fwc.chain[chain_num].to_chain ); - if(rule_exists_chk_support(opts, fwc.chain[chain_num].from_chain, rule_buf) == 1) + if(rule_exists_chk_support(opts, fwc.chain[chain_num].from_chain, rule_buf, ipv6) == 1) { log_msg(LOG_DEBUG, "jump_rule_exists_chk_support() jump rule found"); exists = 1; @@ -512,12 +518,12 @@ jump_rule_exists_no_chk_support(const fko_srv_options_t * const opts, } static int -jump_rule_exists(const fko_srv_options_t * const opts, const int chain_num) +jump_rule_exists(const fko_srv_options_t * const opts, const int chain_num, int ipv6) { int exists = 0; if(have_ipt_chk_support == 1) - exists = jump_rule_exists_chk_support(opts, chain_num); + exists = jump_rule_exists_chk_support(opts, chain_num, ipv6); else exists = jump_rule_exists_no_chk_support(opts, chain_num); @@ -568,7 +574,7 @@ fw_dump_rules(const fko_srv_options_t * const opts) } } - /* the same with IPv6 */ + /* the same with IPv6 */ for(i=0; i < NUM_FWKNOP_ACCESS_TYPES; i++) { if(fwc.chain[i].target[0] == '\0') @@ -636,7 +642,7 @@ fw_dump_rules(const fko_srv_options_t * const opts) } } - /* the same with IPv6 */ + /* the same with IPv6 */ for(i=0; i < NUM_FWKNOP_ACCESS_TYPES; i++) { if(fwc.chain[i].target[0] == '\0') @@ -677,7 +683,7 @@ fw_dump_rules(const fko_srv_options_t * const opts) /* Quietly flush and delete all fwknop custom chains. */ static void -delete_all_chains(const fko_srv_options_t * const opts) +delete_all_chains(const fko_srv_options_t * const opts, int ipv6) { int i, res, cmd_ctr = 0; @@ -690,7 +696,7 @@ delete_all_chains(const fko_srv_options_t * const opts) * is there. */ cmd_ctr = 0; - while(cmd_ctr < CMD_LOOP_TRIES && (jump_rule_exists(opts, i) == 1)) + while(cmd_ctr < CMD_LOOP_TRIES && (jump_rule_exists(opts, i, ipv6) == 1)) { zero_cmd_buffers(); @@ -828,7 +834,7 @@ delete_all_chains(const fko_srv_options_t * const opts) } static int -create_chain(const fko_srv_options_t * const opts, const int chain_num) +create_chain(const fko_srv_options_t * const opts, const int chain_num, int ipv6) { int res = 0, rv = 0; @@ -837,7 +843,7 @@ create_chain(const fko_srv_options_t * const opts, const int chain_num) /* Create the custom chain. */ snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_NEW_CHAIN_ARGS, - fwc.fw_command, + ipv6 ? fwc.fw_command6 : fwc.fw_command, fwc.chain[chain_num].table, fwc.chain[chain_num].to_chain ); @@ -860,18 +866,18 @@ create_chain(const fko_srv_options_t * const opts, const int chain_num) } static int -mk_chain(const fko_srv_options_t * const opts, const int chain_num) +mk_chain(const fko_srv_options_t * const opts, const int chain_num, int ipv6) { int err = 0; /* Make sure the required chain and jump rule exist */ - if(! chain_exists(opts, chain_num)) - if(! create_chain(opts, chain_num)) + if(! chain_exists(opts, chain_num, ipv6)) + if(! create_chain(opts, chain_num, ipv6)) err++; - if (! jump_rule_exists(opts, chain_num)) - if(! add_jump_rule(opts, chain_num)) + if (! jump_rule_exists(opts, chain_num, ipv6)) + if(! add_jump_rule(opts, chain_num, ipv6)) err++; return err; @@ -880,7 +886,7 @@ mk_chain(const fko_srv_options_t * const opts, const int chain_num) /* Create the fwknop custom chains (at least those that are configured). */ static int -create_fw_chains(const fko_srv_options_t * const opts) +create_fw_chains(const fko_srv_options_t * const opts, int ipv6) { int i, got_err = 0; #if USE_LIBNETFILTER_QUEUE @@ -892,7 +898,7 @@ create_fw_chains(const fko_srv_options_t * const opts) if(fwc.chain[i].target[0] == '\0') continue; - got_err += mk_chain(opts, i); + got_err += mk_chain(opts, i, ipv6); } #if USE_LIBNETFILTER_QUEUE @@ -903,7 +909,7 @@ create_fw_chains(const fko_srv_options_t * const opts) /* Create the NF_QUEUE chains and rules */ snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_NEW_CHAIN_ARGS, - fwc.fw_command, + ipv6 ? fwc.fw_command6 : fwc.fw_command, opts->config[CONF_NFQ_TABLE], opts->config[CONF_NFQ_CHAIN] ); @@ -926,7 +932,7 @@ create_fw_chains(const fko_srv_options_t * const opts) /* Create the rule to direct traffic to the NFQ chain. */ snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_ADD_JUMP_RULE_ARGS, - fwc.fw_command, + ipv6 ? fwc.fw_command6 : fwc.fw_command, opts->config[CONF_NFQ_TABLE], "INPUT", 1, @@ -966,7 +972,7 @@ create_fw_chains(const fko_srv_options_t * const opts) else { snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_NFQ_ADD_ARGS, - fwc.fw_command, + ipv6 ? fwc.fw_command6 : fwc.fw_command, opts->config[CONF_NFQ_TABLE], opts->config[CONF_NFQ_CHAIN], opts->config[CONF_NFQ_PORT], @@ -1166,16 +1172,22 @@ fw_initialize(const fko_srv_options_t * const opts) if(opts->ipt_disable_check_support) have_ipt_chk_support = 0; else - ipt_chk_support(opts); + { + ipt_chk_support(opts, 0); + ipt_chk_support(opts, 1); + } /* Flush the chains (just in case) so we can start fresh. */ if(strncasecmp(opts->config[CONF_FLUSH_IPT_AT_INIT], "Y", 1) == 0) - delete_all_chains(opts); + { + delete_all_chains(opts, 0); + delete_all_chains(opts, 1); + } /* Now create any configured chains. */ - if(create_fw_chains(opts) != 0) + if(create_fw_chains(opts, 0) != 0 || create_fw_chains(opts, 1) != 0) { log_msg(LOG_WARNING, "fw_initialize() Warning: Errors detected during fwknop custom chain creation"); @@ -1186,7 +1198,7 @@ fw_initialize(const fko_srv_options_t * const opts) */ if(strncasecmp(opts->config[CONF_ENABLE_IPT_COMMENT_CHECK], "Y", 1) == 0) { - if(comment_match_exists(opts) == 1) + if(comment_match_exists(opts, 0) == 1 && comment_match_exists(opts, 1) == 1) { log_msg(LOG_INFO, "iptables 'comment' match is available"); } @@ -1207,13 +1219,14 @@ fw_cleanup(const fko_srv_options_t * const opts) && opts->fw_flush == 0) return(0); - delete_all_chains(opts); + delete_all_chains(opts, 0); + delete_all_chains(opts, 1); return(0); } static int create_rule(const fko_srv_options_t * const opts, - const char * const fw_chain, const char * const fw_rule) + const char * const fw_chain, const char * const fw_rule, int ipv6) { int res = 0; @@ -1221,10 +1234,12 @@ create_rule(const fko_srv_options_t * const opts, if (strncasecmp(opts->config[CONF_ENABLE_RULE_PREPEND], "Y", 1) == 0) { snprintf(cmd_buf, CMD_BUFSIZE-1, "%s -I %s %s", - opts->fw_config->fw_command, fw_chain, fw_rule); + ipv6 ? opts->fw_config->fw_command6 : opts->fw_config->fw_command, + fw_chain, fw_rule); } else { snprintf(cmd_buf, CMD_BUFSIZE-1, "%s -A %s %s", - opts->fw_config->fw_command, fw_chain, fw_rule); + ipv6 ? opts->fw_config->fw_command6 : opts->fw_config->fw_command, + fw_chain, fw_rule); } res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, WANT_STDERR, NO_TIMEOUT, &pid_status, opts); @@ -1260,7 +1275,8 @@ ipt_rule(const fko_srv_options_t * const opts, const unsigned int exp_ts, const time_t now, const char * const msg, - const char * const access_msg) + const char * const access_msg, + int ipv6) { char rule_buf[CMD_BUFSIZE] = {0}; @@ -1285,12 +1301,12 @@ ipt_rule(const fko_srv_options_t * const opts, /* Check to make sure that the chain and jump rule exist */ - mk_chain(opts, chain->type); + mk_chain(opts, chain->type, ipv6); if(rule_exists(opts, chain, rule_buf, proto, srcip, - dstip, port, nat_ip, nat_port, exp_ts) == 0) + dstip, port, nat_ip, nat_port, exp_ts, ipv6) == 0) { - if(create_rule(opts, chain->to_chain, rule_buf)) + if(create_rule(opts, chain->to_chain, rule_buf, ipv6)) { log_msg(LOG_INFO, "Added %s rule to %s for %s -> %s %s, expires at %u", msg, chain->to_chain, srcip, (dstip == NULL) ? IPT_ANY_IP : dstip, @@ -1319,7 +1335,8 @@ static void forward_access_rule(const fko_srv_options_t * const opts, const unsigned int fst_port, spa_data_t * const spadat, const unsigned int exp_ts, - const time_t now) + const time_t now, + int ipv6) { char rule_buf[CMD_BUFSIZE] = {0}; @@ -1342,7 +1359,7 @@ static void forward_access_rule(const fko_srv_options_t * const opts, */ ipt_rule(opts, rule_buf, NULL, spadat->use_src_ip, NULL, ANY_PROTO, ANY_PORT, NULL, NAT_ANY_PORT, - fwd_chain, exp_ts, now, "FORWARD ALL", "*/*"); + fwd_chain, exp_ts, now, "FORWARD ALL", "*/*", ipv6); } else { @@ -1358,7 +1375,7 @@ static void forward_access_rule(const fko_srv_options_t * const opts, */ ipt_rule(opts, rule_buf, NULL, spadat->use_src_ip, NULL, fst_proto, nat_port, NULL, NAT_ANY_PORT, - fwd_chain, exp_ts, now, "FORWARD", spadat->spa_message_remain); + fwd_chain, exp_ts, now, "FORWARD", spadat->spa_message_remain, ipv6); } return; } @@ -1372,7 +1389,8 @@ static void dnat_rule(const fko_srv_options_t * const opts, const unsigned int fst_port, spa_data_t * const spadat, const unsigned int exp_ts, - const time_t now) + const time_t now, + int ipv6) { char rule_buf[CMD_BUFSIZE] = {0}; @@ -1396,7 +1414,7 @@ static void dnat_rule(const fko_srv_options_t * const opts, */ ipt_rule(opts, rule_buf, NULL, spadat->use_src_ip, NULL, ANY_PROTO, ANY_PORT, NULL, NAT_ANY_PORT, - dnat_chain, exp_ts, now, "DNAT ALL", "*/*"); + dnat_chain, exp_ts, now, "DNAT ALL", "*/*", ipv6); } else { @@ -1417,7 +1435,7 @@ static void dnat_rule(const fko_srv_options_t * const opts, ipt_rule(opts, rule_buf, NULL, spadat->use_src_ip, (fwc.use_destination ? spadat->pkt_destination_ip : IPT_ANY_IP), fst_proto, fst_port, nat_ip, nat_port, dnat_chain, exp_ts, now, - "DNAT", spadat->spa_message_remain); + "DNAT", spadat->spa_message_remain, ipv6); } return; } @@ -1430,7 +1448,8 @@ static void snat_rule(const fko_srv_options_t * const opts, const unsigned int fst_port, spa_data_t * const spadat, const unsigned int exp_ts, - const time_t now) + const time_t now, + int ipv6) { char rule_buf[CMD_BUFSIZE] = {0}; char snat_target[SNAT_TARGET_BUFSIZE] = {0}; @@ -1478,7 +1497,7 @@ static void snat_rule(const fko_srv_options_t * const opts, ipt_rule(opts, rule_buf, NULL, spadat->use_src_ip, NULL, ANY_PROTO, ANY_PORT, NULL, NAT_ANY_PORT, - snat_chain, exp_ts, now, "SNAT ALL", "*/*"); + snat_chain, exp_ts, now, "SNAT ALL", "*/*", ipv6); } else { @@ -1529,7 +1548,7 @@ static void snat_rule(const fko_srv_options_t * const opts, ipt_rule(opts, rule_buf, NULL, spadat->use_src_ip, NULL, fst_proto, nat_port, nat_ip, nat_port, snat_chain, exp_ts, now, "SNAT", - spadat->spa_message_remain); + spadat->spa_message_remain, ipv6); } return; } @@ -1563,6 +1582,8 @@ process_spa_request(const fko_srv_options_t * const opts, time_t now; unsigned int exp_ts; + int ipv6 = 0; + /* Parse and expand our access message. */ if(expand_acc_port_list(&port_list, spadat->spa_message_remain) != 1) @@ -1610,7 +1631,7 @@ process_spa_request(const fko_srv_options_t * const opts, if((ndx != NULL) && (str_len <= MAX_HOSTNAME_LEN)) { strlcpy(nat_dst, spadat->nat_access, str_len+1); - if(! is_valid_ip_addr(nat_dst, str_len, AF_INET)) + if(! is_valid_ip_addr(nat_dst, str_len, ipv6 ? AF_INET6 : AF_INET)) { if(strncasecmp(opts->config[CONF_ENABLE_NAT_DNS], "Y", 1) == 0) { @@ -1668,27 +1689,27 @@ process_spa_request(const fko_srv_options_t * const opts, ipt_rule(opts, NULL, IPT_RULE_ARGS, spadat->use_src_ip, (fwc.use_destination ? spadat->pkt_destination_ip : IPT_ANY_IP), fst_proto, nat_port, nat_ip, nat_port, in_chain, exp_ts, - now, "local NAT", spadat->spa_message_remain); + now, "local NAT", spadat->spa_message_remain, ipv6); } else if(strlen(fwd_chain->to_chain)) { /* FORWARD access rule */ forward_access_rule(opts, acc, fwd_chain, nat_ip, - nat_port, fst_proto, fst_port, spadat, exp_ts, now); + nat_port, fst_proto, fst_port, spadat, exp_ts, now, ipv6); } /* DNAT rule */ if(strlen(dnat_chain->to_chain) && !acc->disable_dnat) dnat_rule(opts, acc, dnat_chain, nat_ip, - nat_port, fst_proto, fst_port, spadat, exp_ts, now); + nat_port, fst_proto, fst_port, spadat, exp_ts, now, ipv6); /* SNAT rule */ if(acc->force_snat || strncasecmp(opts->config[CONF_ENABLE_IPT_SNAT], "Y", 1) == 0) snat_rule(opts, acc, nat_ip, nat_port, - fst_proto, fst_port, spadat, exp_ts, now); + fst_proto, fst_port, spadat, exp_ts, now, ipv6); } else /* Non-NAT request - this is the typical case. */ { @@ -1699,7 +1720,7 @@ process_spa_request(const fko_srv_options_t * const opts, ipt_rule(opts, NULL, IPT_RULE_ARGS, spadat->use_src_ip, (fwc.use_destination ? spadat->pkt_destination_ip : IPT_ANY_IP), ple->proto, ple->port, NULL, NAT_ANY_PORT, - in_chain, exp_ts, now, "access", spadat->spa_message_remain); + in_chain, exp_ts, now, "access", spadat->spa_message_remain, ipv6); /* We need to make a corresponding OUTPUT rule if out_chain target * is not NULL. @@ -1709,7 +1730,7 @@ process_spa_request(const fko_srv_options_t * const opts, ipt_rule(opts, NULL, IPT_OUT_RULE_ARGS, spadat->use_src_ip, (fwc.use_destination ? spadat->pkt_destination_ip : IPT_ANY_IP), ple->proto, ple->port, NULL, NAT_ANY_PORT, - out_chain, exp_ts, now, "OUTPUT", spadat->spa_message_remain); + out_chain, exp_ts, now, "OUTPUT", spadat->spa_message_remain, ipv6); } ple = ple->next; } diff --git a/server/fw_util_iptables.h b/server/fw_util_iptables.h index 9869f6e7..dc2680c0 100644 --- a/server/fw_util_iptables.h +++ b/server/fw_util_iptables.h @@ -49,9 +49,9 @@ #define IPT_DNAT_ALL_RULE_ARGS "-t %s -s %s -d %s -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s --to-destination %s" SH_REDIR #define IPT_SNAT_RULE_ARGS "-t %s -p %i -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s %s" SH_REDIR #define IPT_SNAT_ALL_RULE_ARGS "-t %s -s %s -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s %s" SH_REDIR -#define IPT_TMP_COMMENT_ARGS "-t %s -I %s %i -s " DUMMY_IP " -m comment --comment " TMP_COMMENT " -j %s" SH_REDIR -#define IPT_TMP_CHK_RULE_ARGS "-t %s -I %s %i -s " DUMMY_IP " -p udp -j %s" SH_REDIR -#define IPT_TMP_VERIFY_CHK_ARGS "-t %s -C %s -s " DUMMY_IP " -p udp -j %s" SH_REDIR +#define IPT_TMP_COMMENT_ARGS "-t %s -I %s %i -s %s -m comment --comment " TMP_COMMENT " -j %s" SH_REDIR +#define IPT_TMP_CHK_RULE_ARGS "-t %s -I %s %i -s %s -p udp -j %s" SH_REDIR +#define IPT_TMP_VERIFY_CHK_ARGS "-t %s -C %s -s %s -p udp -j %s" SH_REDIR #define IPT_DEL_RULE_ARGS "-t %s -D %s %i" SH_REDIR #define IPT_NEW_CHAIN_ARGS "-t %s -N %s" SH_REDIR #define IPT_FLUSH_CHAIN_ARGS "-t %s -F %s" SH_REDIR