Bug #421
updown script fails to install firewall rules when protected protocol is ICMP[v6]
Description
It looks like ip6tables is not called correctly. From syslog:
updown: ip6tables v1.4.20: unknown option "--dport"
updown: Try `ip6tables -h' or 'ip6tables --help' for more information.
In my exec log (thanks to grsecurity I could capture where this happens):
ip6tables -D FORWARD -o eth0 -p 58 -s ADDRESS::/56 -d ADDRESS/128 --dport 128 -m policy --pol ipsec --pro
Protocol 58 is ICMPv6. This does indeed not support --dport.
I am not sure in which category this fits.
History
#1 Updated by drumfire _ almost 12 years ago
Greetings,
My tunnels are working suboptimal and I wonder if this has anything to do with it. I don't really understand how the script works though, is this not an important issue?
Thank you
#2 Updated by Tobias Brunner almost 12 years ago
- Status changed from New to Assigned
- Assignee set to Tobias Brunner
- Target version set to 5.1.1
A fix for this issue is on its way (check the icmp branch of the Git repository).
My tunnels are working suboptimal and I wonder if this has anything to do with it.
Whether this issue has anything to do with that probably depends on your strongSwan and firewall configuration.
I don't really understand how the script works though, is this not an important issue?
The script is called after a CHILD_SA is established, if leftfirewall is set to yes. That option is intended in situations where the default policies of the INPUT/OUTPUT/FORWARD chains are set to DROP (or traffic is otherwise blocked). The script then installs the required firewall rules that allow traffic from/to the established tunnels.
#3 Updated by Tobias Brunner almost 12 years ago
- Status changed from Assigned to Closed
- Resolution set to Fixed
I merged the branch into master.
#4 Updated by drumfire _ almost 12 years ago
Hello Tobias,
The script is called after a CHILD_SA is established, if leftfirewall is set to yes. That option is intended in situations where the default policies of the INPUT/OUTPUT/FORWARD chains are set to DROP (or traffic is otherwise blocked). The script then installs the required firewall rules that allow traffic from/to the established tunnels.
I do have a DROP policy in those chains so yes, chances are that there are some forwarding issues. We'll see whether this is the case.
Resolution set to Fixed
Very nice, thank you.
#5 Updated by Tobias Brunner almost 12 years ago
- Subject changed from Bug in IPv6 firewall script to updown script fails to install firewall rules when protected protocol is ICMP[v6]
#6 Updated by drumfire _ over 11 years ago
Not sure if I should create a new bug report or not, please let me know if this is preferred over reopening this one.
While I noticed that the fix works for ICMP, I discovered that it does not yet work properly when --proto esp:
ip6tables -I INPUT 1 -i eth0 -p 0 -s <IP-A>/128 --sport 514 -d <IP-B>/60 -m policy --pol ipsec --proto esp --reqid 1 --dir in -j ACCEPT
ip6tables v1.4.21: unknown option "--sport"
Try `ip6tables -h' or 'ip6tables --help' for more information.
As an aside: I also noticed that the iptables line contains -p 0 first, and --proto esp later. It's no cause for concern but I wanted to point it out just in case.
Cheers
#7 Updated by Tobias Brunner over 11 years ago
Please open a new ticket. It looks like a different issue and it makes it easier to track.