[pve-devel] [PATCH 07/18] add icmpv6 support

Alexandre Derumier aderumier at odiso.com
Tue Jul 15 09:58:05 CEST 2014


skip icmpv6 rule for iptables rules
skip icmp rule for ip6tables rules

Signed-off-by: Alexandre Derumier <aderumier at odiso.com>
---
 src/PVE/Firewall.pm |   45 ++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 44 insertions(+), 1 deletion(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index aaeec04..a0a65ad 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -618,6 +618,32 @@ my $icmp_type_names = {
     'address-mask-reply' => 1,
 };
 
+# ip6tables -p icmpv6 -h
+
+my $icmpv6_type_names = {
+    'any' => 1,
+    'destination-unreachable' => 1,
+    'no-route' => 1,
+    'communication-prohibited' => 1,
+    'address-unreachable' => 1,
+    'port-unreachable' => 1,
+    'packet-too-big' => 1,
+    'time-exceeded' => 1,
+    'ttl-zero-during-transit' => 1,
+    'ttl-zero-during-reassembly' => 1,
+    'parameter-problem' => 1,
+    'bad-header' => 1,
+    'unknown-header-type' => 1,
+    'unknown-option' => 1,
+    'echo-request' => 1,
+    'echo-reply' => 1,
+    'router-solicitation' => 1,
+    'router-advertisement' => 1,
+    'neighbour-solicitation' => 1,
+    'neighbour-advertisement' => 1,
+    'redirect' => 1,
+};
+
 sub init_firewall_macros {
 
     $pve_fw_parsed_macros = {};
@@ -704,6 +730,9 @@ sub get_etc_protocols {
 
     close($fh);
 
+    $protocols->{byid}->{icmpv6}->{name} = "icmpv6";
+    $protocols->{byname}->{icmpv6} = $protocols->{byid}->{icmpv6};
+
     $etc_protocols = $protocols;
 
     return $etc_protocols;
@@ -834,6 +863,8 @@ sub parse_port_name_number_or_range {
 	} else {
 	    if ($icmp_type_names->{$item}) {
 		$icmp_port = 1;
+	    }elsif ($icmpv6_type_names->{$item}) {
+		$icmp_port = 1;
 	    } else {
 		die "invalid port '$item'\n" if !$services->{byname}->{$item};
 	    }
@@ -1073,6 +1104,7 @@ sub verify_rule {
 
     my $allow_groups = $rule_env eq 'group' ? 0 : 1;
     my $ipversion = undef;
+    my $protoversion = undef;
 
     my $allow_iface = $rule_env_iface_lookup->{$rule_env};
     die "unknown rule_env '$rule_env'\n" if !defined($allow_iface); # should not happen
@@ -1154,6 +1186,8 @@ sub verify_rule {
     if ($rule->{proto}) {
 	eval { pve_fw_verify_protocol_spec($rule->{proto}); };
 	&$add_error('proto', $@) if $@;
+	$protoversion = '4' if($rule->{proto} eq 'icmp');
+	$protoversion = '6' if($rule->{proto} eq 'icmpv6');
     }
 
     if ($rule->{dport}) {
@@ -1196,8 +1230,13 @@ sub verify_rule {
 	}
     }
 
-    $rule->{errors} = $errors if $error_count;
+
+    &$add_error('proto', "proto version and ipversion are not the same") if $ipversion && $protoversion && $protoversion ne $ipversion;
     $rule->{ipversion} = $ipversion if $ipversion;
+    $rule->{ipversion} = $protoversion if $protoversion;
+
+    $rule->{errors} = $errors if $error_count;
+    
 
     return $rule;
 }
@@ -1451,6 +1490,10 @@ sub ruleset_generate_cmdstr {
 		# Note: we use dport to store --icmp-type
 		die "unknown icmp-type '$rule->{dport}'\n" if !defined($icmp_type_names->{$rule->{dport}});
 		push @cmd, "-m icmp --icmp-type $rule->{dport}";
+	    } elsif ($rule->{proto} && $rule->{proto} eq 'icmpv6') {
+		# Note: we use dport to store --icmpv6-type
+		die "unknown icmpv6-type '$rule->{dport}'\n" if !defined($icmpv6_type_names->{$rule->{dport}});
+		push @cmd, "-m icmpv6 --icmpv6-type $rule->{dport}";
 	    } else {
 		if ($nbdport > 1) {
 		    if ($multiport == 2) {
-- 
1.7.10.4



More information about the pve-devel mailing list