commit 5e0b34d6492109e5039cb367a97a1a4564a1c545
Author: Jiri Popelka <jpopelka@redhat.com>
Date: Wed Dec 3 18:28:17 2014 +0100
Don't use ipv6header for protocol matching. (RHBZ#1065565)
for example
ip6tables -m ipv6header --header tcp -j ACCEPT
doesn't work, even though iptables-extensions(8) claims:
'A protocol name from /etc/protocols and numeric value also allowed.'
It might be a bug in iptables, but I think using ipv6header just for
protocol matching is overkill anyway and using --protocol should be fine.
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index cb7b7c9..ed6e995 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -798,10 +798,7 @@ class FirewallZone:
if proto in [ "tcp", "udp" ]:
command += [ "-m", proto, "-p", proto ]
else:
- if ipv == "ipv4":
- command += [ "-p", proto ]
- else:
- command += [ "-m", "ipv6header", "--header", proto ]
+ command += [ "-p", proto ]
if port:
command += [ "--dport", "%s" % portStr(port) ]
if ipv in svc.destination and svc.destination[ipv] != "":
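Review bot: The else branch now emits `command += [ "-p", proto ]` unconditionally, which leaves the same tcp/udp-versus-other dispatch duplicated here and in the second hunk (@@ -1092 +1089, where `rule` is built); two hand-synchronised copies are exactly how the ipv4/ipv6 divergence this commit removes was able to creep in. A small module-level helper next to portStr, called from both sites as `command += proto_args(proto)` and `rule += proto_args(proto)`, keeps the two rule builders identical by construction. The reason for dropping ipv6header lives only in the commit message; a one-line comment at the new line, `# -p matches the protocol for both ipv4 and ipv6; ipv6header does not accept protocol names (RHBZ#1065565)`, keeps it with the code. Both enclosing FirewallZone methods start and end outside the hunks.
```python
def proto_args(proto):
    """Return the iptables/ip6tables arguments that match *proto*.

    tcp and udp load their match module explicitly, as the existing rule
    builders do; any other protocol is matched with -p alone, which works
    for both ipv4 and ipv6 (the ipv6header match does not accept protocol
    names, RHBZ#1065565).
    """
    if proto in [ "tcp", "udp" ]:
        return [ "-m", proto, "-p", proto ]
    return [ "-p", proto ]
```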
@@ -1092,10 +1089,7 @@ class FirewallZone:
if proto in [ "tcp", "udp" ]:
rule += [ "-m", proto, "-p", proto ]
else:
- if ipv == "ipv4":
- rule += [ "-p", proto ]
- else:
- rule += [ "-m", "ipv6header", "--header", proto ]
+ rule += [ "-p", proto ]
if port:
rule += [ "--dport", "%s" % portStr(port) ]
if ipv in svc.destination and svc.destination[ipv] != "":