diff --git a/doc/ChangeLog b/doc/ChangeLog index a8312b48a..2c001c9b2 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -1,5 +1,15 @@ 2010-10-29 Vadim Kurland + * PolicyCompiler_ipt.cpp (checkForStatefulICMP6Rules::processNext): + fixed SF bug 3094273 "no state needed for ipv6-icmp in + ip6tables". Rules that match ICMPv6 objects should be + stateless. Compiler will check for this and reset "stateful" flag + of a rule and issue warning if the rule was built stateful in the + GUI. This could be version-dependent, we may need to revisit this + in the future when netfilter fixes the underlying issue. Some + resources: https://bugzilla.redhat.com/show_bug.cgi?id=243739 + https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/479105 + * src/res/objects_init.xml.in: added ICMPv6 object "parameter problem" (type 4, any code) per SF feature request 3094743. Also added service group object "ipv6 unreachable messages" that diff --git a/src/iptlib/PolicyCompiler_ipt.cpp b/src/iptlib/PolicyCompiler_ipt.cpp index 743e7673d..b9e4391a2 100644 --- a/src/iptlib/PolicyCompiler_ipt.cpp +++ b/src/iptlib/PolicyCompiler_ipt.cpp 
@@ -3672,6 +3672,34 @@ bool PolicyCompiler_ipt::splitRuleIfSrvAnyActionReject::processNext()
     return true;
 }
 
+/**
+ * objects in Srv must be of the same type by the time when we call
+ * this rule processor
+ */
+bool PolicyCompiler_ipt::checkForStatefulICMP6Rules::processNext()
+{
+    PolicyCompiler_ipt *ipt_comp=dynamic_cast(compiler);
+    PolicyRule *rule = getNext(); if (rule==NULL) return false;
+    FWOptions *ruleopt = rule->getOptionsObject();
+
+    RuleElementSrv *srv = rule->getSrv();
+    if (!srv->isAny())
+    {
+        Service *s = Service::cast(FWReference::getObject(srv->front()));
+        assert(s);
+        if (ICMP6Service::isA(s) && ! ruleopt->getBool("stateless"))
+        {
+            compiler->warning(
+                rule,
+                "Making rule stateless because it matches ICMPv6");
+            ruleopt->setBool("stateless",true);
+        }
+    }
+
+    tmp_queue.push_back(rule);
+    return true;
+}
+
 /*
  * I am adding subrule suffix here, which I then use to generate
  * unique new chain name for this rule. The idea is to generate
@@ -4535,6 +4563,7 @@ void PolicyCompiler_ipt::compile()
         add( new separatePortRanges("separate port ranges"));
         add( new separateUserServices("separate user services"));
         add( new separateSrcPort("split on TCP and UDP with source ports"));
+        add( new checkForStatefulICMP6Rules("Make sure rules that match icmpv6 are stateless"));
 
 //        add( new optimize1( "optimization 1, pass 1" ) );
 //        add( new optimize1( "optimization 1, pass 2" ) );
diff --git a/src/iptlib/PolicyCompiler_ipt.h b/src/iptlib/PolicyCompiler_ipt.h
index 4771d3af3..3c6d339d1 100644
--- a/src/iptlib/PolicyCompiler_ipt.h
+++ b/src/iptlib/PolicyCompiler_ipt.h
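Review bot: The new processNext decides the stateless downgrade from `srv->front()` alone, so the check is only as good as the header comment's precondition that Srv is already homogeneous; if a later reordering of the processor chain breaks that invariant, a rule whose first element is not ICMPv6 keeps `-m state --state NEW` on its ICMPv6 elements (the very bug this fixes), while a rule that merely starts with an ICMPv6 object is made stateless for everything else in it, silently widening what it accepts. Scanning every element of Srv makes the processor self-contained, and if homogeneity is meant to be a hard invariant an assert or compiler abort on a mixed list would be the stronger choice. The `ipt_comp` local is never used in the hunk (its `dynamic_cast` template argument also seems to have been lost in this rendering) and can be dropped. The ChangeLog says the behaviour may be netfilter-version dependent; that caveat is worth carrying in the code too, e.g. `// Unconditional for now: netfilter keeps no conntrack state for ICMPv6 (SF bug 3094273); revisit if this becomes version-dependent.` The iteration below assumes RuleElementSrv exposes the usual FWObject begin()/end(); confirm against the class.
```cpp
bool PolicyCompiler_ipt::checkForStatefulICMP6Rules::processNext()
{
    PolicyRule *rule = getNext(); if (rule==NULL) return false;
    FWOptions *ruleopt = rule->getOptionsObject();

    // Unconditional for now: netfilter keeps no conntrack state for
    // ICMPv6 (SF bug 3094273); revisit if this becomes version-dependent.
    bool matches_icmp6 = false;
    RuleElementSrv *srv = rule->getSrv();
    if (!srv->isAny())
    {
        // Do not rely on Srv being homogeneous: look at every element.
        for (FWObject::iterator i = srv->begin(); i != srv->end(); ++i)
        {
            Service *s = Service::cast(FWReference::getObject(*i));
            assert(s);
            if (ICMP6Service::isA(s)) { matches_icmp6 = true; break; }
        }
    }

    if (matches_icmp6 && !ruleopt->getBool("stateless"))
    {
        // … unchanged: compiler->warning(...) and setBool("stateless", true) …
    }

    tmp_queue.push_back(rule);
    return true;
}
```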
@@ -749,6 +749,19 @@ protected: }; friend class PolicyCompiler_ipt::splitServicesIfRejectWithTCPReset; + /** + * Rules that match icmpv6 should not be stateful. See SF bug 3094273 + * Will reset "stateful" flag and issue warning. + * Call this processor after groups have been expanded in Srv + */ + class checkForStatefulICMP6Rules :public PolicyRuleProcessor + { + public: + checkForStatefulICMP6Rules(const std::string &name) : PolicyRuleProcessor(name) {} + virtual bool processNext(); + }; + friend class PolicyCompiler_ipt::checkForStatefulICMP6Rules; + /** * This processor separates TCP/UDP services with port ranges * (they can not be used with multiport). It also separates diff --git a/test/ipt/objects-for-regression-tests.fwb b/test/ipt/objects-for-regression-tests.fwb index 229a8a39f..3a74f037f 100644 --- a/test/ipt/objects-for-regression-tests.fwb +++ b/test/ipt/objects-for-regression-tests.fwb @@ -143,6 +143,12 @@ + + + + + + @@ -205,6 +211,7 @@ + @@ -31859,7 +31866,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT% - + @@ -32003,6 +32010,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT% + @@ -32023,6 +32031,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT% + @@ -32043,10 +32052,190 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT% + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -32066,7 +32255,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT% - + @@ -32086,7 +32275,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT% - +
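Review bot: The class comment says the processor 'Will reset "stateful" flag', but the implementation in PolicyCompiler_ipt.cpp sets the rule option named `"stateless"` to true, so a reader grepping for the option from this header will look for the wrong key; state the actual effect and its precondition in one place, e.g. `Sets the rule option "stateless" to true and issues a warning when a rule built stateful in the GUI matches an ICMPv6 service (SF bug 3094273). Run only after service groups in Srv have been expanded, since the check looks at the concrete Service objects.` The surrounding class body continues outside the hunk, so whether PolicyRuleProcessor already declares a virtual destructor cannot be confirmed from here.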