ipv6 #3

Open
jnorell opened this Issue Jan 14, 2014 · 5 comments

Contributor

jnorell commented Jan 14, 2014

vzfirewall could use updating for ipv6 support

Owner

DmitryKoterov commented Jan 16, 2014

?

Contributor

jnorell commented Jan 21, 2014

We need ip6tables rules setup. On one of our machines running vzfirewall:

# ip6tables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination      

No ipv6 firewall rules, but if you check, you'll find (possibly many) processes listening on ipv6, e.g.

# netstat -ntau | grep ^tcp6 | grep LISTEN | sort -u
tcp6       0      0 :::110                  :::*                    LISTEN     
tcp6       0      0 ::1:25                  :::*                    LISTEN     
tcp6       0      0 :::143                  :::*                    LISTEN     
tcp6       0      0 ::1:6010                :::*                    LISTEN     
tcp6       0      0 ::1:6011                :::*                    LISTEN     
tcp6       0      0 :::22                   :::*                    LISTEN     
tcp6       0      0 :::25                   :::*                    LISTEN     
tcp6       0      0 :::443                  :::*                    LISTEN     
tcp6       0      0 :::8009                 :::*                    LISTEN     
tcp6       0      0 :::9080                 :::*                    LISTEN     
tcp6       0      0 :::993                  :::*                    LISTEN     
tcp6       0      0 :::995                  :::*                    LISTEN     

Our openvz hardware nodes are one firewall upgrade away from having live ipv6 connectivity, so this is something we'll need soon. Maybe in the short term we add a setting to block all IPv6 (just set chain policies to DROP)? Then keep that setting as a feature even in future versions when full ip6tables support is working.

Contributor

jnorell commented Jan 21, 2014

Implementation issues:

Address parsing, both the openvz container ip address (see https://openvz.org/IPv6) as well as addresses in firewall rules (resolve() function).

Custom rules will probably need a handle to specify if they're ipv4 or ipv6.

Need a second file to store ip6tables rules (e.g. iptables-persistent uses /etc/iptables/rules.v6).
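An added example (not vzfirewall's own code) of the implementation points above, and of the "block all IPv6" default proposed earlier in the thread: rule addresses are split by family and rendered into separate rules.v4 / rules.v6 files in iptables-restore format, with the IPv6 chains set to DROP. The file paths follow the iptables-persistent convention named above; the sample addresses are constructed, and hostnames are assumed to be resolved to addresses beforehand.

```python
import ipaddress

# Constructed sample input: (address-or-network, tcp port) pairs a
# vzfirewall-style config might resolve; mixed IPv4 and IPv6 on purpose.
SAMPLE_ALLOW = [
    ("192.0.2.10", 22),
    ("2001:db8::217", 22),
    ("198.51.100.0/24", 443),
    ("2001:db8:1::/48", 443),
]

def split_by_family(entries):
    """Return (ipv4_rules, ipv6_rules); raises ValueError on a non-address,
    which is what the resolve() step must catch before calling *tables."""
    v4, v6 = [], []
    for addr, port in entries:
        net = ipaddress.ip_network(addr, strict=False)
        (v4 if net.version == 4 else v6).append((str(net), port))
    return v4, v6

def render_ruleset(rules, family):
    """Render one iptables-restore / ip6tables-restore file.

    INPUT and FORWARD default to DROP. For IPv6 the ruleset must still admit
    loopback and ICMPv6: neighbor discovery and path-MTU discovery are ICMPv6,
    so a bare DROP policy leaves the host unable to talk to its own link."""
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    if family == 6:
        lines.append("-A INPUT -p icmpv6 -j ACCEPT")
    for src, port in rules:
        lines.append(f"-A INPUT -s {src} -p tcp --dport {port} -j ACCEPT")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"

def build_rule_files(entries):
    """Map each rules file path (iptables-persistent layout) to its contents."""
    v4, v6 = split_by_family(entries)
    return {
        "/etc/iptables/rules.v4": render_ruleset(v4, 4),
        "/etc/iptables/rules.v6": render_ruleset(v6, 6),
    }
```

The rendered text is what would be fed to `iptables-restore` and `ip6tables-restore` respectively; writing it to the two files first lets a test run (as vzfirewall already does) reject a bad ruleset before anything is applied.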

CoreTex commented Aug 30, 2014

Please implement ipv6 support. If you have configured one container with an ipv6 address, the whole firewall doesn't work.

Default action for incoming packets - reject.

-A INPUT -j vzfw-deny
-A FORWARD -j vzfw-deny
COMMIT
Testing new rules...
iptables-restore v1.4.14: host/network `2a01:xxxx:xxxx:xxxx::217' not found
Error occurred at line: 95
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Test failed. Apply nothing.

Contributor

jnorell commented Apr 27, 2016

https://openvz.org/IPv6 says

IPv6 works best when veth devices are used to bridge VEs to their host.

With better veth support we can specify rules that match the CT interface, not specific IP addresses. Hopefully I'll have a pull request for that soon, then the remainder is just the config/syntax to specify rules for ipv4 vs. ipv6 vs. both, and then of course actually calling ip6tables.
