This repository has been archived by the owner on Sep 16, 2022. It is now read-only.

Fix issue with IPv6 and blocking #210

Closed
vpetersson opened this issue May 24, 2019 · 2 comments · Fixed by #214

@vpetersson
Contributor

When blocking an IPv6 IP, we get the following error:

pi@wott0:~ $ sudo wott-agent
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/iptc/ip4tc.py", line 1093, in set_dst
    daddr = _a_to_i(socket.inet_pton(socket.AF_INET, addr))
OSError: illegal IP address string passed to inet_pton

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/bin/wott-agent", line 11, in <module>
    load_entry_point('wott-agent==0.1.5', 'console_scripts', 'wott-agent')()
  File "/usr/lib/python3/dist-packages/agent/__main__.py", line 43, in main
    run(ping=True, debug=args.debug, dev=args.dev)
  File "/usr/lib/python3/dist-packages/agent/__init__.py", line 423, in run
    send_ping(debug=debug, dev=dev)
  File "/usr/lib/python3/dist-packages/agent/__init__.py", line 276, in send_ping
    security_helper.block_ports(pong.get('block_ports', {'tcp': [], 'udp': []}))
  File "/usr/lib/python3/dist-packages/agent/security_helper.py", line 186, in block_ports
    update_iptables(TABLE, INPUT_CHAIN, rules)
  File "/usr/lib/python3/dist-packages/agent/security_helper.py", line 165, in update_iptables
    iptc_helper.add_rule(table, chain, r)
  File "/usr/lib/python3/dist-packages/agent/iptc_helper.py", line 84, in add_rule
    iptc_rule = encode_iptc_rule(rule_d, ipv6)
  File "/usr/lib/python3/dist-packages/agent/iptc_helper.py", line 339, in encode_iptc_rule
    _iptc_setrule(iptc_rule, name, rule_d[name])
  File "/usr/lib/python3/dist-packages/agent/iptc_helper.py", line 443, in _iptc_setrule
    _iptc_setattr(iptc_rule, name, value)
  File "/usr/lib/python3/dist-packages/agent/iptc_helper.py", line 434, in _iptc_setattr
    setattr(object, name, value)
  File "/usr/lib/python3/dist-packages/iptc/ip4tc.py", line 1095, in set_dst
    raise ValueError("invalid address %s" % (addr))
ValueError: invalid address ::1

Blocking IPv6 is unfortunately required for even blocking IPv4 traffic.

@a-martynovich
Contributor

iptc.easy.add_rule needs to know if an address is v6 or not in advance.

So, for every block_networks and block_ports element there needs to be an IP version.
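
One way to attach an IP version to every block-list element, as the comment above calls for. This is an added example, not code from the wott-agent project; the `(host, port)` element shape, the function names and the sample data are assumptions.

```python
import ipaddress

def ip_version(entry):
    """Return 4 or 6 for an address or CIDR string; raise ValueError otherwise."""
    if not isinstance(entry, str):
        # ip_network() would accept a bare int as an IPv4 address; refuse it.
        raise ValueError("address must be a string: %r" % (entry,))
    # strict=False accepts host addresses ("::1") and CIDR with host bits set.
    return ipaddress.ip_network(entry, strict=False).version

def tag_block_ports(block_ports):
    """Attach an IP version to every element of a block list.

    block_ports: {'tcp': [(host, port), ...], 'udp': [...]}  (assumed shape)
    Returns (tagged, rejected); each tagged item carries an 'ipv6' flag the
    caller can pass on to its IPv4 or IPv6 rule writer.
    """
    tagged, rejected = [], []
    for proto, entries in block_ports.items():
        for host, port in entries:
            try:
                version = ip_version(host)
            except ValueError:
                # Never hand an unparseable address to the firewall layer.
                rejected.append((proto, host, port))
                continue
            tagged.append({'proto': proto, 'dst': host, 'port': port,
                           'ipv6': version == 6})
    return tagged, rejected

# Constructed sample input, not taken from the issue.
SAMPLE = {
    'tcp': [('0.0.0.0', 22), ('::', 22), ('::1', 631), ('not-an-ip', 80)],
    'udp': [('192.168.1.0/24', 53), ('fe80::/10', 5353)],
}

if __name__ == "__main__":
    tagged, rejected = tag_block_ports(SAMPLE)
    for rule in tagged:
        print(rule)
    print("rejected:", rejected)
```

Entries that fail to parse are returned separately so the agent can log them and still apply the remaining rules.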

@vpetersson
Contributor Author

We also need to add a column in the dashboard showing IPv4 or IPv6 (even if it is obvious to a trained eye).
