
"with knock" and IPv6 #40

Closed
maleadt opened this issue Oct 17, 2014 · 2 comments

Comments


maleadt commented Oct 17, 2014

Hi,

Port knocking seems partially broken in firehol 2.0.0 rc2, because of the knock chain not being added for IPv6 traffic. I.e., using server ssh accept with knock admin, I get the following error:

WHAT    : A runtime command failed to execute (returned error 2).
SOURCE  : line 38 of /etc/firehol/firehol.conf
COMMAND : /sbin/ip6tables -t filter -A in_world_ssh_s7 -p tcp --sport 1024:65535 --dport 22 -m conntrack --ctstate NEW\,ESTABLISHED -j knock_admin 
OUTPUT  : 

ip6tables v1.4.14: Couldn't load target `knock_admin':No such file or directory

Try `ip6tables -h' or 'ip6tables --help' for more information.

This is explained by examining the debug output: firehol only adds the knock_admin chain using iptables, not using ip6tables.

# CONF: 38>>>           server ssh accept with knock admin

# INFO>>> Preparing for service 'ssh' of type 'server' under interface 'world'

# INFO>>> Creating chain 'in_world_ssh_s7' under 'in_world' in table 'filter'
/sbin/iptables -t filter -N in_world_ssh_s7 
/sbin/ip6tables -t filter -N in_world_ssh_s7 
/sbin/iptables -t filter -A in_world -j in_world_ssh_s7 
/sbin/ip6tables -t filter -A in_world -j in_world_ssh_s7 

# INFO>>> Creating chain 'out_world_ssh_s7' under 'out_world' in table 'filter'
/sbin/iptables -t filter -N out_world_ssh_s7 
/sbin/ip6tables -t filter -N out_world_ssh_s7 
/sbin/iptables -t filter -A out_world -j out_world_ssh_s7 
/sbin/ip6tables -t filter -A out_world -j out_world_ssh_s7 
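Added example, not part of the report or of firehol itself: a POSIX shell check that reads a firehol debug command list and flags every `-j` to a user chain that the same tool (iptables or ip6tables) had not yet created with `-N` in that table, which is exactly the IPv4/IPv6 asymmetry above. The sample input is constructed from the debug output in the report plus the failing ip6tables rule; the `-N in_world` and `-N knock_admin` lines are assumed for completeness.

```shell
#!/bin/sh
# Constructed sample: the firehol 2.0.0 rc2 debug output from the report,
# plus the rule that jumps to knock_admin. Note that knock_admin is only
# ever created with iptables, never with ip6tables.
SAMPLE_RULES='/sbin/iptables -t filter -N knock_admin
/sbin/iptables -t filter -N in_world
/sbin/ip6tables -t filter -N in_world
/sbin/iptables -t filter -N in_world_ssh_s7
/sbin/ip6tables -t filter -N in_world_ssh_s7
/sbin/iptables -t filter -A in_world -j in_world_ssh_s7
/sbin/ip6tables -t filter -A in_world -j in_world_ssh_s7
/sbin/iptables -t filter -A in_world_ssh_s7 -p tcp --dport 22 -j knock_admin
/sbin/ip6tables -t filter -A in_world_ssh_s7 -p tcp --dport 22 -j knock_admin'

# Read one iptables/ip6tables command per line on stdin and print
# "tool table chain" for each -j target that the same tool has not yet
# created with -N in that table (built-in chains and standard targets
# are ignored). Order matters: a jump issued before the chain exists is
# exactly what makes the kernel reject the rule at load time.
find_missing_chains() {
    awk '
    BEGIN {
        split("INPUT OUTPUT FORWARD PREROUTING POSTROUTING", b, " ")
        for (i in b) builtin[b[i]] = 1
        split("ACCEPT DROP REJECT RETURN LOG MASQUERADE SNAT DNAT MARK", t, " ")
        for (i in t) builtin[t[i]] = 1
    }
    {
        tool = $1; sub(".*/", "", tool)      # /sbin/ip6tables -> ip6tables
        table = "filter"                      # iptables default table
        for (i = 2; i <= NF; i++) {
            if ($i == "-t") table = $(i+1)
            else if ($i == "-N") have[tool, table, $(i+1)] = 1
            else if ($i == "-j" && !($(i+1) in builtin)) {
                if (!((tool, table, $(i+1)) in have) &&
                    !((tool, table, $(i+1)) in seen)) {
                    seen[tool, table, $(i+1)] = 1
                    print tool, table, $(i+1)
                }
            }
        }
    }'
}

# Run the check over the constructed sample; prints the one missing chain.
check_sample() {
    printf '%s\n' "$SAMPLE_RULES" | find_missing_chains
}
```

Feeding a real `firehol debug` output through `find_missing_chains` reports chains that exist for one address family only, before the rule set is loaded.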
@philwhineray (Member)

Hi,

Thanks for the report.

Could you give the build from here a go if you have the opportunity? I think this should have gotten fixed at the same time as #38.


maleadt commented Oct 17, 2014

That build fixes the issue indeed, thanks!
