#21 No need for ipv6 in script when not using it

closed-postponed
None
1
2011-12-23
2010-01-21
No

On Linux, the compiled script includes ipv6 information, even when it's disabled.
fwbuilder-3.0.7/src/ipt/OSConfigurator_linux24.cpp
lines 670, 672: define the ip6 utils; maybe protect them with:

    if ( ipv6->isChecked() ) {
        res += "IP6TABLES=\""+path_ip6tables+"\"\n";
        res += "IP6TABLES_RESTORE=\""+path_ip6tables_restore+"\"\n";
    }

Also, a little below, from line 688 it loads every conntrack module it can find... including the ipv6 one, which cannot be rmmod-ed.

What about this:
@@ -685,6 +697,9 @@
}

output << "for module in $MODULES; do " << endl;

output << " if $LSMOD | grep ${module} >/dev/null; then continue; fi" << endl;
+ if ( ipv6->isChecked()) {
+ output << " if echo ${module} | grep -i ipv6; then continue; fi" << endl;
+ }
output << " $MODPROBE ${module} || exit 1 " << endl;
output << "done" << endl;
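Review bot: the condition in the added `if ( ipv6->isChecked()) {` guard is inverted: it emits the `grep -i ipv6 ... continue` skip only when IPv6 is enabled, so the IPv6 conntrack module would be skipped exactly when the policy needs it and still loaded when it does not; the guard should apply when IPv6 is not in use. Also, the generated test `if echo ${module} | grep -i ipv6; then continue; fi` writes the matched module name to the script's stdout, unlike the `$LSMOD | grep ${module} >/dev/null` line just above it; add `>/dev/null` so the two checks behave alike. Finally, `ipv6->isChecked()` reads a GUI widget from inside the OS configurator, which has no such object; the address-family information needs to be passed into this code as a flag rather than looked up from the dialog.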

Discussion

  • Vadim Kurland

    Vadim Kurland - 2010-01-21

    when you refer to ipv6 being disabled, what do you mean? Also I suppose the "ipv6->isChecked()" is just an idea, a concept, because this code line would not work like that.

     
  • Vadim Kurland

    Vadim Kurland - 2010-01-21
    • assigned_to: nobody --> vkurland
     
  • Arnaud Launay

    Arnaud Launay - 2010-01-21

    I mean, err, ipv6 not being checked in the compiled rules, item

    "# feature request #2431602: "Feature request: Unified policies (IPv4/v6)". RuleSet object now has two variables that define which address family it should be compiled for - ipv4 or ipv6. It is possible to have both set, in which case the same ruleset will be compiled for both address families. "

    If ipv6 is *not* selected, the script knows it should not mess with loading ipv6 things.
    Might also be the concept of "ipv4 only host".

    And yes, it's just a concept, I'm unsure how to use that feature, maybe with m_dialog->ipv4_6_rule_set->currentIndex ?

    In fact, my concept is wrong, the if in C should be negated, we grep ipv6 out only if it's not used :)

    If you think this could be interesting, I'll look into doing a clean patch, I just need to find out how to determine the used ruleset.

     
  • Vadim Kurland

    Vadim Kurland - 2010-01-22
    • priority: 5 --> 1
    • status: open --> open-postponed
     
  • Arnaud Launay

    Arnaud Launay - 2010-02-02

    Ok, I began to look at fwbuilder4... Seems to me that the conditional language is missing a "not", "and" or "else" construct, right ?

    I can't write:

    {{if ipv6}}
    loadallmodules
    {{else}}
    loadonlyipv4

    or

    {{if ipv6 AND ipv4}}

    or

    {{if ! ipv6 }}

    Right ?

     
  • Vadim Kurland

    Vadim Kurland - 2010-02-02

    yes, sorry. At this time macro language is rather limited, there is no "else" and "not" and other logical operators.

     
  • Arnaud Launay

    Arnaud Launay - 2010-02-03

    Don't load ipv6 modules in ipv4 mode

     
  • Arnaud Launay

    Arnaud Launay - 2010-02-03

    Drop white spaces at end of lines

     
  • Arnaud Launay

    Arnaud Launay - 2010-02-03

    Ok, patch included, though untested.

    Notes:
    - uses GNU grep. I think this is a reasonable expectation on Linux systems, which are the target.
    - code *won't* try to load modules twice, as the lsmod test is done before
    (and anyway, under Linux, trying to load a module a second time doesn't do anything, so no wrong anyway)

    I included a second patch to drop the useless whitespaces at end of lines; I could open a new bug and do it for every source file if you want.

     
  • Vadim Kurland

    Vadim Kurland - 2010-02-04

    the patch won't work as written because variables "ipv4" and "ipv6" are not assigned any values.

    btw you can test this if you create directory fwbuilder/configlets in your home directory and then reproduce relative path to the configlet inside of it. That is, for this one the path has to be $HOME/fwbuilder/configlets/linux24/load_modules

    The problem here is that the object that generates script for all sorts of supporting OS configuration, including loading modules, is created once and is independent of the policy compiler objects. Policy compiler objects are aware of what address family the policy is being compiled for, ipv4 or ipv6, but since there is only one general OS configurator object, it has no information whether any ipv6 policies exist at all.

    It is not impossible to do though. The implementation should be similar to how it now checks if it needs to load modules for NAT. The C++ code checks if it has any NAT rules and passes the flag as a parameter to the load_modules function. There should be another flag like that to signal that we have some ipv6 rules and another parameter to the load_modules function to act on it.
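    As an added illustration (not fwbuilder's own load_modules configlet, nor code from either commenter), here is the module-loading loop from the ticket's patch with the IPv6 test the right way round and the "policy has ipv6 rules" information passed in as a parameter, the way the comment above proposes. The lsmod/modprobe stand-ins and the module list are constructed so it runs without root.

```shell
#!/bin/sh
# Added example, not fwbuilder's configlet: the module-loading loop from the
# ticket with the IPv6 test negated, and the "have ipv6 rules" flag handed in
# as a parameter (the design suggested in the discussion), not a GUI widget.

# load_modules MODULES HAVE_IPV6
#   MODULES   : space-separated kernel module names
#   HAVE_IPV6 : 1 when the policy contains IPv6 rules, 0 otherwise
# LSMOD and MODPROBE are variables so the loop can run against stubs (no root).
LSMOD="${LSMOD:-lsmod}"
MODPROBE="${MODPROBE:-modprobe}"

load_modules() {
    modules="$1"
    have_ipv6="$2"
    for module in $modules; do
        # Already loaded: nothing to do. Anchor the name at line start so that
        # e.g. "nf_nat" is not taken as loaded just because "nf_nat_ftp" is.
        if $LSMOD | grep "^${module}[[:space:]]" >/dev/null; then continue; fi
        # No IPv6 rules: never touch an IPv6 module (it cannot be rmmod-ed later).
        if [ "$have_ipv6" = "0" ]; then
            if echo "$module" | grep -i ipv6 >/dev/null; then continue; fi
        fi
        $MODPROBE "$module" || return 1
    done
    return 0
}

# --- constructed stand-ins for lsmod/modprobe so the example runs offline ---
LOADED_NOW=""                      # modules the stub modprobe was asked to load
fake_lsmod() { printf 'nf_conntrack_ftp 12345 0\n'; }   # pretend this one is loaded
fake_modprobe() { LOADED_NOW="$LOADED_NOW $1"; }
LSMOD=fake_lsmod
MODPROBE=fake_modprobe
MODULES="nf_conntrack_ftp nf_conntrack_ipv4 nf_conntrack_ipv6 nf_nat"

# Returns the modules that would be loaded for the given HAVE_IPV6 value.
modules_loaded_for() {
    LOADED_NOW=""
    load_modules "$MODULES" "$1"
    echo "$LOADED_NOW" | sed 's/^ *//'
}

main() {
    echo "ipv4 only : $(modules_loaded_for 0)"
    echo "with ipv6 : $(modules_loaded_for 1)"
}
main
```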

     
  • Vadim Kurland

    Vadim Kurland - 2011-12-23
    • status: open-postponed --> closed-postponed
     
  • Vadim Kurland

    Vadim Kurland - 2011-12-23

    script generated with fwbuilder5 does not touch ipv6 iptables configuration if no ipv6 rules were configured in the gui

     
