iptables_parse is buggy for IPv6
`ip6tables` doesn't write anything in the `opt` column in our configuration, while `iptables` prints `--`, which `iptables_parse` relies on, so all fields starting with `opt` are shifted in the parsed rule data structure:
```
And the firewall is configured to block all outgoing IPv6 traffic # features/step_definitions/tor.rb:146
{"rule"=>"0 0 ACCEPT tcp lo * ::1 ::1 tcp dpt:4101", "pkts"=>0, "target"=>"ACCEPT", "protocol"=>"tcp", "opt"=>"lo", "in_iface"=>"*", "out_iface"=>"::1", "source"=>"::1", "destination"=>"tcp", "extra"=>"dpt:4101"}
{"rule"=>"0 0 ACCEPT tcp lo * ::1 ::1 tcp spt:4101 state RELATED,ESTABLISHED", "pkts"=>0, "target"=>"ACCEPT", "protocol"=>"tcp", "opt"=>"lo", "in_iface"=>"*", "out_iface"=>"::1", "source"=>"::1", "destination"=>"tcp", "extra"=>"spt:4101 state RELATED,ESTABLISHED"}
The IPv6 table's INPUT chain contains some unexptected rules:
0 0 ACCEPT tcp lo * ::1 ::1 tcp dpt:4101
0 0 ACCEPT tcp lo * ::1 ::1 tcp spt:4101 state RELATED,ESTABLISHED.
```
This prevents us from adapting `tor_enforcement.feature` for Jessie: we would need to whitelist IPv6 traffic to `lo` there, because we had to allow some of it to make Orca work.
Parent Task: #7563 (closed)
Original created by @intrigeri on 9704 (Redmine)
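The following is an added example, not Tails' own `iptables_parse` nor any code from this issue. It shows one way to parse `iptables -vnL` / `ip6tables -vnL` rule lines that tolerates the missing `opt` column described above. It assumes the standard column order `pkts bytes target prot [opt] in out source destination [extra...]`, and that the `opt` column, when printed, only ever holds `--` or a fragment flag (`-f`, `!f`), which no interface name can look like; both assumptions are documented in the code, and the sample chain output is constructed for the example.

```ruby
# Added example: parse iptables/ip6tables "-vnL" rule lines whether or not
# the "opt" column is present. Not Tails' iptables_parse.
#
# Assumed column layout (iptables -vnL):
#   pkts bytes target prot [opt] in out source destination [extra...]
# ip6tables may print nothing at all in "opt", so the field count varies
# by one and a fixed-position split mis-assigns every field after "prot".

# Assumption: when present, "opt" holds "--" or a fragment flag. Interface
# names ("lo", "*", "!eth0") never match this, so absence is detectable.
OPT_COLUMN_RE = /\A(--|-f|!f)\z/

# iptables abbreviates large counters (e.g. "12K"); the K/M/G scale is
# 1000-based and the printed value is rounded, so the result is approximate.
COUNTER_SUFFIX = { "K" => 1_000, "M" => 1_000_000, "G" => 1_000_000_000 }.freeze

def parse_counter(s)
  m = /\A(\d+)([KMG])?\z/.match(s)
  raise ArgumentError, "bad counter: #{s.inspect}" unless m
  Integer(m[1]) * (m[2] ? COUNTER_SUFFIX[m[2]] : 1)
end

# Parse one rule line into a hash. "opt" is nil when the column is absent.
def parse_rule_line(line)
  rule = line.strip
  fields = rule.split(/\s+/)
  raise ArgumentError, "too few fields: #{rule.inspect}" if fields.size < 8

  pkts, bytes, target, protocol = fields.shift(4)
  opt = (fields.first =~ OPT_COLUMN_RE) ? fields.shift : nil
  raise ArgumentError, "truncated rule: #{rule.inspect}" if fields.size < 4
  in_iface, out_iface, source, destination = fields.shift(4)

  {
    "rule"        => rule,
    "pkts"        => parse_counter(pkts),
    "bytes"       => parse_counter(bytes),
    "target"      => target,
    "protocol"    => protocol,
    "opt"         => opt,
    "in_iface"    => in_iface,
    "out_iface"   => out_iface,
    "source"      => source,
    "destination" => destination,
    "extra"       => fields.join(" "),   # match-specific text, may be empty
  }
end

# Parse a whole chain listing, skipping the "Chain ..." and column header lines.
def parse_chain(output)
  output.each_line.map(&:strip).reject do |l|
    l.empty? || l.start_with?("Chain ") || l.start_with?("pkts ")
  end.map { |l| parse_rule_line(l) }
end

# True when the rule only concerns the loopback interface, i.e. the kind of
# rule a test might whitelist in an otherwise "block all IPv6" chain.
def loopback_only?(rule)
  rule["in_iface"] == "lo" && rule["out_iface"] == "*"
end

# Constructed sample of ip6tables -vnL output; no "--" in the opt column.
SAMPLE_IP6TABLES_INPUT = <<~OUT
  Chain INPUT (policy DROP 0 packets, 0 bytes)
   pkts bytes target     prot opt in     out     source               destination
      0     0 ACCEPT     tcp      lo     *       ::1                  ::1                  tcp dpt:4101
      0     0 ACCEPT     tcp      lo     *       ::1                  ::1                  tcp spt:4101 state RELATED,ESTABLISHED
OUT

if __FILE__ == $PROGRAM_NAME
  parse_chain(SAMPLE_IP6TABLES_INPUT).each { |r| p r }
end
```

With this, the two loopback rules from the issue parse with `in_iface` `lo`, `out_iface` `*`, both addresses `::1` and `extra` starting with `tcp`, so a feature file can whitelist them by interface instead of matching the shifted, misleading fields.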