
iptables_parse is buggy for IPv6

ip6tables doesn’t write anything in the opt column in our configuration, while iptables prints --, which iptables_parse relies on, so all fields starting with opt are shifted in the parsed rule data structure:

    And the firewall is configured to block all outgoing IPv6 traffic                                                            # features/step_definitions/tor.rb:146
      {"rule"=>"0     0 ACCEPT     tcp      lo     *       ::1                  ::1                  tcp dpt:4101", "pkts"=>0, "target"=>"ACCEPT", "protocol"=>"tcp", "opt"=>"lo", "in_iface"=>"*", "out_iface"=>"::1", "source"=>"::1", "destination"=>"tcp", "extra"=>"dpt:4101"}
      {"rule"=>"0     0 ACCEPT     tcp      lo     *       ::1                  ::1                  tcp spt:4101 state RELATED,ESTABLISHED", "pkts"=>0, "target"=>"ACCEPT", "protocol"=>"tcp", "opt"=>"lo", "in_iface"=>"*", "out_iface"=>"::1", "source"=>"::1", "destination"=>"tcp", "extra"=>"spt:4101 state RELATED,ESTABLISHED"}
      The IPv6 table's INPUT chain contains some unexptected rules:
      0     0 ACCEPT     tcp      lo     *       ::1                  ::1                  tcp dpt:4101
      0     0 ACCEPT     tcp      lo     *       ::1                  ::1                  tcp spt:4101 state RELATED,ESTABLISHED.

This prevents us from adapting tor_enforcement.feature for Jessie: we would need to whitelist IPv6 traffic to lo there, because we had to allow some of it to make Orca work.
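One way to make the parser robust to the missing column, as an added example that is not part of the Tails test suite: detect whether the token after the protocol looks like an iptables opt value (`--`, `-f`, `!f`) and only then consume it as `opt`. The field names follow the hash shown above (plus `bytes`); the assumption that no interface name ever matches that pattern is marked in the code.

```ruby
# Added example (not the project's iptables_parse): parse one rule line from
# `iptables -vnL` or `ip6tables -vnL`, tolerating the absent "opt" column that
# ip6tables produces, so in/out/source/destination/extra are not shifted.
#
# Column order in both tools: pkts bytes target prot [opt] in out source destination [extra...]
OPT_RE = /\A[-!f]{2}\z/   # iptables prints "--", "-f" or "!f" here; ip6tables prints nothing

def parse_rule(line)
  fields = line.strip.split(/\s+/)
  pkts, bytes, target, protocol = fields.shift(4)
  # Assumption: an interface name never looks like an opt value, so the token
  # itself tells us whether the column is present on this line.
  opt = OPT_RE.match?(fields.first.to_s) ? fields.shift : nil
  in_iface, out_iface, source, destination = fields.shift(4)
  {
    "rule"        => line.strip,
    "pkts"        => pkts.to_i,
    "bytes"       => bytes.to_i,
    "target"      => target,
    "protocol"    => protocol,
    "opt"         => opt,
    "in_iface"    => in_iface,
    "out_iface"   => out_iface,
    "source"      => source,
    "destination" => destination,
    "extra"       => fields.join(" "),
  }
end

# Sample input: the ip6tables rule quoted in the report, and a constructed
# iptables rule of the same shape (with the "--" opt column present).
IP6_RULE = "0     0 ACCEPT     tcp      lo     *       ::1                  ::1                  tcp dpt:4101"
IP4_RULE = "0     0 ACCEPT     tcp  --  lo     *       127.0.0.1            127.0.0.1            tcp dpt:4101"

if __FILE__ == $0
  p parse_rule(IP6_RULE)   # "opt"=>nil,  "in_iface"=>"lo", "source"=>"::1", "extra"=>"tcp dpt:4101"
  p parse_rule(IP4_RULE)   # "opt"=>"--", "in_iface"=>"lo", "source"=>"127.0.0.1", "extra"=>"tcp dpt:4101"
end
```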

Parent Task: #7563 (closed)

Original created by @intrigeri on 9704 (Redmine)
