Ensure CLAT-PLAT traffic is permitted in UFW
UFW is the standard local firewall framework in Debian-based distributions. If it is installed and active, add rules that permit routed traffic between the CLAT and the PLAT prefix. This traffic is dropped by the default UFW ruleset, leading to issues such as #42.
This commit is contained in:
Tore Anderson
2
Makefile
2
Makefile
@@ -22,6 +22,6 @@ installdeps:
|
||||
# .deb/apt-get based distros
|
||||
if test -x "$(APT_GET)"; then $(APT_GET) -y install perl-base perl-modules libnet-ip-perl libnet-dns-perl libio-socket-ip-perl iproute2 nftables tayga; fi
|
||||
# .rpm/DNF/YUM-based distros
|
||||
if test -x "$(DNF_OR_YUM)"; then $(DNF_OR_YUM) -y install perl perl-Net-IP perl-Net-DNS perl-IO-Socket-IP perl-File-Temp iproute nftables; fi
|
||||
if test -x "$(DNF_OR_YUM)"; then $(DNF_OR_YUM) -y install perl perl-IPC-Cmd perl-Net-IP perl-Net-DNS perl-IO-Socket-IP perl-File-Temp iproute nftables; fi
|
||||
# If necessary, try to install the TAYGA .rpm using dnf/yum. It is unfortunately not available in all .rpm based distros (in particular CentOS/RHEL).
|
||||
if test -x "$(DNF_OR_YUM)" && test ! -x "$(TAYGA)"; then $(DNF_OR_YUM) -y install tayga || echo "ERROR: Failed to install TAYGA using dnf/yum, the package is probably not included in your distro. Try enabling the EPEL repo <URL: https://fedoraproject.org/wiki/EPEL> and try again, or install TAYGA <URL: http://www.litech.org/tayga> directly from source."; exit 1; fi
|
||||
|
||||
12
README.pod
12
README.pod
@@ -262,6 +262,18 @@ L<https://nftables.org/projects/nftables/>. Required if I<ctmark> is set.
|
||||
Path to the B<tayga> binary from the TAYGA package available at
|
||||
L<http://www.litech.org/tayga>. Required.
|
||||
|
||||
=item B<cmd-ufw=path> (default: assume in $PATH)
|
||||
|
||||
Path to the B<ufw> binary from the UFW local firewall framework available at
|
||||
L<https://launchpad.net/ufw> commonly seen on Debian-based distributions. If
|
||||
this command is present on the system, and B<ufw status> reports that the
|
||||
firewall is active, B<clatd> will add firewall rules ensuring traffic between
|
||||
the CLAT and the PLAT prefix is allowed when it is starting up, and remove them
|
||||
when it is shutting down.
|
||||
|
||||
If you don't want B<clatd> to add and remove UFW firewall rules, set this to an
|
||||
empty string.
|
||||
|
||||
=item B<forwarding-enable=bool> (default: I<yes>)
|
||||
|
||||
Controls whether or not B<clatd> should enable IPv6 forwarding if necessary.
|
||||
|
||||
35
clatd
35
clatd
@@ -24,6 +24,7 @@
|
||||
# clatd(8) for more information.
|
||||
#
|
||||
use strict;
|
||||
use IPC::Cmd qw(can_run);
|
||||
use Net::IP;
|
||||
|
||||
my $VERSION = "1.6nat46";
|
||||
@@ -43,6 +44,7 @@ $CFG{"dns64-servers"} = undef; # use system resolver by default
|
||||
$CFG{"cmd-ip"} = "ip"; # assume in $PATH
|
||||
$CFG{"cmd-nft"} = "nft"; # assume in $PATH
|
||||
$CFG{"cmd-tayga"} = "tayga"; # assume in $PATH
|
||||
$CFG{"cmd-ufw"} = "ufw"; # assume in $PATH
|
||||
$CFG{"ctmark"} = undef; # match ctmark for routing pkts to CLAT
|
||||
$CFG{"forwarding-enable"} = 1; # enable ipv6 forwarding?
|
||||
$CFG{"plat-dev"} = undef; # PLAT-facing device, default detect
|
||||
@@ -604,6 +606,7 @@ my $cleanup_zero_proxynd_sysctl; # zero proxy_ndp sysctl if set
|
||||
my $cleanup_remove_proxynd_entry, # true if having added proxynd entry
|
||||
my $cleanup_remove_nftable; # true if having added an nftable
|
||||
my $cleanup_remove_clat_iprule; # true if having added clat iprule
|
||||
my $cleanup_remove_ufw_rules; # true if having added ufw rules
|
||||
my $cleanup_restore_local_iprule_prio; # true if having reordered local iprule
|
||||
my @cleanup_restore_v4_defaultroutes; # temporarily replaced defaultroutes
|
||||
|
||||
@@ -662,6 +665,14 @@ sub cleanup_and_exit {
|
||||
d("Cleanup: Removing ip rule for redirecting inbound traffic to CLAT");
|
||||
cmd(\&w, cfg("cmd-ip"), qw(-6 rule del prio 0 table), cfg("route-table"));
|
||||
}
|
||||
if(defined($cleanup_remove_ufw_rules)) {
|
||||
cmd(\&w, cfg("cmd-ufw"), qw(route delete allow in on), cfg("clat-dev"),
|
||||
"from", cfg("clat-v6-addr"), qw(out on), cfg("plat-dev"), "to",
|
||||
cfg("plat-prefix"));
|
||||
cmd(\&w, cfg("cmd-ufw"), qw(route delete allow in on), cfg("plat-dev"),
|
||||
"from", cfg("plat-prefix"), qw(out on), cfg("clat-dev"), "to",
|
||||
cfg("clat-v6-addr"));
|
||||
}
|
||||
|
||||
exit($exitcode);
|
||||
}
|
||||
@@ -885,6 +896,30 @@ if(cfgbool("forwarding-enable")) {
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Add firewall rules to allow PLAT-CLAT traffic if a supported local firewall
|
||||
# framework is present and active
|
||||
#
|
||||
if(can_run(cfg("cmd-ufw"))) {
|
||||
open(my $fd, '-|', cfg("cmd-ufw"), "status")
|
||||
or err("'ufw status' failed to execute");
|
||||
while(<$fd>) {
|
||||
if(/^Status: active$/) {
|
||||
p("UFW local firewall framework active, allowing CLAT-PLAT traffic");
|
||||
cmd(\&err, cfg("cmd-ufw"), qw(route allow in on), cfg("clat-dev"),
|
||||
"from", cfg("clat-v6-addr"), qw(out on), cfg("plat-dev"), "to",
|
||||
cfg("plat-prefix"));
|
||||
cmd(\&err, cfg("cmd-ufw"), qw(route allow in on), cfg("plat-dev"),
|
||||
"from", cfg("plat-prefix"), qw(out on), cfg("clat-dev"), "to",
|
||||
cfg("clat-v6-addr"));
|
||||
$cleanup_remove_ufw_rules = 1;
|
||||
}
|
||||
}
|
||||
close($fd) or err("'ufw status' failed");
|
||||
} else {
|
||||
d("UFW command '", cfg("cmd-ufw"), "' not found, not installing UFW rules");
|
||||
}
|
||||
|
||||
#
|
||||
# Enable ND proxy for the CLAT's IPv6 address on the interface facing the PLAT
|
||||
#
|
||||
|
||||
Reference in New Issue
Block a user