diff --git a/libraries/helpers.rb b/libraries/helpers.rb
index a6f1e56b..ae135a9d 100644
--- a/libraries/helpers.rb
+++ b/libraries/helpers.rb
@@ -48,7 +48,9 @@ def ipv4_rule?(new_resource)
 # ipv6-specific rule?
 def ipv6_rule?(new_resource)
   if (new_resource.source && IPAddr.new(new_resource.source).ipv6?) ||
-    (new_resource.destination && IPAddr.new(new_resource.destination).ipv6?)
+    (new_resource.destination && IPAddr.new(new_resource.destination).ipv6?) ||
+    new_resource.protocol =~ /ipv6/ ||
+    new_resource.protocol =~ /icmpv6/
     true
   else
     false
diff --git a/libraries/resource_firewall_rule.rb b/libraries/resource_firewall_rule.rb
index 40ddd78f..e243b06a 100644
--- a/libraries/resource_firewall_rule.rb
+++ b/libraries/resource_firewall_rule.rb
@@ -14,8 +14,8 @@ class Resource::FirewallRule < Chef::Resource::LWRPBase
   attribute(:command, kind_of: Symbol, equal_to: [:reject, :allow, :deny, :masquerade, :redirect, :log], default: :allow)
   attribute(:protocol, kind_of: [Integer, Symbol], default: :tcp,
-    callbacks: { 'must be either :tcp, :udp, :icmp, :none, or a valid IP protocol number' => lambda do |p|
-      !!(p.to_s =~ /(udp|tcp|icmp|none)/ || (p.to_s =~ /^\d+$/ && p.between?(0, 142)))
+    callbacks: { 'must be either :tcp, :udp, :icmp, :\'ipv6-icmp\', :icmpv6, :none, or a valid IP protocol number' => lambda do |p|
+      !!(p.to_s =~ /(udp|tcp|icmp|icmpv6|ipv6-icmp|none)/ || (p.to_s =~ /^\d+$/ && p.between?(0, 142)))
     end }
   )
diff --git a/recipes/default.rb b/recipes/default.rb
index 23b995d9..6b68cdcb 100644
--- a/recipes/default.rb
+++ b/recipes/default.rb
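Review bot: The two added `=~` tests are applied to `new_resource.protocol` directly, although the resource declares `protocol` as `kind_of: [Integer, Symbol]`; for an Integer value (58 is ICMPv6) `Object#=~` returns nil on older Rubies and no longer exists in Ruby 3.2+, so a numerically specified ICMPv6 rule is never treated as IPv6 by this helper and on current Rubies raises NoMethodError. Coerce first and fold the two patterns into one, mirroring the `p.to_s` the resource callback already uses: `new_resource.protocol.to_s =~ /ipv6|icmpv6/`. A numeric 58 would still fall through unless it is listed explicitly, e.g. `|| new_resource.protocol == 58`, so decide whether the helper should recognise it. ipv6_rule? continues past the hunk; the closing `end` lines are not shown.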
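Review bot: The new `icmpv6` and `ipv6-icmp` alternatives in the callback regex are dead: the pattern is unanchored and `icmp` already matches any value containing it, so the check accepts exactly what it accepted before and still passes values such as `:tcpx` or `:nonexistent`. Anchor the whole value so the list in the message is authoritative: `!!(p.to_s =~ /\A(udp|tcp|icmp|icmpv6|ipv6-icmp|none)\z/ || (p.to_s =~ /\A\d+\z/ && p.between?(0, 142)))`. `\A`/`\z` also replace the per-line `^`/`$` on the numeric branch. The accepted value presumably ends up in the generated firewall command (the provider is not in the diff), which makes this allowlist the right place to be strict.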
@@ -46,3 +46,11 @@
   command :allow
   only_if { node['firewall']['allow_established'] && iptables_firewall }
 end
+
+# ipv6 needs ICMP to reliably work, so ensure it's enabled if ipv6
+# allow established connections, ufw defaults to this but iptables does not
+firewall_rule 'ipv6_icmp' do
+  protocol :'ipv6-icmp'
+  command :allow
+  only_if { node['firewall']['ipv6_enabled'] && node['firewall']['allow_established'] && iptables_firewall }
+end
diff --git a/test/integration/default/serverspec/firewalld_spec.rb b/test/integration/default/serverspec/firewalld_spec.rb
index 994f2d33..7c8d25d2 100644
--- a/test/integration/default/serverspec/firewalld_spec.rb
+++ b/test/integration/default/serverspec/firewalld_spec.rb
@@ -16,6 +16,7 @@
   %r{ipv4 filter INPUT 49 -s 192.168.99.99/32 -p tcp -m tcp -m comment --comment block-192.168.99.99 -j REJECT},
   # ipv6
   %r{ipv6 filter INPUT 50 -m state --state RELATED,ESTABLISHED -m comment --comment established -j ACCEPT},
+  %r{ipv6 filter INPUT 50 -p ipv6-icmp -m comment --comment ipv6_icmp -j ACCEPT},
   %r{ipv6 filter INPUT 50 -p tcp -m tcp -m multiport --dports 22 -m comment --comment ssh22 -j ACCEPT},
   %r{ipv6 filter INPUT 50 -p tcp -m tcp -m multiport --dports 2200,2222 -m comment --comment ssh2222 -j ACCEPT},
   %r{ipv6 filter INPUT 50 -p tcp -m tcp -m multiport --dports 1234 -m comment --comment temp1 -j DROP},
diff --git a/test/integration/default/serverspec/iptables_spec.rb b/test/integration/default/serverspec/iptables_spec.rb
index 9d490be7..725d0e39 100644
--- a/test/integration/default/serverspec/iptables_spec.rb
+++ b/test/integration/default/serverspec/iptables_spec.rb
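Review bot: The second comment line of the new `firewall_rule 'ipv6_icmp'` block, `# allow established connections, ufw defaults to this but iptables does not`, is copied from the established rule above and does not describe this rule; replace it with `# ICMPv6 carries neighbour discovery, router advertisements and PMTU signalling, so IPv6 hosts need it accepted on INPUT`. The `only_if` also gates the rule on `node['firewall']['allow_established']`, so a node with IPv6 enabled but established-tracking switched off gets no ICMPv6 rule at all, which looks accidental given the first comment; `only_if { node['firewall']['ipv6_enabled'] && iptables_firewall }` seems to be the intended condition — confirm. `protocol :'ipv6-icmp'` with no type restriction accepts every ICMPv6 type, a wider set than RFC 4890 recommends for a host firewall, worth narrowing if the resource ever gains a way to express types. The diff does not add `node['firewall']['ipv6_enabled']` to the attributes; verify it has a default, otherwise the `only_if` is always false.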
@@ -15,6 +15,7 @@
 expected_ipv6_rules = [
   %r{-A INPUT( -s ::/0 -d ::/0)? -m state --state RELATED,ESTABLISHED .*-j ACCEPT},
+  %r{-A INPUT.* -p ipv6-icmp .*-j ACCEPT},
   %r{-A INPUT( -s ::/0 -d ::/0)? -p tcp -m tcp -m multiport --dports 22 .*-j ACCEPT},
   %r{-A INPUT( -s ::/0 -d ::/0)? -p tcp -m tcp -m multiport --dports 2200,2222 .*-j ACCEPT},
   %r{-A INPUT( -s ::/0 -d ::/0)? -p tcp -m tcp -m multiport --dports 1234 .*-j DROP},
diff --git a/test/integration/iptables/serverspec/default_spec.rb b/test/integration/iptables/serverspec/default_spec.rb
index a047c02d..efaa79ac 100644
--- a/test/integration/iptables/serverspec/default_spec.rb
+++ b/test/integration/iptables/serverspec/default_spec.rb
@@ -11,6 +11,7 @@
 ]
 expected_ipv6_rules = [
+  %r{-A INPUT -p ipv6-icmp .* -j ACCEPT},
   %r{-A INPUT( -s ::/0 -d ::/0)? -p tcp -m tcp -m multiport --dports 22 .*-j ACCEPT},
   %r{-A INPUT( -s ::/0 -d ::/0)? -p tcp -m tcp -m multiport --dports 2200,2222 .*-j ACCEPT},
   %r{-A INPUT( -s ::/0 -d ::/0)? -p tcp -m tcp -m multiport --dports 1234 .*-j DROP},
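Review bot: The two new ip6tables expectations disagree with each other and with their neighbours: `%r{-A INPUT.* -p ipv6-icmp .*-j ACCEPT}` in iptables_spec.rb accepts anything between `INPUT` and `-p`, while `%r{-A INPUT -p ipv6-icmp .* -j ACCEPT}` in the iptables suite's default_spec.rb (the following hunk) requires `-p` to follow `INPUT` immediately and will not match if ip6tables-save emits the `-s ::/0 -d ::/0` prefix the surrounding patterns explicitly allow for. Use the same shape as the adjacent rules in both files: `%r{-A INPUT( -s ::/0 -d ::/0)? -p ipv6-icmp .*-j ACCEPT}`. Neither pattern checks the `--comment ipv6_icmp` the firewalld spec asserts, so any ICMPv6 accept rule from another source would satisfy the test; include the comment if the save output carries it.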