Open ICMP in ipv6, required

In ipv6, ICMP is required for all kinds of basic functionality. Unless someone has overriden `allow_established` to be false, open ICMP over IPv6. RE: #86, this goes towards that goal as well.
sous-chefs · Oct 15, 2015 · eec3674 · eec3674
1 parent 7278d0e
commit eec3674
Show file tree

Hide file tree

Showing 5 changed files with 15 additions and 3 deletions.
diff --git a/libraries/helpers.rb b/libraries/helpers.rb
@@ -48,7 +48,9 @@ def ipv4_rule?(new_resource)
     # ipv6-specific rule?
     def ipv6_rule?(new_resource)
       if (new_resource.source && IPAddr.new(new_resource.source).ipv6?) ||
-         (new_resource.destination && IPAddr.new(new_resource.destination).ipv6?)
+         (new_resource.destination && IPAddr.new(new_resource.destination).ipv6?) ||
+         new_resource.protocol =~ /ipv6/ ||
+         new_resource.protocol =~ /icmpv6/
         true
       else
         false

diff --git a/libraries/resource_firewall_rule.rb b/libraries/resource_firewall_rule.rb
@@ -14,8 +14,8 @@ class Resource::FirewallRule < Chef::Resource::LWRPBase
     attribute(:command, kind_of: Symbol, equal_to: [:reject, :allow, :deny, :masquerade, :redirect, :log], default: :allow)
 
     attribute(:protocol, kind_of: [Integer, Symbol], default: :tcp,
-                         callbacks: { 'must be either :tcp, :udp, :icmp, :none, or a valid IP protocol number' => lambda do |p|
-                           !!(p.to_s =~ /(udp|tcp|icmp|none)/ || (p.to_s =~ /^\d+$/ && p.between?(0, 142)))
+                         callbacks: { 'must be either :tcp, :udp, :icmp, :\'ipv6-icmp\', :icmpv6, :none, or a valid IP protocol number' => lambda do |p|
+                           !!(p.to_s =~ /(udp|tcp|icmp|icmpv6|ipv6-icmp|none)/ || (p.to_s =~ /^\d+$/ && p.between?(0, 142)))
                          end
       }
              )

diff --git a/recipes/default.rb b/recipes/default.rb
@@ -46,3 +46,11 @@
   command :allow
   only_if { node['firewall']['allow_established'] && iptables_firewall }
 end
+
+# ipv6 needs ICMP to reliably work, so ensure it's enabled if ipv6
+# allow established connections, ufw defaults to this but iptables does not
+firewall_rule 'ipv6_icmp' do
+  protocol :'ipv6-icmp'
+  command :allow
+  only_if { node['firewall']['ipv6_enabled'] && iptables_firewall }
+end
diff --git a/test/integration/default/serverspec/firewalld_spec.rb b/test/integration/default/serverspec/firewalld_spec.rb
@@ -16,6 +16,7 @@
   %r{ipv4 filter INPUT 49 -s 192.168.99.99/32 -p tcp -m tcp -m comment --comment block-192.168.99.99 -j REJECT},
   # ipv6
   %r{ipv6 filter INPUT 50 -m state --state RELATED,ESTABLISHED -m comment --comment established -j ACCEPT},
+  %r{ipv6 filter INPUT 50 -p ipv6-icmp -m comment --comment ipv6_icmp -j ACCEPT},
   %r{ipv6 filter INPUT 50 -p tcp -m tcp -m multiport --dports 22 -m comment --comment ssh22 -j ACCEPT},
   %r{ipv6 filter INPUT 50 -p tcp -m tcp -m multiport --dports 2200,2222 -m comment --comment ssh2222 -j ACCEPT},
   %r{ipv6 filter INPUT 50 -p tcp -m tcp -m multiport --dports 1234 -m comment --comment temp1 -j DROP},

diff --git a/test/integration/default/serverspec/iptables_spec.rb b/test/integration/default/serverspec/iptables_spec.rb
@@ -15,6 +15,7 @@
 
 expected_ipv6_rules = [
   %r{-A INPUT( -s ::/0 -d ::/0)? -m state --state RELATED,ESTABLISHED .*-j ACCEPT},
+  %r{-A INPUT.* -p ipv6-icmp .*-j ACCEPT},
   %r{-A INPUT( -s ::/0 -d ::/0)? -p tcp -m tcp -m multiport --dports 22 .*-j ACCEPT},
   %r{-A INPUT( -s ::/0 -d ::/0)? -p tcp -m tcp -m multiport --dports 2200,2222 .*-j ACCEPT},
   %r{-A INPUT( -s ::/0 -d ::/0)? -p tcp -m tcp -m multiport --dports 1234 .*-j DROP},