From 026185195bb8dbb4862e5cb82677141661fe554f Mon Sep 17 00:00:00 2001
From: bbruns
Date: Tue, 22 Feb 2011 18:55:52 +0000
Subject: [PATCH] More code to support ipv* allowed files
---
 bin/firewall-sosdg | 51 +++++++++++++++++++++++++++++++++++++++
 conf/ipv6-allowed.default | 7 ++++++
 options.default | 5 ++++
 3 files changed, 63 insertions(+)
 create mode 100644 conf/ipv6-allowed.default
diff --git a/bin/firewall-sosdg b/bin/firewall-sosdg
index 7ba97b6..ef8012e 100755
--- a/bin/firewall-sosdg
+++ b/bin/firewall-sosdg
@@ -943,6 +943,57 @@ fi
 display_c YELLOW "Loading custom IPv6 allowed port rules..."
 . "$BASEDIR/include/ipv6_custom_allowedports"
 fi
+
+ if [ "$IPV6_ALLOWED" ]; then
+ display_c YELLOW "Adding allowed IPv6 IPs and ports... "
+ for i in `grep -v "\#" $IPV6_ALLOWED`; do
+ if [[ "$i" =~ "|" ]]; then
+ IFS_OLD=${IFS};IFS=\|
+ ADVALLOWIP=($i)
+ IFS=${IFS_OLD}
+ SRCIF=${ADVALLOWIP[0]}
+ SRCIP=${ADVALLOWIP[1]}
+ SRCPORT=${ADVALLOWIP[2]}
+ DSTIF=${ADVALLOWIP[3]}
+ DSTIP=${ADVALLOWIP[4]}
+ DSTPORT=${ADVALLOWIP[5]}
+ DIRECTION=${ADVALLOWIP[6]}
+ PROTO=${ADVALLOWIP[7]}
+ if [ "$SRCIF" ]; then
+ SRCIF="-i ${SRCIF} "
+ fi
+ if [ "$SRCIP" ]; then
+ SRCIP="-s ${SRCIP} "
+ fi
+ if [ "$SRCPORT" ]; then
+ SRCPORT="--sport ${SRCPORT/-/:} "
+ fi
+ if [ "$DSTIF" ]; then
+ DSTIF="-o ${DSTIF} "
+ fi
+ if [ "$DSTIP" ]; then
+ DSTIP="-d ${DSTIP} "
+ fi
+ if [ "$DSTPORT" ]; then
+ DSTPORT="--dport ${DSTPORT/-/:} "
+ fi
+ if [ "$PROTO" ]; then
+ case $PROTO in
+ TCP|tcp) PROTO="-p tcp";;
+ UDP|udp) PROTO="-p udp";;
+ *) PROTO="-p ${PROTO}";;
+ esac
+ fi
+ case $DIRECTION in
+ IN) DIRECTION="INPUT" ;;
+ OUT) DIRECTION="OUTPUT" ;;
+ FWD) DIRECTION="FORWARD" ;;
+ *) DIRECTION="INPUT" ;;
+ esac
+ ${IP6TABLES} -A ${DIRECTION} ${PROTO} ${SRCIF} ${SRCIP} ${SRCPORT} ${DSTIF} ${DSTIP} ${DSTPORT} -j ACCEPT
+ fi
+ done
+ fi
 if [ "$IPV6_TCPPORTS" ] || [ "$IPV6_UDPPORTS" ]; then
 display_c YELLOW "Adding allowed IPv6 port: " N
 if [ "$IPV6_TCPPORTS" ]; then
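Review bot: The `*) DIRECTION="INPUT" ;;` arm of the `case $DIRECTION` block turns any unrecognized or mistyped direction (lowercase `out`, or `FORWARD` instead of `FWD`) into an INPUT ACCEPT rule, so a typo widens what the host accepts instead of being reported; since the `case $PROTO` arms already accept both cases, `IN|in`, `OUT|out`, `FWD|fwd` would be consistent, and the default arm should skip the entry, e.g. `*) printf 'ipv6-allowed: unknown direction %s in entry %s\n' "$DIRECTION" "$i" >&2; continue ;;`. The exit status of the `${IP6TABLES} -A …` line is also never checked, so an entry ip6tables rejects (a `--sport`/`--dport` with an empty protocol field, or `-o` in INPUT and `-i` in OUTPUT) only produces an error on stderr and is otherwise missing from the ruleset while the script carries on; `… -j ACCEPT || printf 'ipv6-allowed: rule rejected: %s\n' "$i" >&2` at least makes that visible. The field order the parser expects (srcif|srcip|sport|dstif|dstip|dport|direction|proto) deserves a comment above the `for` loop, since the legend line in conf/ipv6-allowed.default appears empty in this patch. The enclosing IPv6 block starts before the hunk.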
diff --git a/conf/ipv6-allowed.default b/conf/ipv6-allowed.default
new file mode 100644
index 0000000..11bf6ce
--- /dev/null
+++ b/conf/ipv6-allowed.default
@@ -0,0 +1,7 @@
+# List of IPs to allow
+# One ip or range per line with added specific IN/OUT/FWD and TCP/UDP port (added in 0.9.8)
+# |||||||
+# One can leave out
+# if you want to apply to all ports/interfaces/etc
+# Example:
+# eth1|::1|80|eth0|2001::1|20-21|IN|TCP
diff --git a/options.default b/options.default
index 6156aba..7cff111 100755
--- a/options.default
+++ b/options.default
@@ -238,6 +238,11 @@ IPV6_PFORWARD=DROP
 #IPV6_TCPPORTS=$TCPPORTS
 #IPV6_UDPPORTS=$UDPPORTS
+# Allowed IPv6 IPs and ports
+# this is a more advanced form of IPV6_TCPPORTS and IPV6_UDPPORTS,
+# and will eventually replace it
+#IPV6_ALLOWED=$BASEDIR/conf/ipv6-allowed
+
 # IPv6 range to forward
 #IPV6_FORWARDRANGE=""