CSF does not add UID based IPv6 rules

fln
Junior Member
Posts: 1
Joined: 16 May 2023, 08:31


Post by fln »

Adding the following rules to /etc/csf/csf.allow:

Code:

tcp|out|u=0
udp|out|u=0
Adds the following rules to iptables:

Code:

# iptables-save | grep 'ALLOWOUT .*uid-owner'
-A ALLOWOUT ! -o lo -p udp -m owner --uid-owner 0 -j ACCEPT
-A ALLOWOUT ! -o lo -p tcp -m owner --uid-owner 0 -j ACCEPT
But does not add the same rules to ip6tables:

Code:

# ip6tables-save | grep 'ALLOWOUT .*uid-owner'
There is no other way to express that we want UID based rules to be applied to IPv6 as well.

The problem could be fixed by patching the main csf script to add UID based rules via ip6tables as well:

Code:

# diff -u /usr/sbin/csf.orig /usr/sbin/csf
--- /usr/sbin/csf.orig	2023-04-18 12:02:42.000000000 +0200
+++ /usr/sbin/csf	2023-05-11 15:41:10.674793278 +0200
@@ -3663,11 +3663,20 @@
 			} else {
 				if ($chain) {
 					&syscommand(__LINE__,"$iptables $config{IPTABLESWAIT} $verbose -A $chainout $lineout $protocol $dport -m owner $uid $gid -j $pktout");
+					if ($config{IPV6}) {
+						&syscommand(__LINE__,"$config{IP6TABLES} $config{IPTABLESWAIT} $verbose -A $chainout $lineout $protocol $dport -m owner $uid $gid -j $pktout");
+					}
 				} else {
 					if ($delete) {
 						&syscommand(__LINE__,"$iptables $config{IPTABLESWAIT} $verbose -D $localout $lineout $protocol $dport -m owner $uid $gid -j $pktout");
+						if ($config{IPV6}) {
+							&syscommand(__LINE__,"$config{IP6TABLES} $config{IPTABLESWAIT} $verbose -D $localout $lineout $protocol $dport -m owner $uid $gid -j $pktout");
+						}
 					} else {
 						&syscommand(__LINE__,"$iptables $config{IPTABLESWAIT} $verbose $inadd $localout $lineout $protocol $dport -m owner $uid $gid -j $pktout");
+						if ($config{IPV6}) {
+							&syscommand(__LINE__,"$config{IP6TABLES} $config{IPTABLESWAIT} $verbose $inadd $localout $lineout $protocol $dport -m owner $uid $gid -j $pktout");
+						}
 					}
 				}
 			}
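Review bot: each of the three branches now carries a second `&syscommand(...)` that is a character-for-character copy of the iptables line with only the binary swapped (`$iptables` vs `$config{IP6TABLES}`), so the add, `-D $localout` and `$inadd $localout` variants each exist twice and any later change to `$lineout`, `$dport` or the `-m owner $uid $gid` match has to be made in six places; consider building the argument string once per branch and looping over `($iptables, $config{IP6TABLES})` with the second entry guarded by `$config{IPV6}`, which keeps the two stacks from drifting again. Also worth noting for the delete branch: the IPv6 rule is only removed when `$config{IPV6}` is true at deletion time, so a rule added while IPV6 was enabled stays in ip6tables if the option is switched off before the csf.allow entry is removed.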
This issue causes some problems (and different IPv4/IPv6 behaviour) on dual-stack servers. Would it be possible to fix this issue?
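As an added audit check (not csf's code and not part of the report), a POSIX shell script that compares the uid-owner ALLOWOUT rules between iptables-save and ip6tables-save output and lists the IPv4 rules with no IPv6 counterpart. The embedded dumps are constructed from the rules quoted above; the `--dport 53` rule is an assumed filler entry present in both stacks.

```shell
#!/bin/sh
# Added example (not csf code): find ALLOWOUT owner rules that exist in the
# IPv4 ruleset but not in the IPv6 ruleset, i.e. the dual-stack divergence
# described in the report.

# Constructed sample dumps: the two UID rules from the report in IPv4, none in
# IPv6, plus one unrelated (assumed) port rule that is present in both stacks.
SAMPLE_V4='*filter
-A ALLOWOUT ! -o lo -p tcp --dport 53 -j ACCEPT
-A ALLOWOUT ! -o lo -p udp -m owner --uid-owner 0 -j ACCEPT
-A ALLOWOUT ! -o lo -p tcp -m owner --uid-owner 0 -j ACCEPT
COMMIT'
SAMPLE_V6='*filter
-A ALLOWOUT ! -o lo -p tcp --dport 53 -j ACCEPT
COMMIT'

# Keep only ALLOWOUT rules that use the owner match. iptables-save and
# ip6tables-save write the rule text identically, so lines compare exactly.
owner_rules() {
    grep -e '^-A ALLOWOUT .*--uid-owner' | sort -u
}

# Print each owner rule found in the IPv4 dump ($1) but not in the IPv6 dump ($2).
missing_v6_rules() {
    v6=$(printf '%s\n' "$2" | owner_rules)
    printf '%s\n' "$1" | owner_rules | while IFS= read -r rule; do
        printf '%s\n' "$v6" | grep -Fxq -e "$rule" || printf '%s\n' "$rule"
    done
}

# Number of IPv4 owner rules lacking an IPv6 twin; 0 means the stacks agree.
# "|| true" because grep -c exits 1 when the count is 0.
missing_v6_count() {
    missing_v6_rules "$1" "$2" | grep -c -e '--uid-owner' || true
}

# Stand-alone run against the constructed dumps. On a live host replace the
# samples with "$(iptables-save)" and "$(ip6tables-save)".
if [ "$(missing_v6_count "$SAMPLE_V4" "$SAMPLE_V6")" -gt 0 ]; then
    echo 'UID rules present in IPv4 but missing from IPv6:'
    missing_v6_rules "$SAMPLE_V4" "$SAMPLE_V6"
fi
```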
nsc
Junior Member
Posts: 4
Joined: 07 Sep 2014, 22:11

Re: CSF does not add UID based IPv6 rules

Post by nsc »

+1
We had those issues with IPv6 connectivity as well.
Thanks for the patch!