From: Peter Palfrader <peter@palfrader.org>
Date: Sat, 29 May 2010 09:49:29 +0000 (+0200)
Subject: ferm: always allow proto 41
X-Git-Url: https://git.donarmstrong.com/?a=commitdiff_plain;h=15ccade5b7bd26ed13178eda5cb183fcf6c10a1b;p=dsa-puppet.git

ferm: always allow proto 41
---

diff --git a/modules/ferm/files/ferm.conf b/modules/ferm/files/ferm.conf
index b5448b07..5f6e159f 100644
--- a/modules/ferm/files/ferm.conf
+++ b/modules/ferm/files/ferm.conf
@@ -45,6 +45,11 @@ domain (ip ip6) {
                       mod state state (ESTABLISHED RELATED) ACCEPT;
                       interface lo ACCEPT;
                       proto icmp ACCEPT;
+                      # some of our hosts (e.g. villa and lobos) do ipv6 via tunnels (proto 41)
+                      # this requires we allow proto ipv6 to work in all cases.
+                      # without this, ipv6 connectivity only works once the host itself
+                      # created some ipv6 connectivity to some place.
+                      proto ipv6 ACCEPT;
                       mod state state (INVALID) DROP;
               }
         }
@@ -58,3 +63,4 @@ domain (ip ip6) {
                 jump log_or_drop;
         }
 }
+# vim:set et: