CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: IPv6, Enabling on Splat, IPs, Routes

  1. #1
    Join Date
    2005-11-25
    Location
    United States, Southeast
    Posts
    857
    Rep Power
    14

    Default IPv6, Enabling on Splat, IPs, Routes

    I'm beginning my walk toward IPv6.
    I'm not a big fan of CheckPoint's configuration method while we wait for netconf.C to include IPv6 support.
    I've written two init scripts. One to load the ipv6 kernel module and tune some kernel options; and one to load in IPv6 addresses and IPv6 routes so they survive reboots.

    The first script, /etc/init.d/ipv6mod, loads before network so some default ipv6 options can be adjusted before the network interfaces are brought up.

    The second script, /etc/init.d/ipv6, reads in two files, /etc/sysconfig/interfaces6 and /etc/sysconfig/routes6.

    As with all my efforts, these scripts allow comment/descriptions in the config files.



    Format of the configuration files.


    /etc/sysconfig/interfaces6

    <interface name> <IPv6 address/prefix> # comment

    Code:
    eth0 2001:db8::1/64
    eth1 2001:db8:1::1/64
    eth2 2001:db8:2::1/64
    eth3 2001:db8:13::1/64 # DMZ 1 comment
    eth3 2001:db8:23::1/64 # DMZ 2 also on eth3

    /etc/sysconfig/routes6

    <network/prefix> <next hop> <interface, if next hop is link local> # comment/description

    Code:
    2001:db8:100::/64 2001:db8::256
    2001:db8:200::/64 2001:db8:1::A # comment
    2001:db8:300::/64 fe80::1 eth2 # route using link local ip as next hop gateway, requires interface
    2001:db8:400::/64 2001:db8:2::100 # try to begin comments with a hash

    Installation:

    Copy the init scripts to /etc/init.d/.
    Change the permissions.

    Code:
    chmod 755 ipv6mod
    chmod 755 ipv6

    Use chkconfig to enable the scripts to run during boot.

    Code:
    chkconfig ipv6mod on
    chkconfig ipv6 on

    Create the /etc/sysconfig/interfaces6 and, if needed, the /etc/sysconfig/routes6 file.




    /etc/init.d/ipv6mod

    Code:
    #!/bin/bash

    # chkconfig: 2345 9 92
    # description: Enable IPv6 and configure ipv6 kernel options before the network starts

    prog="IPv6mod"

    start()
    {
            # Load IPv6 kernel module
            # modprobe will check if the module is already loaded, no harm done if executed multiple times

            echo -n $"Starting $prog:"
            modprobe ipv6

            # Disable action on reception of router advertisements.
            sysctl -w net.ipv6.conf.all.accept_ra=0
            sysctl -w net.ipv6.conf.default.accept_ra=0
            # Disable auto configuration of interfaces
            sysctl -w net.ipv6.conf.all.autoconf=0
            sysctl -w net.ipv6.conf.default.autoconf=0
    }

    stop()
    {
            echo -n $"Stopping $prog:"
    }

    case "$1" in
            start)
                    start
                    ;;
            stop)
                    # Nothing to do
                    #stop
                    ;;
            status)
                    # Nothing to do
                    ;;
            *)
                    echo $"Usage: $0 {start|stop|status}"
                    ;;
    esac

    /etc/sysconfig/ipv6

    Code:
    #!/bin/bash

    # chkconfig: 2345 11 92
    # description: Configure IPv6 interfaces and routes

    int6=/etc/sysconfig/interfaces6
    route6=/etc/sysconfig/routes6
    prog="IPv6"

    start()
    {
            if [ -e "${int6}" ]; then
                    # Configure interfaces
                    # Read only the first two elements, so the rest can be comments/details/description.
                    # read -r with quoted variables avoids glob expansion of the file contents.
                    while read -r ifname ifaddr rest
                    do
                            # Skip blank lines and lines that are only a comment
                            case "${ifname}" in
                                    ''|'#'*) continue ;;
                            esac

                            /sbin/ip -f inet6 address add "${ifaddr}" dev "${ifname}"
                    done < "${int6}"

                    ifname=""
                    ifaddr=""
            fi

            if [ -e "${route6}" ]; then
                    # Configure routes
                    # Read only the first three elements, so the rest can be comments/details/description.
                    while read -r rtnet rtgw ifname rest
                    do
                            # Skip blank lines and lines that are only a comment
                            case "${rtnet}" in
                                    ''|'#'*) continue ;;
                            esac

                            # Check if the third element is present and does not begin with a hash
                            # If so, assume it is an interface name
                            # Routes that use a link local address require the interface/device
                            case "${ifname}" in
                                    ''|'#'*)
                                            # Third element is not present, assume route has a global ip as gateway/via
                                            /sbin/ip -f inet6 route add "${rtnet}" via "${rtgw}"
                                            ;;
                                    *)
                                            /sbin/ip -f inet6 route add "${rtnet}" via "${rtgw}" dev "${ifname}"
                                            ;;
                            esac
                    done < "${route6}"
            fi
    }

    stop()
    {
            echo -n $"Stopping $prog:"
    }

    case "$1" in
            start)
                    start
                    ;;
            stop)
                    # Nothing to do
                    #stop
                    ;;
            status)
                    # Nothing to do
                    ;;
            *)
                    echo $"Usage: $0 {start|stop|status}"
                    ;;
    esac

    Let me know what you think.. Change them as needed, and please let me know if you've improved upon them.
    Last edited by alienbaby; 2010-10-20 at 16:22.
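
As an added example that is not part of the original post: a small lint for lines in the routes6 format described above, meant to run before the init script hands them to /sbin/ip at boot. The function names are hypothetical; the check covers hex-group IPv6 syntax only and flags a link-local next hop that has no interface.

```bash
#!/bin/bash
# Added example: lint routes6 entries before they reach /sbin/ip.
# All function names here are hypothetical, not part of the posted scripts.

ip6_groups() {  # print the group count of a "::"-free fragment, fail if malformed
    [ -z "$1" ] && { echo 0; return 0; }
    printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4})*$' || return 1
    echo $(( $(printf '%s' "$1" | tr -cd ':' | wc -c) + 1 ))
}

valid_ip6() {   # hex-group IPv6 syntax only (no zone id, no dotted IPv4 tail)
    local l r
    case $1 in
    *::*) # one "::" stands for at least one zero group, so at most 7 remain
          l=$(ip6_groups "${1%%::*}") && r=$(ip6_groups "${1#*::}") || return 1
          [ $((l + r)) -le 7 ] ;;
    *)    l=$(ip6_groups "$1") && [ "$l" -eq 8 ] ;;
    esac
}

valid_net() {   # <IPv6 address>/<prefix length 0-128>
    local plen="${1##*/}"
    case $1 in */*) ;; *) return 1 ;; esac
    case $plen in ''|*[!0-9]*|????*) return 1 ;; esac
    [ "$plen" -le 128 ] && valid_ip6 "${1%/*}"
}

lint_route() {  # one routes6 line -> prints ok, skip, or the problem found
    local net gw dev rest
    read -r net gw dev rest <<EOF
${1%%#*}
EOF
    [ -z "$net" ] && { echo skip; return 0; }
    valid_net "$net" || { echo "bad network: $net"; return 1; }
    valid_ip6 "$gw"  || { echo "bad next hop: $gw"; return 1; }
    case $gw in [fF][eE][89aAbB][0-9A-Fa-f]:*)  # fe80::/10 needs the outgoing interface
        [ -n "$dev" ] || { echo "link-local next hop needs interface"; return 1; } ;;
    esac
    echo ok
}

# Constructed sample lines in the routes6 format, checked one by one.
while IFS= read -r line; do
    printf '%-42s => %s\n' "$line" "$(lint_route "$line")"
done <<'EOF'
2001:db8:100::/64 2001:db8::256 # global next hop
2001:db8:300::/64 fe80::1 # link-local, no interface
EOF
```

valid_net applies unchanged to the address/prefix field of an interfaces6 line.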

  2. #2
    Join Date
    2007-10-29
    Location
    Rebstein / Switzerland
    Posts
    5
    Rep Power
    0

    Default Re: IPv6, Enabling on Splat, IPs, Routes

    Hello alienbaby

    Looks great. Thanks for your work. I'll try it on my new R70.1 Gateway. I'm also not happy with the way Checkpoint is handling the standards around linux configuration.

    I guess the way described here:
    Red Hat / CentOS IPv6 Network Configuration
    is not possible, because checkpoint overwrites the network scripts?

    Regards

    nzjunky

  3. #3
    Join Date
    2005-11-25
    Location
    United States, Southeast
    Posts
    857
    Rep Power
    14

    Default Re: IPv6, Enabling on Splat, IPs, Routes

    Has anyone else used these scripts? Any feedback?

    I'm about to actually get around to using them in production.

  4. #4
    Join Date
    2010-02-25
    Posts
    9
    Rep Power
    0

    Default Re: IPv6, Enabling on Splat, IPs, Routes

    Worked like a charm on SPLAT R65. The interfaces and routes are easy to configure and survive reboot. Thanks for this!

  5. #5
    Join Date
    2009-08-07
    Posts
    9
    Rep Power
    0

    Default Re: IPv6, Enabling on Splat, IPs, Routes

    I'll add Tobias Lachmann's great presentation from this year's CPUGCON to this thread, as it is readily available from his blog:
    http://blog.lachmann.org/2011-09-06_...y_Gateways.pdf

    His method seems to differ a little?

  6. #6
    Join Date
    2005-11-25
    Location
    United States, Southeast
    Posts
    857
    Rep Power
    14

    Default Re: IPv6, Enabling on Splat, IPs, Routes

    Quote: Originally Posted by Battou
    I'll add Tobias Lachmann's great presentation from this year's CPUGCON to this thread, as it is readily available from his blog:
    http://blog.lachmann.org/2011-09-06_...y_Gateways.pdf

    His method seems to differ a little?

    The site seems to be dead at the moment.
