Add LIMIT rule for ipv6

Bug #951462 reported by Guilhem Lettron
This bug affects 7 people
Affects        Series   Status        Importance  Assigned to        Milestone
ufw            (status tracked in Trunk)
ufw            0.31     Fix Released  Wishlist    Jamie Strandboge
ufw            Trunk    Fix Released  Wishlist    Jamie Strandboge
ufw (Ubuntu)            Fix Released  Wishlist    Jamie Strandboge
ufw (Ubuntu)   Quantal  Fix Released  Wishlist    Jamie Strandboge

Bug Description

For the moment, if we add a LIMIT rule for IPv6, it results in:
# ufw limit openssh
Skipping unsupported IPv6 'limit' rule

I think this rule exists in ip6tables, or at least it must add an "ALLOW" rule (I think).

Jamie Strandboge (jdstrand) wrote:

limit was not always supported with IPv6. It seems to be now, so ufw should use it when it is supported by iptables.

Changed in ufw (Ubuntu):
importance: Undecided → Wishlist
status: New → Triaged
Patrick Fasano (kc9jud) wrote:

Any idea what the best way to check if IPv6 LIMIT is supported?

Changed in ufw:
status: New → Triaged
importance: Undecided → Wishlist
Jamie Strandboge (jdstrand) wrote:

What should happen is at the time of the check, ufw should:
1. add a test chain that isn't referenced by anything: ip6tables -N ufw6-test
2. Add test rules to the test chain:
ip6tables -A ufw6-test -m state --state NEW -m recent --set
ip6tables -A ufw6-test -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ACCEPT
3. Clean up the test chain
ip6tables -F ufw6-test
ip6tables -X ufw6-test

If the test rules load in step 2, then we have the support we need for limit to work.
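
The probe described in the steps above, written out as an added example (this is not ufw's own code; ufw implements the check inside ufw.util.get_netfilter_capabilities(), which is not shown on this page). It uses the ufw6-test chain name and the two test rules from the comment verbatim. The two stub functions are constructed stand-ins for an ip6tables binary, so the logic can be exercised without root and without netfilter; the real check passes the actual ip6tables binary.

```sh
#!/bin/sh
# Probe whether ip6tables accepts the rules ufw's LIMIT needs (the state and
# recent matches). Added example, not ufw code. Exit status:
#   0 = both test rules loaded (IPv6 limit is usable)
#   1 = a test rule was rejected (ufw would fall back to a plain ALLOW rule)
#   2 = could not test (no binary, not root, or the chain could not be created)
ip6tables_has_limit() {
    ipt="${1:-ip6tables}"           # ip6tables binary, or a stub for offline use
    chain="${2:-ufw6-test}"          # scratch chain that nothing references
    command -v "$ipt" >/dev/null 2>&1 || return 2
    "$ipt" -N "$chain" 2>/dev/null || return 2
    rc=0
    # Step 2: the two rules a LIMIT rule expands to.
    "$ipt" -A "$chain" -m state --state NEW -m recent --set 2>/dev/null || rc=1
    if [ "$rc" -eq 0 ]; then
        "$ipt" -A "$chain" -m state --state NEW -m recent --update \
            --seconds 30 --hitcount 6 -j ACCEPT 2>/dev/null || rc=1
    fi
    # Step 3: always clean up, even when a rule failed to load.
    "$ipt" -F "$chain" 2>/dev/null
    "$ipt" -X "$chain" 2>/dev/null
    return "$rc"
}

# Constructed stubs (not real binaries) so the probe can be run offline and
# unprivileged. They only model "accepts everything" and "lacks the recent match".
stub_ip6tables_full() { :; }       # accepts every rule
stub_ip6tables_no_recent() {       # rejects anything that uses the 'recent' match
    for arg in "$@"; do
        if [ "$arg" = "recent" ]; then
            echo "ip6tables: No chain/target/match by that name." >&2
            return 1
        fi
    done
    return 0
}

# On a real host (as root): ip6tables_has_limit ip6tables; echo "rc=$?"
```

The probe deliberately distinguishes "rules rejected" (1) from "could not run the test" (2): a frontend that treats a permission error as "limit unsupported" would silently downgrade its rules on every unprivileged invocation.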

Jamie Strandboge (jdstrand) wrote:

Actually, it isn't quite that simple. We need to do the above, but the code needs to be adjusted to handle it as there are several places the code avoids ufw6 chains when dealing with limit rules.

Jamie Strandboge (jdstrand) wrote:

Having a way to get the capabilities set of the running system is something that has been needed for a long time. This is now implemented in trunk in ufw.util.get_netfilter_capabilities(). This will be used by the backend to query the caps on invocation, and then later to check the caps when setting up the limit rules.

Changed in ufw:
assignee: nobody → Jamie Strandboge (jdstrand)
status: Triaged → In Progress
Jamie Strandboge (jdstrand) wrote:

The branch I just added has preliminary support. I need to add test cases, etc to it and this will be fixed in the next release of ufw. I'd like to see this in Ubuntu 12.04 too, so I will probably also create a new 0.31.2 with this functionality.

Changed in ufw (Ubuntu Precise):
status: New → Triaged
importance: Undecided → Wishlist
Jamie Strandboge (jdstrand) wrote:

Adding rls-q-notfixing tag so it doesn't show up on the list. I do hope to fix it in 12.10 in my spare time, but not at the expense of other work.

tags: added: rls-q-notfixing
Patrick Fasano (kc9jud) wrote:

Okay, so it's not as simple as simply checking the version of ip6tables or of the netfilter module... gotcha. :-)

As a side note, getting this pushed back into 12.04 would be greatly appreciated -- I (and I assume many other people) would prefer to keep our servers on an LTS release.

Jamie Strandboge (jdstrand) wrote:

This is now implemented in trunk, with test cases.

Jamie Strandboge (jdstrand) wrote:

Backported to 0.31.

Changed in ufw (Ubuntu Precise):
milestone: none → precise-updates
Jamie Strandboge (jdstrand) wrote:

Upstream 0.31.2 is now released.

Changed in ufw (Ubuntu Precise):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in ufw (Ubuntu Quantal):
assignee: nobody → Jamie Strandboge (jdstrand)
Jamie Strandboge (jdstrand) wrote:

This is now fixed in trunk and ufw 0.33.

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package ufw - 0.33-0ubuntu1

---------------
ufw (0.33-0ubuntu1) quantal; urgency=low

  * New upstream release. Fixes the following bugs:
    - also use correct ports for DHCPv6. Thanks to Marco Davids (LP: #1007326)
    - add IPv6 limit support (LP: #951462)
    - add zh_TW translation (LP: #868195)
    - add 'show added' report (LP: #987784)
    - remove ACCEPT_NO_TRACK option since it never worked (LP: #787955)
  * debian/(after|before)6.rules.md5sum: adjust for recently missed shipped
    configurations
 -- Jamie Strandboge <email address hidden> Fri, 17 Aug 2012 14:32:01 -0500

Changed in ufw (Ubuntu Quantal):
status: Triaged → Fix Released
Pali (pali) wrote:

Can you backport this ipv6 limit support for ubuntu precise?

no longer affects: ufw (Ubuntu Precise)