run ip6tables -N accept-non-init-frag
run ip6tables -A accept-non-init-frag -j RETURN \
-m frag --fragfirst
-run ip6tables -A accept-non-init-frag -j ACCEPT
+run ip6tables -A accept-non-init-frag -j ACCEPT \
+ -m ipv6header --header frag
m4_divert(20)m4_dnl
## allowservices CHAIN PROTO SERVICE ...
ntpchain=$1; shift
clearchain ntp-servers
- for ntp; do run iptables -A ntp-servers -j ACCEPT -s $ntp; done
- run iptables -A $ntpchain -j ntp-servers \
+ for ntp; do
+ case $ntp in *:*) ipt=ip6tables ;; *) ipt=iptables ;; esac
+ run $ipt -A ntp-servers -j ACCEPT -s $ntp;
+ done
+ run ip46tables -A $ntpchain -j ntp-servers \
-p udp --source-port 123 --destination-port 123
}
run ip46tables -A $chain -p udp -g interesting --destination-port $1:$2
}
+bcp38_setup=:
+bcp38 () {
+ ipv=$1 ifname=$2; shift 2
+ ## Add rules for BCP38 egress filtering for IP version IPV (either 4 or 6).
+ ## IFNAME is the outgoing interface; the remaining arguments are network
+ ## prefixes.
+
+ ## Sort out which command we're using
+ case $ipv in
+ 4) ipt=iptables ;;
+ 6) ipt=ip6tables ;;
+ *) echo >&2 "Unknown IP version $ipv"; exit 1 ;;
+ esac
+
+ ## If we've not set up the error chain then do that.
+ case $bcp38_setup in
+ :)
+ errorchain bcp38 DROP
+ clearchain bcp38-check
+ ip46tables -A bcp38-check -g bcp38
+ ;;
+ esac
+
+ ## Stitch our egress filter into the outbound chains if we haven't done
+ ## that yet. Do this for both IP versions: if we're only ever given
+ ## IPv6 addresses for a particular interface then we assume that IPv4
+ ## packets aren't allowed on it at all.
+ case $bcp38_setup in
+ *:$ifname:*) ;;
+ *)
+ run ip46tables -A OUTPUT -j bcp38-check -o $ifname
+ case $forward in
+ 1) run ip46tables -A FORWARD -j bcp38-check -o $ifname ;;
+ esac
+ bcp38_setup=$bcp38_setup$ifname:
+ ;;
+ esac
+
+ ## Finally, add in our allowed networks.
+ for i in "$@"; do
+ run $ipt -I bcp38-check -j RETURN -s $i
+ done
+}
+
m4_divert(20)m4_dnl
###--------------------------------------------------------------------------
### Packet classification.
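Review bot: The one-time setup inside the `:)` arm of the first `case $bcp38_setup` calls `ip46tables -A bcp38-check -g bcp38` directly, whereas every other rule this function adds (`-A OUTPUT`, `-A FORWARD`, `-I bcp38-check`) and the rest of the hunk go through `run`; if `run` provides logging or dry-run handling, that fall-through-to-DROP rule would be the only one silently bypassing it, and since it is the rule that actually enforces the egress filter, that is the one you least want to lose. I would change the line to `run ip46tables -A bcp38-check -g bcp38` for consistency. The `$forward` global consulted in the FORWARD hook is not defined or documented anywhere in the hunk; a short comment such as `## forward: 1 when this host routes between interfaces (set elsewhere)` above that inner `case` would help a reader, and the header comment could note that `bcp38_setup` doubles as a colon-separated list of interfaces already hooked (`:eth0:wan0:`). The first `case $bcp38_setup` relies on that string no longer being exactly `:` after the first call, which holds only because the second `case` always appends `$ifname:`; a one-line comment stating that dependency would make the two cases easier to maintain together.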