local.m4: A new network for the SGO VPN.

[firewall] / bookends.m4

diff --git a/bookends.m4 b/bookends.m4
index 6caad93..f451c8d 100644 (file)
--- a/bookends.m4
+++ b/bookends.m4
@@ -38,6 +38,8 @@ preserve_chains="filter:fail2ban filter:fail2ban-* $preserve_chains"
 ## Take the various IP versions in turn.
 unref=nil
 for ip in ip ip6; do
+  if [ "$FW_NOACT" ]; then break; fi
+
   for table in $(cat /proc/net/${ip}_tables_names); do
 
     ## Step 1: clear out the builtin chains.
@@ -111,6 +113,10 @@ case $host_type_<::>FWHOST in
 esac
 setopt ip_forward $forward
 setdevopt forwarding $forward
+case $forward in
+  0) inchains="INPUT" ;;
+  1) inchains="INPUT FORWARD" ;;
+esac
 
 ## Set dynamic port allocation.
 setopt ip_local_port_range $open_port_min $open_port_max
@@ -207,10 +213,12 @@ case $forward in
            -m addrtype --dst-type BROADCAST
     run iptables -A FORWARD -g bad-destination-address \
            -d 224.0.0.0/24
+    clearchain check-fwd-multi
     for x in 0 1 2 3 4 5 6 7 8 9 a b c d e f; do
-      run ip6tables -A FORWARD -g bad-destination-address \
-           -d fe${x}2::/16
+      run ip6tables -A check-fwd-multi -g bad-destination-address \
+           -d ff${x}2::/16
     done
+    run ip6tables -A FORWARD -j check-fwd-multi -d ff00::/8
     ;;
 esac
 
@@ -243,5 +251,17 @@ for ip in ip ip6; do
   done
 done
 
+## Dump the resulting configuration.
+if [ "$FW_DEBUG" ]; then
+  for ip in ip ip6; do
+    for table in mangle filter; do
+      echo "----- $ip $table -----"
+      echo
+      ${ip}tables -t $table -nvL
+      echo
+    done
+  done
+fi
+
 m4_divert(-1)
 ###----- That's all, folks --------------------------------------------------