eval port_$name=$number
}
+m4_divert(38)m4_dnl
+###--------------------------------------------------------------------------
+### Utility chains (used by function definitions).
+
m4_divert(22)m4_dnl
###--------------------------------------------------------------------------
### Basic chain constructions.
## Pass fragments through, assuming that the eventual destination will sort
## things out properly. Except for TCP, that is, which should never be
- ## fragmented.
+ ## fragmented. This is an extra pain for ip6tables, which doesn't provide
+ ## a pleasant way to detect non-initial fragments.
run iptables -A $chain -p tcp -f -g tcp-fragment
run iptables -A $chain -f -j ACCEPT
run ip6tables -A $chain -p tcp -g tcp-fragment \
-m ipv6header --soft --header frag
- run ip6tables -A $chain -j ACCEPT \
- -m frag ! --fragfirst
+ run ip6tables -A $chain -j accept-non-init-frag
}
+m4_divert(38)m4_dnl
+## Accept a non-initial fragment. This is only needed by IPv6, to work
+## around a deficiency in the option parser.
+run ip6tables -N accept-non-init-frag
+run ip6tables -A accept-non-init-frag -j RETURN \
+ -m frag --fragfirst
+run ip6tables -A accept-non-init-frag -j ACCEPT
+
+m4_divert(26)m4_dnl
## allowservices CHAIN PROTO SERVICE ...
##
## Add rules to allow the SERVICES on the CHAIN.
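Review bot: The new `-j accept-non-init-frag` jump on the `run ip6tables -A $chain` line is unqualified, so every IPv6 packet that reaches it enters the chain, and the chain's only RETURN is for packets matching `-m frag --fragfirst`; a packet with no fragment header at all does not match the frag module and falls through to the unconditional ACCEPT, which would pass all unfragmented IPv6 traffic on that chain. The removed `-m frag ! --fragfirst` rule only accepted packets that actually carried a fragment header, so this appears to be a regression rather than an equivalent rewrite. Gate the jump the same way the tcp-fragment rule just above it is gated: `run ip6tables -A $chain -j accept-non-init-frag \` / `-m ipv6header --soft --header frag`, so only fragmented packets are ever handed to the helper chain (alternatively add a leading `-j RETURN` in accept-non-init-frag for packets without a fragment header). The function that contains these rules begins before this hunk, so its name and other callers are not visible here.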