functions.m4, local.m4: Workaround for option parser fragmentation bugs.

[firewall] / functions.m4

diff --git a/functions.m4 b/functions.m4
index 523c42a..0e57ffa 100644 (file)
--- a/functions.m4
+++ b/functions.m4
@@ -50,6 +50,10 @@ defport () {
   eval port_$name=$number
 }
 
+m4_divert(38)m4_dnl
+###--------------------------------------------------------------------------
+### Utility chains (used by function definitions).
+
 m4_divert(22)m4_dnl
 ###--------------------------------------------------------------------------
 ### Basic chain constructions.
@@ -144,15 +148,24 @@ commonrules () {
 
   ## Pass fragments through, assuming that the eventual destination will sort
   ## things out properly.  Except for TCP, that is, which should never be
-  ## fragmented.
+  ## fragmented.  This is an extra pain for ip6tables, which doesn't provide
+  ## a pleasant way to detect non-initial fragments.
   run iptables -A $chain -p tcp -f -g tcp-fragment
   run iptables -A $chain -f -j ACCEPT
   run ip6tables -A $chain -p tcp -g tcp-fragment \
          -m ipv6header --soft --header frag
-  run ip6tables -A $chain -j ACCEPT \
-         -m frag ! --fragfirst
+  run ip6tables -A $chain -j accept-non-init-frag
 }
 
+m4_divert(38)m4_dnl
+## Accept a non-initial fragment.  This is only needed by IPv6, to work
+## around a deficiency in the option parser.
+run ip6tables -N accept-non-init-frag
+run ip6tables -A accept-non-init-frag -j RETURN \
+       -m frag --fragfirst
+run ip6tables -A accept-non-init-frag -j ACCEPT
+
+m4_divert(26)m4_dnl
 ## allowservices CHAIN PROTO SERVICE ...
 ##
 ## Add rules to allow the SERVICES on the CHAIN.