functions.m4, local.m4: Workaround for option parser fragmentation bugs.

[firewall] / local.m4

diff --git a/local.m4 b/local.m4
index 4123a77..f6b5f46 100644 (file)
--- a/local.m4
+++ b/local.m4
@@ -58,39 +58,45 @@ m4_divert(60)m4_dnl
 ###--------------------------------------------------------------------------
 ### Special forwarding exemptions.
 
+## Only allow these packets if they're not fragmented.  (Don't trust safe
+## hosts's fragment reassembly to be robust against malicious fragments.)
+## There's a hideous bug in iptables 1.4.11.1 which botches the meaning of
+## `! -f', so we do the negation using early return from a subchain.
+clearchain fwd-spec-nofrag
+run iptables -A fwd-spec-nofrag -j RETURN --fragment
+run ip6tables -A fwd-spec-nofrag -j RETURN \
+       -m ipv6header --soft --header frag
+run iptables -A FORWARD -j fwd-spec-nofrag
+
 ## Allow ping from safe/noloop to untrusted networks.
-run iptables -A FORWARD -j ACCEPT \
-       -p icmp ! -f --icmp-type echo-request \
+run iptables -A fwd-spec-nofrag -j ACCEPT \
+       -p icmp --icmp-type echo-request \
        -m mark --mark $to_untrusted/$MASK_TO
-run iptables -A FORWARD -j ACCEPT \
-       -p icmp ! -f --icmp-type echo-reply \
+run iptables -A fwd-spec-nofrag -j ACCEPT \
+       -p icmp --icmp-type echo-reply \
        -m mark --mark $from_untrusted/$MASK_FROM \
        -m state --state ESTABLISHED
-run ip6tables -A FORWARD -j ACCEPT \
+run ip6tables -A fwd-spec-nofrag -j ACCEPT \
        -p ipv6-icmp --icmpv6-type echo-request \
-       -m ipv6header --soft ! --header frag \
        -m mark --mark $to_untrusted/$MASK_TO
-run ip6tables -A FORWARD -j ACCEPT \
+run ip6tables -A fwd-spec-nofrag -j ACCEPT \
        -p ipv6-icmp --icmpv6-type echo-reply \
-       -m ipv6header --soft ! --header frag \
        -m mark --mark $from_untrusted/$MASK_FROM \
        -m state --state ESTABLISHED
 
 ## Allow SSH from safe/noloop to untrusted networks.
-run iptables -A FORWARD -j ACCEPT \
-       -p tcp ! -f --destination-port $port_ssh \
+run iptables -A fwd-spec-nofrag -j ACCEPT \
+       -p tcp --destination-port $port_ssh \
        -m mark --mark $to_untrusted/$MASK_TO
-run iptables -A FORWARD -j ACCEPT \
-       -p tcp ! -f --source-port $port_ssh \
+run iptables -A fwd-spec-nofrag -j ACCEPT \
+       -p tcp --source-port $port_ssh \
        -m mark --mark $from_untrusted/$MASK_FROM \
        -m state --state ESTABLISHED
-run ip6tables -A FORWARD -j ACCEPT \
+run ip6tables -A fwd-spec-nofrag -j ACCEPT \
        -p tcp --destination-port $port_ssh \
-       -m ipv6header --soft ! --header frag \
        -m mark --mark $to_untrusted/$MASK_TO
-run ip6tables -A FORWARD -j ACCEPT \
+run ip6tables -A fwd-spec-nofrag -j ACCEPT \
        -p tcp --source-port $port_ssh \
-       -m ipv6header --soft ! --header frag \
        -m mark --mark $from_untrusted/$MASK_FROM \
        -m state --state ESTABLISHED