## Define the available network classes.
m4_divert(42)m4_dnl
-defnetclass untrusted untrusted trusted
-defnetclass trusted untrusted trusted safe noloop
-defnetclass safe trusted safe noloop
-defnetclass noloop trusted safe
+defnetclass untrusted untrusted trusted mcast
+defnetclass trusted untrusted trusted safe noloop mcast
+defnetclass safe trusted safe noloop mcast
+defnetclass noloop trusted safe mcast
+defnetclass link
+defnetclass mcast
m4_divert(-1)
m4_divert(26)m4_dnl
run iptables -A fwd-spec-nofrag -j RETURN --fragment
run ip6tables -A fwd-spec-nofrag -j RETURN \
-m ipv6header --soft --header frag
- run iptables -A FORWARD -j fwd-spec-nofrag
+ run ip46tables -A FORWARD -j fwd-spec-nofrag
## Allow ping from safe/noloop to untrusted networks.
run iptables -A fwd-spec-nofrag -j ACCEPT \
-m mark --mark $from_untrusted/$MASK_FROM \
-m state --state ESTABLISHED
run ip6tables -A fwd-spec-nofrag -j ACCEPT \
- -p ipv6-icmp --icmpv6-type echo-request \
+ -p icmpv6 --icmpv6-type echo-request \
-m mark --mark $to_untrusted/$MASK_TO
run ip6tables -A fwd-spec-nofrag -j ACCEPT \
- -p ipv6-icmp --icmpv6-type echo-reply \
+ -p icmpv6 --icmpv6-type echo-reply \
-m mark --mark $from_untrusted/$MASK_FROM \
-m state --state ESTABLISHED
-s 172.29.198.0/23 \
-p udp --source-port $port_bootpc --destination-port $port_bootps
-## Incoming multicast on a network interface associated with a trusted
-## network is OK, since it must have originated there (or been forwarded, but
-## we don't do that yet).
-seen=:-:
-for net in $allnets; do
- eval class=\$net_class_$net
- case $class in trusted) ;; *) continue ;; esac
- for iface in $(net_interfaces FWHOST $net); do
- case "$seen" in *:$iface:*) continue ;; esac
- seen=$seen$iface:
- run iptables -A inbound -j ACCEPT \
- -s 0.0.0.0 -d 224.0.0.0/24 \
- -i $iface
- done
-done
-
## Allow incoming ping. This is the only ICMP left.
run ip46tables -A inbound -j ACCEPT -p icmp
run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
## Otherwise process as indicated by the mark.
-run ip46tables -A INPUT -m mark ! --mark 0/$MASK_MASK -j ACCEPT
-case $forward in
- 1)
- run ip46tables -A FORWARD -m mark ! --mark 0/$MASK_MASK -j ACCEPT
- ;;
-esac
+for i in $inchains; do
+ run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
+done
m4_divert(-1)
###----- That's all, folks --------------------------------------------------