Merge branch 'master' into emergency

[firewall] / local.m4

diff --git a/local.m4 b/local.m4
index 4385223..c479ed8 100644 (file)
--- a/local.m4
+++ b/local.m4
@@ -35,10 +35,12 @@ m4_divert(-1)
 
 ## Define the available network classes.
 m4_divert(42)m4_dnl
-defnetclass untrusted untrusted trusted
-defnetclass trusted untrusted trusted safe noloop
-defnetclass safe trusted safe noloop
-defnetclass noloop trusted safe
+defnetclass untrusted untrusted trusted mcast
+defnetclass trusted untrusted trusted safe noloop mcast
+defnetclass safe trusted safe noloop mcast
+defnetclass noloop trusted safe mcast
+defnetclass link
+defnetclass mcast
 m4_divert(-1)
 
 m4_divert(26)m4_dnl
@@ -162,7 +164,7 @@ case $forward in
     run iptables -A fwd-spec-nofrag -j RETURN --fragment
     run ip6tables -A fwd-spec-nofrag -j RETURN \
            -m ipv6header --soft --header frag
-    run iptables -A FORWARD -j fwd-spec-nofrag
+    run ip46tables -A FORWARD -j fwd-spec-nofrag
 
     ## Allow ping from safe/noloop to untrusted networks.
     run iptables -A fwd-spec-nofrag -j ACCEPT \
@@ -173,10 +175,10 @@ case $forward in
            -m mark --mark $from_untrusted/$MASK_FROM \
            -m state --state ESTABLISHED
     run ip6tables -A fwd-spec-nofrag -j ACCEPT \
-           -p ipv6-icmp --icmpv6-type echo-request \
+           -p icmpv6 --icmpv6-type echo-request \
            -m mark --mark $to_untrusted/$MASK_TO
     run ip6tables -A fwd-spec-nofrag -j ACCEPT \
-           -p ipv6-icmp --icmpv6-type echo-reply \
+           -p icmpv6 --icmpv6-type echo-reply \
            -m mark --mark $from_untrusted/$MASK_FROM \
            -m state --state ESTABLISHED
 
@@ -237,22 +239,6 @@ run iptables -A inbound -j ACCEPT \
        -s 172.29.198.0/23 \
        -p udp --source-port $port_bootpc --destination-port $port_bootps
 
-## Incoming multicast on a network interface associated with a trusted
-## network is OK, since it must have originated there (or been forwarded, but
-## we don't do that yet).
-seen=:-:
-for net in $allnets; do
-  eval class=\$net_class_$net
-  case $class in trusted) ;; *) continue ;; esac
-  for iface in $(net_interfaces FWHOST $net); do
-    case "$seen" in *:$iface:*) continue ;; esac
-    seen=$seen$iface:
-    run iptables -A inbound -j ACCEPT \
-       -s 0.0.0.0 -d 224.0.0.0/24 \
-       -i $iface
-  done
-done
-
 ## Allow incoming ping.  This is the only ICMP left.
 run ip46tables -A inbound -j ACCEPT -p icmp
 
@@ -265,12 +251,9 @@ run ip46tables -A inbound -j forbidden
 run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
 
 ## Otherwise process as indicated by the mark.
-run ip46tables -A INPUT -m mark ! --mark 0/$MASK_MASK -j ACCEPT
-case $forward in
-  1)
-    run ip46tables -A FORWARD -m mark ! --mark 0/$MASK_MASK -j ACCEPT
-    ;;
-esac
+for i in $inchains; do
+  run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
+done
 
 m4_divert(-1)
 ###----- That's all, folks --------------------------------------------------