X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/blobdiff_plain/17a45245166c336172d7843e70a089f6e70e0b90..4aa2b49cc41cd34e1fc54858ca26c190d5b925cc:/functions.m4

diff --git a/functions.m4 b/functions.m4
index 3cd570d..c0b90ed 100644
--- a/functions.m4
+++ b/functions.m4
@@ -109,11 +109,19 @@ clearchain () {
 makeset () {
   set -e
   name=$1; shift
-  if ipset -nL | grep -q "^Name: $name$"; then
-    :
-  else
-    ipset -N "$name" "$@"
-  fi
+  v=$(ipset --version)
+  createp=t
+  case "$v" in
+    "ipset v4"*)
+      if ipset -nL | grep -q "^Name: $name\$"; then createp=nil; fi
+      ;;
+    *)
+      if ipset -n -L | grep -q "^$name\$"; then createp=nil; fi
+      ;;
+  esac
+  case $createp in
+    t) ipset -N "$name" "$@" ;;
+  esac
 }
 
 ## errorchain CHAIN ACTION ARGS ...
@@ -341,6 +349,50 @@ openports () {
   run ip46tables -A $chain -p udp -g interesting --destination-port $1:$2
 }
 
+bcp38_setup=:
+bcp38 () {
+  ipv=$1 ifname=$2; shift 2
+  ## Add rules for BCP38 egress filtering for IP version IPV (either 4 or 6).
+  ## IFNAME is the outgoing interface; the remaining arguments are network
+  ## prefixes.
+
+  ## Sort out which command we're using
+  case $ipv in
+    4) ipt=iptables ;;
+    6) ipt=ip6tables ;;
+    *) echo >&2 "Unknown IP version $ipv"; exit 1 ;;
+  esac
+
+  ## If we've not set up the error chain then do that.
+  case $bcp38_setup in
+    :)
+      errorchain bcp38 DROP
+      clearchain bcp38-check
+      ip46tables -A bcp38-check -g bcp38
+      ;;
+  esac
+
+  ## Stitch our egress filter into the outbound chains if we haven't done
+  ## that yet.  Do this for both IP versions: if we're only ever given
+  ## IPv6 addresses for a particular interface then we assume that IPv4
+  ## packets aren't allowed on it at all.
+  case $bcp38_setup in
+    *:$ifname:*) ;;
+    *)
+      run ip46tables -A OUTPUT -j bcp38-check -o $ifname
+      case $forward in
+	1) run ip46tables -A FORWARD -j bcp38-check -o $ifname ;;
+      esac
+      bcp38_setup=$bcp38_setup$ifname:
+      ;;
+  esac
+
+  ## Finally, add in our allowed networks.
+  for i in "$@"; do
+    run $ipt -I bcp38-check -j RETURN -s $i
+  done
+}
+
 m4_divert(20)m4_dnl
 ###--------------------------------------------------------------------------
 ### Packet classification.