X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/blobdiff_plain/45da078e5fc0936d3405377f8a978544913f9b05..38e85ca3b58ddcf50c7db608f5baa2fd19771f8a:/functions.m4

diff --git a/functions.m4 b/functions.m4
index 1cd0db5..765a94d 100644
--- a/functions.m4
+++ b/functions.m4
@@ -239,7 +239,8 @@ m4_divert(38)m4_dnl
 run ip6tables -N accept-non-init-frag
 run ip6tables -A accept-non-init-frag -j RETURN \
 	-m frag --fragfirst
-run ip6tables -A accept-non-init-frag -j ACCEPT
+run ip6tables -A accept-non-init-frag -j ACCEPT \
+	-m ipv6header --header frag
 
 m4_divert(20)m4_dnl
 ## allowservices CHAIN PROTO SERVICE ...
@@ -300,8 +301,11 @@ ntpclient () {
   ntpchain=$1; shift
 
   clearchain ntp-servers
-  for ntp; do run iptables -A ntp-servers -j ACCEPT -s $ntp; done
-  run iptables -A $ntpchain -j ntp-servers \
+  for ntp; do
+    case $ntp in *:*) ipt=ip6tables ;; *) ipt=iptables ;; esac
+    run $ipt -A ntp-servers -j ACCEPT -s $ntp;
+  done
+  run ip46tables -A $ntpchain -j ntp-servers \
 	  -p udp --source-port 123 --destination-port 123
 }
 
@@ -349,6 +353,50 @@ openports () {
   run ip46tables -A $chain -p udp -g interesting --destination-port $1:$2
 }
 
+bcp38_setup=:
+bcp38 () {
+  ipv=$1 ifname=$2; shift 2
+  ## Add rules for BCP38 egress filtering for IP version IPV (either 4 or 6).
+  ## IFNAME is the outgoing interface; the remaining arguments are network
+  ## prefixes.
+
+  ## Sort out which command we're using
+  case $ipv in
+    4) ipt=iptables ;;
+    6) ipt=ip6tables ;;
+    *) echo >&2 "Unknown IP version $ipv"; exit 1 ;;
+  esac
+
+  ## If we've not set up the error chain then do that.
+  case $bcp38_setup in
+    :)
+      errorchain bcp38 DROP
+      clearchain bcp38-check
+      ip46tables -A bcp38-check -g bcp38
+      ;;
+  esac
+
+  ## Stitch our egress filter into the outbound chains if we haven't done
+  ## that yet.  Do this for both IP versions: if we're only ever given
+  ## IPv6 addresses for a particular interface then we assume that IPv4
+  ## packets aren't allowed on it at all.
+  case $bcp38_setup in
+    *:$ifname:*) ;;
+    *)
+      run ip46tables -A OUTPUT -j bcp38-check -o $ifname
+      case $forward in
+	1) run ip46tables -A FORWARD -j bcp38-check -o $ifname ;;
+      esac
+      bcp38_setup=$bcp38_setup$ifname:
+      ;;
+  esac
+
+  ## Finally, add in our allowed networks.
+  for i in "$@"; do
+    run $ipt -I bcp38-check -j RETURN -s $i
+  done
+}
+
 m4_divert(20)m4_dnl
 ###--------------------------------------------------------------------------
 ### Packet classification.