X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/blobdiff_plain/bfdc045deb6149808d309b4ac3c292d9c57a8b38..6f0a7bc1a8dec07b7768a1b6d8f592190c7e63d4:/functions.m4
diff --git a/functions.m4 b/functions.m4
index 66a83f3..85afc10 100644
--- a/functions.m4
+++ b/functions.m4
@@ -82,7 +82,7 @@ errorchain () {
   clearchain $table:$chain
   run iptables -t $table -A $chain -j LOG \
     -m limit --limit 3/minute --limit-burst 10 \
-    --log-prefix "new fw: $chain " --log-level notice
+    --log-prefix "fw: $chain " --log-level notice
   run iptables -t $table -A $chain -j "$@"
 }
 
@@ -126,6 +126,20 @@ conntrack () {
   run iptables -A $chain -p tcp ! --syn -g bad-tcp
 }
 
+## commonrules CHAIN
+##
+## Add standard IP filtering rules to the CHAIN.
+commonrules () {
+  set -e
+  chain=$1
+
+  ## Pass fragments through, assuming that the eventual destination will sort
+  ## things out properly. Except for TCP, that is, which should never be
+  ## fragmented.
+  run iptables -A $chain -p tcp -f -g tcp-fragment
+  run iptables -A $chain -f -j ACCEPT
+}
+
 ## allowservices CHAIN PROTO SERVICE ...
 ##
 ## Add rules to allow the SERVICES on the CHAIN.
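Review bot: The new `--log-prefix "fw: $chain "` is still built from an unbounded chain name, and the LOG target silently truncates the prefix at 29 characters, so a long CHAIN loses its tail (including the trailing space that separates the prefix from the packet fields) and log-parsing rules keyed on the full name may not match. Shortening "new fw:" to "fw:" buys four characters but does not document the limit for the next person who lengthens it; a comment above the rule would help, e.g. `## LOG --log-prefix is limited to 29 characters; keep the prefix short.`. Anything that filters syslog on the old "new fw:" prefix presumably needs updating at the same time. errorchain's body begins outside the hunk.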
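Review bot: The second rule in commonrules, `run iptables -A $chain -f -j ACCEPT`, admits every non-first fragment of every non-TCP protocol before any later rule in CHAIN sees it, so it only does what the comment describes if commonrules is appended before the per-service rules; that ordering requirement is not stated anywhere in the hunk. With conntrack loaded the kernel presumably reassembles fragments before they reach the filter table, so `-f` would rarely match and these rules act as a fallback for the no-conntrack case; that is worth recording so nobody later relies on `tcp-fragment` as the primary TCP fragment defence. I would extend the header comment with `## Must be called before any per-service rules are added to CHAIN.` and note in the fragment comment that it only applies when defragmentation is not already done by conntrack. The `tcp-fragment` chain is referenced but not created here; the comment should say where it is expected to come from.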