~mdw / firewall / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: b551ada) | patch
functions.m4, local.m4: Workaround for option parser fragmentation bugs.
authorMark Wooding <mdw@distorted.org.uk>
Sun, 10 Jul 2011 20:19:47 +0000 (21:19 +0100)
committerMark Wooding <mdw@distorted.org.uk>
Sun, 10 Jul 2011 21:06:02 +0000 (22:06 +0100)
commitc70bfbbb00e967323531c7c21ec7db08531be988
treef4c1bd90f3d900043ff84b305eaab8d2fccb2142tree | snapshot (tar.gz zip)
parentb551adaf68ad28b57d06295fe3eb32deb171f7b7commit | diff
functions.m4, local.m4: Workaround for option parser fragmentation bugs.

There are some nasty option parser bugs in iptables 1.4.11.1.  Most
obviously, it refuses to accept `! -f' even though it always used to
work.  (This is Debian #632695.)  Secondly, it sees that ip6tables has
stopped accepting `! --fragfirst'.  I'm not sure this is unintentional,
though it's certainly annoying.

Work around both of these problems by introducing additional chains.
That is, we replace

iptables -A chain -j action ! --test

by

iptables -A newchain -j RETURN --test
iptables -A newchain -j action
iptables -A chain -j newchain

which is rather unpleasant, really.
base.m4 diff | blob | blame | history
functions.m4 diff | blob | blame | history
local.m4 diff | blob | blame | history
Firewall scripts for distorted.org.uk.