Merge branch 'master' into emergency

* master:
  Overhaul address classification for link-local and non-unicast addresses.
  functions.m4: Publish the per-class forwarding bitmasks.
  functions.m4: The mark-{from,to}-* rules no longer own the packet marks.
  classify.m4: Use canonical forms for IPv6 addresses.
  local.m4: Actually use the IPv6 fragmentation forbidding filter.
  Extend proper ICMP handling to IPv6.
  bookends.m4: Optimize checking for forwarding IPv6 link-local multicast.
  vampire.m4: Extend services to untrusted hosts over IPv6.
  Introduce variable for expected input chains.

diff --combined local.m4
index 4385223,d084db4..c479ed8
--- 1/local.m4
--- 2/local.m4
+++ b/local.m4
@@@ -35,10 -35,12 +35,12 @@@ m4_divert(-1
  
  ## Define the available network classes.
  m4_divert(42)m4_dnl
- defnetclass untrusted untrusted trusted
- defnetclass trusted untrusted trusted safe noloop
- defnetclass safe trusted safe noloop
- defnetclass noloop trusted safe
+ defnetclass untrusted untrusted trusted mcast
+ defnetclass trusted untrusted trusted safe noloop mcast
+ defnetclass safe trusted safe noloop mcast
+ defnetclass noloop trusted safe mcast
+ defnetclass link
+ defnetclass mcast
  m4_divert(-1)
  
  m4_divert(26)m4_dnl
@@@ -90,14 -92,13 +92,14 @@@ defhost artis
        iface eth1 dmz unsafe
  defhost vampire
        router
 -      iface eth0.0 dmz unsafe safe
 -      iface eth0.1 dmz unsafe safe
 +      iface eth0.0 dmz unsafe safe default
 +      iface eth0.1 dmz unsafe safe default
        iface eth0.2 safe
 -      iface eth0.3 untrusted
 +      iface eth0.3 untrusted default
        iface dns0 dns
        iface vpn-+ vpn
        iface vpn-precision colobdry vpn
 +      iface t6-he default
  defhost ibanez
        iface br-dmz dmz unsafe
        iface br-unsafe unsafe
@@@ -162,7 -163,7 +164,7 @@@ case $forward i
      run iptables -A fwd-spec-nofrag -j RETURN --fragment
      run ip6tables -A fwd-spec-nofrag -j RETURN \
            -m ipv6header --soft --header frag
-     run iptables -A FORWARD -j fwd-spec-nofrag
+     run ip46tables -A FORWARD -j fwd-spec-nofrag
  
      ## Allow ping from safe/noloop to untrusted networks.
      run iptables -A fwd-spec-nofrag -j ACCEPT \
@@@ -173,10 -174,10 +175,10 @@@
            -m mark --mark $from_untrusted/$MASK_FROM \
            -m state --state ESTABLISHED
      run ip6tables -A fwd-spec-nofrag -j ACCEPT \
-           -p ipv6-icmp --icmpv6-type echo-request \
+           -p icmpv6 --icmpv6-type echo-request \
            -m mark --mark $to_untrusted/$MASK_TO
      run ip6tables -A fwd-spec-nofrag -j ACCEPT \
-           -p ipv6-icmp --icmpv6-type echo-reply \
+           -p icmpv6 --icmpv6-type echo-reply \
            -m mark --mark $from_untrusted/$MASK_FROM \
            -m state --state ESTABLISHED
  
@@@ -237,22 -238,6 +239,6 @@@ run iptables -A inbound -j ACCEPT 
        -s 172.29.198.0/23 \
        -p udp --source-port $port_bootpc --destination-port $port_bootps
  
- ## Incoming multicast on a network interface associated with a trusted
- ## network is OK, since it must have originated there (or been forwarded, but
- ## we don't do that yet).
- seen=:-:
- for net in $allnets; do
-   eval class=\$net_class_$net
-   case $class in trusted) ;; *) continue ;; esac
-   for iface in $(net_interfaces FWHOST $net); do
-     case "$seen" in *:$iface:*) continue ;; esac
-     seen=$seen$iface:
-     run iptables -A inbound -j ACCEPT \
-       -s 0.0.0.0 -d 224.0.0.0/24 \
-       -i $iface
-   done
- done
- 
  ## Allow incoming ping.  This is the only ICMP left.
  run ip46tables -A inbound -j ACCEPT -p icmp
  
@@@ -265,12 -250,9 +251,9 @@@ run ip46tables -A inbound -j forbidde
  run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
  
  ## Otherwise process as indicated by the mark.
- run ip46tables -A INPUT -m mark ! --mark 0/$MASK_MASK -j ACCEPT
- case $forward in
-   1)
-     run ip46tables -A FORWARD -m mark ! --mark 0/$MASK_MASK -j ACCEPT
-     ;;
- esac
+ for i in $inchains; do
+   run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
+ done
  
  m4_divert(-1)
  ###----- That's all, folks --------------------------------------------------

diff --combined vampire.m4
index 4e00a49,b3257c7..acd2008
--- 1/vampire.m4
--- 2/vampire.m4
+++ b/vampire.m4
@@@ -31,7 -31,6 +31,7 @@@ allowservices inbound tcp 
        dns iodine \
        ssh \
        smtp submission \
 +      rdesktop \
        gnutella_svc \
        ftp ftp_data \
        rsync \
@@@ -48,8 -47,8 +48,8 @@@ allowservices inbound udp 
  
  ## Extend some services to local untrusted hosts.
  clearchain inbound-untrusted
- run iptables -A inbound -j inbound-untrusted \
-       -s 172.29.198.0/24
+ run iptables -A inbound -j inbound-untrusted -s $net_inet_untrusted
+ run ip6tables -A inbound -j inbound-untrusted -s $net_inet6_untrusted
  
  allowservices inbound-untrusted tcp \
        dns \
@@@ -71,38 -70,5 +71,38 @@@ run iptables -A OUTPUT -m multiport 
  dnsresolver inbound
  ntpclient inbound $ntp_servers
  
 +## IPv6 6-in-4 tunnel.
 +run iptables -A inbound -j ACCEPT \
 +          -p $proto_ipv6 -s 216.66.80.26
 +
 +## NAT for RFC1918 addresses.
 +for i in PREROUTING OUTPUT POSTROUTING; do
 +  run iptables -t nat -P $i ACCEPT 2>/dev/null || :
 +  run iptables -t nat -F $i 2>/dev/null || :
 +done
 +run iptables -t nat -F
 +run iptables -t nat -X
 +
 +run iptables -t nat -N outbound
 +run iptables -t nat -A outbound -j RETURN ! -o eth0.0
 +run iptables -t nat -A outbound -j RETURN ! -s 172.29.198.0/23
 +run iptables -t nat -A outbound -j RETURN -d 62.49.204.144/28
 +run iptables -t nat -A outbound -j RETURN -d 172.29.198.0/23
 +run iptables -t nat -A outbound -j SNAT --to-source 62.49.204.158
 +run iptables -t nat -A POSTROUTING -j outbound
 +
 +## Set up NAT protocol helpers.  In particular, SIP needs some special
 +## twiddling.
 +run modprobe nf_conntrack_sip \
 +  ports=5060 \
 +  sip_direct_signalling=0 \
 +  sip_direct_media=0
 +for p in ftp sip h323; do
 +  run modprobe nf_nat_$p
 +done
 +
 +## Forbid anything complicated to the NAT address.
 +run iptables -A INPUT -d 62.49.204.158 ! -p icmp -j REJECT
 +
  m4_divert(-1)
  ###----- That's all, folks --------------------------------------------------