From: Mark Wooding Date: Thu, 26 Mar 2015 21:57:00 +0000 (+0000) Subject: functions.m4: Only call `allow-non-init-frag' on fragments. X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/commitdiff_plain/3596231a92081cbe4fb32c474d6e6554fdc6c457 functions.m4: Only call `allow-non-init-frag' on fragments. Otherwise we let in all non-fragmented packets. Oops. --- diff --git a/functions.m4 b/functions.m4 index c0b90ed..c8a08c4 100644 --- a/functions.m4 +++ b/functions.m4 @@ -239,7 +239,8 @@ m4_divert(38)m4_dnl run ip6tables -N accept-non-init-frag run ip6tables -A accept-non-init-frag -j RETURN \ -m frag --fragfirst -run ip6tables -A accept-non-init-frag -j ACCEPT +run ip6tables -A accept-non-init-frag -j ACCEPT \ + -m ipv6header --header frag m4_divert(20)m4_dnl ## allowservices CHAIN PROTO SERVICE ...
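Review bot: the new `-m ipv6header --header frag` on the ACCEPT rule is a strict match, so a non-initial fragment that also carries another extension header (hop-by-hop or destination options, say) will not match and falls through to the end of the chain instead of being accepted; add `--soft` so any packet containing a fragment header matches, or collapse the two rules into `run ip6tables -A accept-non-init-frag -j ACCEPT -m frag ! --fragfirst`, which matches exactly the non-initial fragments the chain name promises. Either way the chain now returns for non-fragmented packets, which is the fix the commit message describes.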