From 3596231a92081cbe4fb32c474d6e6554fdc6c457 Mon Sep 17 00:00:00 2001
From: Mark Wooding
Date: Thu, 26 Mar 2015 21:57:00 +0000
Subject: [PATCH] functions.m4: Only call `allow-non-init-frag' on fragments.

Otherwise we let in all non-fragmented packets. Oops.
---
 functions.m4 | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/functions.m4 b/functions.m4
index c0b90ed..c8a08c4 100644
--- a/functions.m4
+++ b/functions.m4
@@ -239,7 +239,8 @@ m4_divert(38)m4_dnl
 run ip6tables -N accept-non-init-frag
 run ip6tables -A accept-non-init-frag -j RETURN \
 -m frag --fragfirst
-run ip6tables -A accept-non-init-frag -j ACCEPT
+run ip6tables -A accept-non-init-frag -j ACCEPT \
+ -m ipv6header --header frag
 m4_divert(20)m4_dnl
 ## allowservices CHAIN PROTO SERVICE ...
-- 
2.11.0
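Review bot: The added `-m ipv6header --header frag` match on the ACCEPT rule is written without `--soft`, and the ip6tables-extensions manual describes that form as matching only packets whose header set is exactly the one listed. A non-initial fragment that also carries a hop-by-hop, routing or destination-options header would then miss the rule, and because the match counts the upper-layer header as its own `prot` entry, it is worth confirming with the rule's packet counters that ordinary fragments hit it at all. The failure is on the closed side (such fragments fall off the end of the chain instead of being accepted), but if the intent is "any packet that has a fragment header", `-m ipv6header --soft --header frag` states that directly. The enclosing `m4_divert(38)` section starts before the hunk, so the rules that jump to this chain are not visible here.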