From c70bfbbb00e967323531c7c21ec7db08531be988 Mon Sep 17 00:00:00 2001
From: Mark Wooding <mdw@distorted.org.uk>
Date: Sun, 10 Jul 2011 21:19:47 +0100
Subject: [PATCH] functions.m4, local.m4: Workaround for option parser
 fragmentation bugs.

There are some nasty option parser bugs in iptables 1.4.11.1.  Most
obviously, it refuses to accept `! -f' even though it always used to
work.  (This is Debian #632695.)  Secondly, it sees that ip6tables has
stopped accepting `! --fragfirst'.  I'm not sure this is unintentional,
though it's certainly annoying.

Work around both of these problems by introducing additional chains.
That is, we replace

	iptables -A chain -j action ! --test

by

	iptables -A newchain -j RETURN --test
	iptables -A newchain -j action
	iptables -A chain -j newchain

which is rather unpleasant, really.
---
 base.m4      |  1 +
 functions.m4 | 19 ++++++++++++++++---
 local.m4     | 38 ++++++++++++++++++++++----------------
 3 files changed, 39 insertions(+), 19 deletions(-)

diff --git a/base.m4 b/base.m4
index 7f90914..5170531 100644
--- a/base.m4
+++ b/base.m4
@@ -38,6 +38,7 @@ m4_changecom(<:##:>)
 ### 32	  Set safe IP options.					[bookends]
 ### 34	  Error chains.						[bookends]
 ### 36	  Give loopback traffic a free pass.			[bookends]
+### 38	  Utility chains.					[functions]
 ### 40	Address classification.					[classify]
 ### 42	  Definition of address class policies.			[local]
 ### 44	  Definition of interfaces and addresses.		[local]
diff --git a/functions.m4 b/functions.m4
index 523c42a..0e57ffa 100644
--- a/functions.m4
+++ b/functions.m4
@@ -50,6 +50,10 @@ defport () {
   eval port_$name=$number
 }
 
+m4_divert(38)m4_dnl
+###--------------------------------------------------------------------------
+### Utility chains (used by function definitions).
+
 m4_divert(22)m4_dnl
 ###--------------------------------------------------------------------------
 ### Basic chain constructions.
@@ -144,15 +148,24 @@ commonrules () {
 
   ## Pass fragments through, assuming that the eventual destination will sort
   ## things out properly.  Except for TCP, that is, which should never be
-  ## fragmented.
+  ## fragmented.  This is an extra pain for ip6tables, which doesn't provide
+  ## a pleasant way to detect non-initial fragments.
   run iptables -A $chain -p tcp -f -g tcp-fragment
   run iptables -A $chain -f -j ACCEPT
   run ip6tables -A $chain -p tcp -g tcp-fragment \
 	  -m ipv6header --soft --header frag
-  run ip6tables -A $chain -j ACCEPT \
-	  -m frag ! --fragfirst
+  run ip6tables -A $chain -j accept-non-init-frag
 }
 
+m4_divert(38)m4_dnl
+## Accept a non-initial fragment.  This is only needed by IPv6, to work
+## around a deficiency in the option parser.
+run ip6tables -N accept-non-init-frag
+run ip6tables -A accept-non-init-frag -j RETURN \
+	-m frag --fragfirst
+run ip6tables -A accept-non-init-frag -j ACCEPT
+
+m4_divert(26)m4_dnl
 ## allowservices CHAIN PROTO SERVICE ...
 ##
 ## Add rules to allow the SERVICES on the CHAIN.
diff --git a/local.m4 b/local.m4
index 4123a77..f6b5f46 100644
--- a/local.m4
+++ b/local.m4
@@ -58,39 +58,45 @@ m4_divert(60)m4_dnl
 ###--------------------------------------------------------------------------
 ### Special forwarding exemptions.
 
+## Only allow these packets if they're not fragmented.  (Don't trust safe
+## hosts's fragment reassembly to be robust against malicious fragments.)
+## There's a hideous bug in iptables 1.4.11.1 which botches the meaning of
+## `! -f', so we do the negation using early return from a subchain.
+clearchain fwd-spec-nofrag
+run iptables -A fwd-spec-nofrag -j RETURN --fragment
+run ip6tables -A fwd-spec-nofrag -j RETURN \
+	-m ipv6header --soft --header frag
+run iptables -A FORWARD -j fwd-spec-nofrag
+
 ## Allow ping from safe/noloop to untrusted networks.
-run iptables -A FORWARD -j ACCEPT \
-	-p icmp ! -f --icmp-type echo-request \
+run iptables -A fwd-spec-nofrag -j ACCEPT \
+	-p icmp --icmp-type echo-request \
 	-m mark --mark $to_untrusted/$MASK_TO
-run iptables -A FORWARD -j ACCEPT \
-	-p icmp ! -f --icmp-type echo-reply \
+run iptables -A fwd-spec-nofrag -j ACCEPT \
+	-p icmp --icmp-type echo-reply \
 	-m mark --mark $from_untrusted/$MASK_FROM \
 	-m state --state ESTABLISHED
-run ip6tables -A FORWARD -j ACCEPT \
+run ip6tables -A fwd-spec-nofrag -j ACCEPT \
 	-p ipv6-icmp --icmpv6-type echo-request \
-	-m ipv6header --soft ! --header frag \
 	-m mark --mark $to_untrusted/$MASK_TO
-run ip6tables -A FORWARD -j ACCEPT \
+run ip6tables -A fwd-spec-nofrag -j ACCEPT \
 	-p ipv6-icmp --icmpv6-type echo-reply \
-	-m ipv6header --soft ! --header frag \
 	-m mark --mark $from_untrusted/$MASK_FROM \
 	-m state --state ESTABLISHED
 
 ## Allow SSH from safe/noloop to untrusted networks.
-run iptables -A FORWARD -j ACCEPT \
-	-p tcp ! -f --destination-port $port_ssh \
+run iptables -A fwd-spec-nofrag -j ACCEPT \
+	-p tcp --destination-port $port_ssh \
 	-m mark --mark $to_untrusted/$MASK_TO
-run iptables -A FORWARD -j ACCEPT \
-	-p tcp ! -f --source-port $port_ssh \
+run iptables -A fwd-spec-nofrag -j ACCEPT \
+	-p tcp --source-port $port_ssh \
 	-m mark --mark $from_untrusted/$MASK_FROM \
 	-m state --state ESTABLISHED
-run ip6tables -A FORWARD -j ACCEPT \
+run ip6tables -A fwd-spec-nofrag -j ACCEPT \
 	-p tcp --destination-port $port_ssh \
-	-m ipv6header --soft ! --header frag \
 	-m mark --mark $to_untrusted/$MASK_TO
-run ip6tables -A FORWARD -j ACCEPT \
+run ip6tables -A fwd-spec-nofrag -j ACCEPT \
 	-p tcp --source-port $port_ssh \
-	-m ipv6header --soft ! --header frag \
 	-m mark --mark $from_untrusted/$MASK_FROM \
 	-m state --state ESTABLISHED
 
-- 
2.11.0