IPv6 ICMP criticals

13 years ago · 4b89a59d71
parent 192040ebf2
commit 4b89a59d71
3 changed files with 26 additions and 10 deletions
--- a/bin/firewall-sosdg
+++ b/bin/firewall-sosdg
@ -18,7 +18,7 @@
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.

-FW_VERSION="0.9.11"
+FW_VERSION="0.9.12"

 # These option is here to help pre-1.0 users easily upgrade, defines critical defaults
 # that would otherwise require remaking their options file.  I leave this on by default,
@ -801,11 +801,28 @@ if [ "$IPV6_BLOCKEDIP" ]; then
 	done
 fi

+	if [ "$IPV6_ICMP_CRITICAL" ]; then
+			# This is necessary to make sure that PMTU works
+			$IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type time-exceeded \
+			-j ACCEPT
+			$IP6TABLES -A INPUT -p icmpv6 --icmpv6-type time-exceeded \
+			-j ACCEPT
+			$IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type packet-too-big \
+			-j ACCEPT
+			$IP6TABLES -A INPUT -p icmpv6 --icmpv6-type packet-too-big \
+			-j ACCEPT
+			if [ "$IPV6_FORWARDRANGE" ]; then
+				$IP6TABLES -A FORWARD -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
+				$IP6TABLES -A FORWARD -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
+			fi
+	fi
+	
 	if [ -s "$BASEDIR/include/ipv6_custom_mssclamp" ]; then
 		display_c YELLOW "Loading custom IPv6 MSS Clamp rules..."
 		. "$BASEDIR/include/ipv6_custom_mssclamp"
 	fi

+
 	if [ "$IPV6_CLAMPMSS" ]; then
 		display_c YELLOW "Clamping IPV6 MSS to PMTU..."
 		for i in $IPV6_CLAMPMSS; do
@ -815,15 +832,6 @@ fi
 			$IP6TABLES -A OUTPUT -p tcp --tcp-flags SYN,RST SYN \
 			-j TCPMSS --clamp-mss-to-pmtu -o $i -m tcpmss \
 			--mss 1280:1536
-			# This is necessary to make sure that PMTU works
-			$IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type time-exceeded \
-			-o $i -j ACCEPT
-			$IP6TABLES -A INPUT -p icmpv6 --icmpv6-type time-exceeded \
-			-i $i -j ACCEPT
-			$IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type packet-too-big \
-			-o $i -j ACCEPT
-			$IP6TABLES -A INPUT -p icmpv6 --icmpv6-type packet-too-big \
-			-i $i -j ACCEPT
 		done
 	fi

--- a/include/static
+++ b/include/static
@ -71,3 +71,6 @@ EXTIP="auto"
 EXTIF="eth0"
 EXTIF_FIND="$BASEDIR/bin/get_default_if"
 EXTIP_FIND="$BASEDIR/bin/get_default_ip"
+
+# By default, we allow ipv6 critical icmp
+IPV6_ICMP_CRITICAL=1
--- a/options.default
+++ b/options.default
@ -213,3 +213,8 @@ BLOCKEDIP=$BASEDIR/conf/ipv4-blocked

 # IPv6 range to forward
 #IPV6_FORWARDRANGE=""
+
+# Allow critical ICMP messages to go through, such as packet too big.
+# You should _really_ make sure you don't disable this if you have any
+# kind of MTU changes inside or outside your network.
+IPV6_ICMP_CRITICAL=1