chiark / gitweb /
~mdw / firewall / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
functions.m4: Only call `allow-non-init-frag' on fragments.
[firewall] / functions.m4
diff --git a/functions.m4 b/functions.m4
index c0b90ed4b9f0ee3814aeb3c3c086fc7c6d7194dc..c8a08c449d780759b494ee9e025470563063c564 100644 (file)
--- a/functions.m4
+++ b/functions.m4
@@ -239,7 +239,8 @@ m4_divert(38)m4_dnl
 run ip6tables -N accept-non-init-frag
 run ip6tables -A accept-non-init-frag -j RETURN \
        -m frag --fragfirst
 run ip6tables -N accept-non-init-frag
 run ip6tables -A accept-non-init-frag -j RETURN \
        -m frag --fragfirst
-run ip6tables -A accept-non-init-frag -j ACCEPT
+run ip6tables -A accept-non-init-frag -j ACCEPT \
+       -m ipv6header --header frag
 
 m4_divert(20)m4_dnl
 ## allowservices CHAIN PROTO SERVICE ...
 
 m4_divert(20)m4_dnl
 ## allowservices CHAIN PROTO SERVICE ...
Firewall scripts for distorted.org.uk.