From 261286113a59c518fa027d882e05b9101e869263 Mon Sep 17 00:00:00 2001
From: bbruns
Date: Sat, 12 Feb 2011 20:41:43 +0000
Subject: [PATCH] IPv6 ICMP criticals

---
 ChangeLog          |  1 +
 bin/firewall-sosdg | 11 +++++++++++
 options.default    |  8 +++++++-
 3 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 12aad8a..72c7296 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,7 @@
 0.9.12 - Brielle Bruns
 - Change IPV6_ROUTEDCLIENTBLOCK so you can specify ranges to block incoming to.
+ - Add support for allowing IPV6 critical ICMP messages, on by default
 0.9.11 - Brielle Bruns
 - Move some of the config clutter to conf/ - you can
diff --git a/bin/firewall-sosdg b/bin/firewall-sosdg
index 38fb2e3..4f2e2f3 100755
--- a/bin/firewall-sosdg
+++ b/bin/firewall-sosdg
@@ -817,6 +817,17 @@ fi
 fi
 fi
 
+ if [ "$IPV6_ICMP_OPT" ]; then
+ $IP6TABLES -A INPUT -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
+ $IP6TABLES -A INPUT -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
+ $IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
+ $IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
+ if [ "$IPV6_FORWARDRANGE" ]; then
+ $IP6TABLES -A FORWARD -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
+ $IP6TABLES -A FORWARD -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
+ fi
+ fi
+
 if [ -s "$BASEDIR/include/ipv6_custom_mssclamp" ]; then
 display_c YELLOW "Loading custom IPv6 MSS Clamp rules..."
 . "$BASEDIR/include/ipv6_custom_mssclamp"
diff --git a/options.default b/options.default
index 672fea4..6c47963 100755
--- a/options.default
+++ b/options.default
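Review bot: The two new INPUT rules accept ICMPv6 destination-unreachable and parameter-problem from any source, unconditionally and without a rate limit, so a host that never sent the triggering packet still accepts them; since these are error messages that only matter in reply to the host's own traffic, consider restricting them to conntrack RELATED state if the script already loads IPv6 conntrack, or at least bounding them, e.g. `$IP6TABLES -A INPUT -p icmpv6 --icmpv6-type destination-unreachable -m limit --limit 10/s -j ACCEPT` on each INPUT rule. The guard `[ "$IPV6_ICMP_OPT" ]` enables the rules for any non-empty value, including `0`; if the rest of the script uses the same idiom that is consistent, otherwise `[ "$IPV6_ICMP_OPT" = 1 ]` would match what an operator expects. The FORWARD rules are gated on IPV6_FORWARDRANGE being set but do not use its value, so they accept for every forwarded address rather than just that range — presumably fine if the neighbouring forward rules behave the same way, but worth confirming. The surrounding if/fi chain begins before this hunk.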
@@ -217,4 +217,10 @@ BLOCKEDIP=$BASEDIR/conf/ipv4-blocked
 # Allow critical ICMP messages to go through, such as packet too big.
 # You should _really_ make sure you don't disable this if you have any
 # kind of MTU changes inside or outside your network.
-IPV6_ICMP_CRITICAL=1
\ No newline at end of file
+# Allows: time-exceeded packet-too-big
+IPV6_ICMP_CRITICAL=1
+
+# Allow other common IPV6 ICMP messages through the firewall. Though not
+# really critical, these can help with general IPv6 usage/diagnostic
+# Allows: destination-unreachable parameter-problem
+#IPV6_ICMP_OPT=1
\ No newline at end of file
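Review bot: The new IPV6_ICMP_OPT comment does not say how the option is disabled, and because the script tests the variable with `[ "$IPV6_ICMP_OPT" ]`, setting it to `0` still turns the rules on; add a line such as `# Leave commented out (unset) to disable; any non-empty value enables these rules.` above the commented default. The ChangeLog entry in this commit describes the change as allowing "critical ICMP messages, on by default", but what this hunk introduces is IPV6_ICMP_OPT, documented here as "not really critical" and shipped commented out, so one of the two descriptions should be brought in line with the other. The file still ends without a trailing newline, which the next edit to this file will keep churning on.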