From 4b89a59d7174c274ccfcc0433589fd358c98bddd Mon Sep 17 00:00:00 2001
From: bbruns
Date: Sat, 12 Feb 2011 20:20:11 +0000
Subject: [PATCH] IPv6 ICMP criticals

---
 bin/firewall-sosdg | 28 ++++++++++++++++++----------
 include/static | 3 +++
 options.default | 5 +++++
 3 files changed, 26 insertions(+), 10 deletions(-)

diff --git a/bin/firewall-sosdg b/bin/firewall-sosdg
index 499677a..38fb2e3 100755
--- a/bin/firewall-sosdg
+++ b/bin/firewall-sosdg
@@ -18,7 +18,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see .
 
-FW_VERSION="0.9.11"
+FW_VERSION="0.9.12"
 
 # These option is here to help pre-1.0 users easily upgrade, defines critical defaults
 # that would otherwise require remaking their options file. I leave this on by default,
@@ -801,11 +801,28 @@ if [ "$IPV6_BLOCKEDIP" ]; then
 done
 fi
 
+ if [ "$IPV6_ICMP_CRITICAL" ]; then
+ # This is necessary to make sure that PMTU works
+ $IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type time-exceeded \
+ -j ACCEPT
+ $IP6TABLES -A INPUT -p icmpv6 --icmpv6-type time-exceeded \
+ -j ACCEPT
+ $IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type packet-too-big \
+ -j ACCEPT
+ $IP6TABLES -A INPUT -p icmpv6 --icmpv6-type packet-too-big \
+ -j ACCEPT
+ if [ "$IPV6_FORWARDRANGE" ]; then
+ $IP6TABLES -A FORWARD -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
+ $IP6TABLES -A FORWARD -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
+ fi
+ fi
+
 if [ -s "$BASEDIR/include/ipv6_custom_mssclamp" ]; then
 display_c YELLOW "Loading custom IPv6 MSS Clamp rules..."
 . "$BASEDIR/include/ipv6_custom_mssclamp"
 fi
+
 if [ "$IPV6_CLAMPMSS" ]; then
 display_c YELLOW "Clamping IPV6 MSS to PMTU..."
 for i in $IPV6_CLAMPMSS; do
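Review bot: The accept list under `IPV6_ICMP_CRITICAL` in the second hunk is incomplete for its stated purpose: RFC 4890 section 4.3.1 names `destination-unreachable` and `parameter-problem` together with `packet-too-big` and `time-exceeded` as ICMPv6 errors a firewall must not drop, and the new block covers only the latter two, so hosts behind this ruleset still black-hole on the missing ones while the option name suggests all critical types are handled. Widening the rules from the per-`$i` clamp interfaces to interface-independent INPUT/OUTPUT/FORWARD accepts is the right scope for PMTU, but the carried-over comment `# This is necessary to make sure that PMTU works` no longer explains why no `-i`/`-o` is given; say so explicitly. Because the rules are appended after the IPV6_BLOCKEDIP loop, addresses on the block list still appear to be dropped first, which is an ordering invariant worth a comment of its own. The rewrite below folds the four types into one loop; the enclosing `if` block that this code sits in starts before the hunk.
```shell
	if [ "$IPV6_ICMP_CRITICAL" ]; then
		# RFC 4890 4.3.1: ICMPv6 errors that must never be dropped, or
		# PMTU discovery and error reporting break. Deliberately not bound
		# to an interface: any path can originate them. Must stay after
		# the IPV6_BLOCKEDIP rules so listed sources are still dropped.
		for icmptype in destination-unreachable packet-too-big \
				time-exceeded parameter-problem; do
			$IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type "$icmptype" -j ACCEPT
			$IP6TABLES -A INPUT -p icmpv6 --icmpv6-type "$icmptype" -j ACCEPT
			if [ "$IPV6_FORWARDRANGE" ]; then
				$IP6TABLES -A FORWARD -p icmpv6 --icmpv6-type "$icmptype" -j ACCEPT
			fi
		done
	fi
	# … unchanged: ipv6_custom_mssclamp include and IPV6_CLAMPMSS loop …
```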
@@ -815,15 +832,6 @@ fi
 $IP6TABLES -A OUTPUT -p tcp --tcp-flags SYN,RST SYN \
 -j TCPMSS --clamp-mss-to-pmtu -o $i -m tcpmss \
 --mss 1280:1536
- # This is necessary to make sure that PMTU works
- $IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type time-exceeded \
- -o $i -j ACCEPT
- $IP6TABLES -A INPUT -p icmpv6 --icmpv6-type time-exceeded \
- -i $i -j ACCEPT
- $IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type packet-too-big \
- -o $i -j ACCEPT
- $IP6TABLES -A INPUT -p icmpv6 --icmpv6-type packet-too-big \
- -i $i -j ACCEPT
 done
 fi
 
diff --git a/include/static b/include/static
index 3c9030c..4e67458 100755
--- a/include/static
+++ b/include/static
@@ -71,3 +71,6 @@ EXTIP="auto"
 EXTIF="eth0"
 EXTIF_FIND="$BASEDIR/bin/get_default_if"
 EXTIP_FIND="$BASEDIR/bin/get_default_ip"
+
+# By default, we allow ipv6 critical icmp
+IPV6_ICMP_CRITICAL=1
diff --git a/options.default b/options.default
index 89e7f07..672fea4 100755
--- a/options.default
+++ b/options.default
@@ -213,3 +213,8 @@ BLOCKEDIP=$BASEDIR/conf/ipv4-blocked
 # IPv6 range to forward
 #IPV6_FORWARDRANGE=""
 
+
+# Allow critical ICMP messages to go through, such as packet too big.
+# You should _really_ make sure you don't disable this if you have any
+# kind of MTU changes inside or outside your network.
+IPV6_ICMP_CRITICAL=1
\ No newline at end of file
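Review bot: The new `IPV6_ICMP_CRITICAL` comment in options.default does not say how to turn the option off, and the guard added in bin/firewall-sosdg is `[ "$IPV6_ICMP_CRITICAL" ]`, which is true for any non-empty string, so a user who writes `IPV6_ICMP_CRITICAL=0` keeps the rules while believing they disabled them. Since include/static now also defaults the variable to 1, the only working opt-out is an empty value, the same convention as `#IPV6_FORWARDRANGE=""` just above it. Add `# Set it to "" (empty) to disable; 0 does NOT disable it.` under the existing comment so the two files agree. The hunk also ends with `\ No newline at end of file`; sourcing still works, but a later append to this file would fuse onto the `IPV6_ICMP_CRITICAL=1` line, so a trailing newline is worth adding.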