Blame SOURCES/firewalld-0.7-0003-nftables-support-RFC3964_IPv4-filtering.patch

21c891
From b0267902150824c1e0e6e626921181e461a101bd Mon Sep 17 00:00:00 2001
21c891
From: Eric Garver <e@erig.me>
21c891
Date: Wed, 19 Dec 2018 14:20:46 -0500
21c891
Subject: [PATCH 3/8] nftables: support RFC3964_IPv4 filtering
21c891
21c891
(cherry picked from commit 5afa02271418284ae95dc81304c7af65ff6e41ae)
21c891
---
21c891
 src/firewall/core/nftables.py | 27 ++++++++++++++++++++++++++-
21c891
 1 file changed, 26 insertions(+), 1 deletion(-)
21c891
21c891
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
21c891
index 72f2180ec504..1d0ce24d68a2 100644
21c891
--- a/src/firewall/core/nftables.py
21c891
+++ b/src/firewall/core/nftables.py
21c891
@@ -54,7 +54,7 @@ IPTABLES_TO_NFT_HOOK = {
21c891
     #},
21c891
     "raw": {
21c891
         "PREROUTING": ("prerouting", -300 + NFT_HOOK_OFFSET),
21c891
-    #    "OUTPUT": ("output", -300 + NFT_HOOK_OFFSET),
21c891
+        "OUTPUT": ("output", -300 + NFT_HOOK_OFFSET),
21c891
     },
21c891
     "mangle": {
21c891
         "PREROUTING": ("prerouting", -150 + NFT_HOOK_OFFSET),
21c891
@@ -412,6 +412,7 @@ class nftables(object):
21c891
                                   IPTABLES_TO_NFT_HOOK["raw"][chain][0],
21c891
                                   IPTABLES_TO_NFT_HOOK["raw"][chain][1]))
21c891
 
21c891
+        for chain in ["PREROUTING"]:
21c891
             default_rules.append("add chain inet %s raw_%s_ZONES_SOURCE" % (TABLE_NAME, chain))
21c891
             default_rules.append("add chain inet %s raw_%s_ZONES" % (TABLE_NAME, chain))
21c891
             default_rules.append("add rule inet %s raw_%s jump raw_%s_ZONES_SOURCE" % (TABLE_NAME, chain, chain))
21c891
@@ -1245,6 +1246,30 @@ class nftables(object):
21c891
                       "accept"]) # RHBZ#1058505, RHBZ#1575431 (bug in kernel 4.16-4.17)
21c891
         return rules
21c891
 
21c891
+    def build_rfc3964_ipv4_rules(self):
21c891
+        daddr_set = ["{",
21c891
+                     "::0.0.0.0/96,", # IPv4 compatible
21c891
+                     "::ffff:0.0.0.0/96,", # IPv4 mapped
21c891
+                     "2002:0000::/24,", # 0.0.0.0/8 (the system has no address assigned yet)
21c891
+                     "2002:0a00::/24,", # 10.0.0.0/8 (private)
21c891
+                     "2002:7f00::/24,", # 127.0.0.0/8 (loopback)
21c891
+                     "2002:ac10::/28,", # 172.16.0.0/12 (private)
21c891
+                     "2002:c0a8::/32,", # 192.168.0.0/16 (private)
21c891
+                     "2002:a9fe::/32,", # 169.254.0.0/16 (IANA Assigned DHCP link-local)
21c891
+                     "2002:e000::/19,", # 224.0.0.0/4 (multicast), 240.0.0.0/4 (reserved and broadcast)
21c891
+                     "}"]
21c891
+
21c891
+        rule_fragment = ["ip6", "daddr"] + daddr_set
21c891
+        if self._fw._log_denied in ["unicast", "all"]:
21c891
+            rule_fragment += ["log", "prefix", "\"RFC3964_IPv4_DROP: \""]
21c891
+        rule_fragment += ["drop"]
21c891
+
21c891
+        rules = []
21c891
+        for chain in ["PREROUTING", "OUTPUT"]:
21c891
+            rules.append(["insert", "rule", "inet", "%s" % TABLE_NAME,
21c891
+                          "raw_%s" % chain] + rule_fragment)
21c891
+        return rules
21c891
+
21c891
     def build_zone_rich_source_destination_rules(self, enable, zone, rich_rule):
21c891
         table = "filter"
21c891
         target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["INPUT"],
21c891
-- 
21c891
2.18.0
21c891