From b0267902150824c1e0e6e626921181e461a101bd Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Wed, 19 Dec 2018 14:20:46 -0500
Subject: [PATCH 3/8] nftables: support RFC3964_IPv4 filtering
|
(cherry picked from commit 5afa02271418284ae95dc81304c7af65ff6e41ae)
---
src/firewall/core/nftables.py | 27 ++++++++++++++++++++++++++-
1 file changed, 26 insertions(+), 1 deletion(-)
|
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 72f2180ec504..1d0ce24d68a2 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -54,7 +54,7 @@ IPTABLES_TO_NFT_HOOK = {
#},
"raw": {
"PREROUTING": ("prerouting", -300 + NFT_HOOK_OFFSET),
- # "OUTPUT": ("output", -300 + NFT_HOOK_OFFSET),
+ "OUTPUT": ("output", -300 + NFT_HOOK_OFFSET),
},
"mangle": {
"PREROUTING": ("prerouting", -150 + NFT_HOOK_OFFSET),
@@ -412,6 +412,7 @@ class nftables(object):
IPTABLES_TO_NFT_HOOK["raw"][chain][0],
IPTABLES_TO_NFT_HOOK["raw"][chain][1]))
|
+ for chain in ["PREROUTING"]:
default_rules.append("add chain inet %s raw_%s_ZONES_SOURCE" % (TABLE_NAME, chain))
default_rules.append("add chain inet %s raw_%s_ZONES" % (TABLE_NAME, chain))
default_rules.append("add rule inet %s raw_%s jump raw_%s_ZONES_SOURCE" % (TABLE_NAME, chain, chain))
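Review bot: The new loop `for chain in ["PREROUTING"]:` restricts the ZONES_SOURCE/ZONES dispatch chains to PREROUTING now that raw_OUTPUT is also registered in the first hunk, but nothing in the hunk says why OUTPUT is left out, and a later cleanup could easily "fix" it by iterating IPTABLES_TO_NFT_HOOK["raw"] here. A comment such as `# Zone dispatch matches on source address/interface, which only makes sense for ingress, so only PREROUTING gets the ZONES chains` would pin the intent. That rationale is my reading of the surrounding names, not something the hunk shows; the loop that registers the raw base chains ends just above and the rest of the method continues below the hunk, so confirm it against how OUTPUT is handled there.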
@@ -1245,6 +1246,30 @@ class nftables(object):
"accept"]) # RHBZ#1058505, RHBZ#1575431 (bug in kernel 4.16-4.17)
return rules
|
+ def build_rfc3964_ipv4_rules(self):
+ daddr_set = ["{",
+ "::0.0.0.0/96,", # IPv4 compatible
+ "::ffff:0.0.0.0/96,", # IPv4 mapped
+ "2002:0000::/24,", # 0.0.0.0/8 (the system has no address assigned yet)
+ "2002:0a00::/24,", # 10.0.0.0/8 (private)
+ "2002:7f00::/24,", # 127.0.0.0/8 (loopback)
+ "2002:ac10::/28,", # 172.16.0.0/12 (private)
+ "2002:c0a8::/32,", # 192.168.0.0/16 (private)
+ "2002:a9fe::/32,", # 169.254.0.0/16 (IANA Assigned DHCP link-local)
+ "2002:e000::/19,", # 224.0.0.0/4 (multicast), 240.0.0.0/4 (reserved and broadcast)
+ "}"]
+
+ rule_fragment = ["ip6", "daddr"] + daddr_set
+ if self._fw._log_denied in ["unicast", "all"]:
+ rule_fragment += ["log", "prefix", "\"RFC3964_IPv4_DROP: \""]
+ rule_fragment += ["drop"]
+
+ rules = []
+ for chain in ["PREROUTING", "OUTPUT"]:
+ rules.append(["insert", "rule", "inet", "%s" % TABLE_NAME,
+ "raw_%s" % chain] + rule_fragment)
+ return rules
+
def build_zone_rich_source_destination_rules(self, enable, zone, rich_rule):
table = "filter"
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["INPUT"],
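Review bot: build_rfc3964_ipv4_rules has no docstring, and nothing beyond the per-element comments on daddr_set says what the set represents or why the rules go into the raw chains; a docstring such as `"""Build rules that drop IPv6 packets whose destination embeds a non-routable IPv4 address (IPv4-compatible, IPv4-mapped, and 6to4 2002::/16 prefixes carrying private, loopback, link-local, multicast or reserved IPv4 space); one rule is inserted at the head of raw_PREROUTING and raw_OUTPUT."""` would carry that. A small style point in the same method: `"%s" % TABLE_NAME` is just `TABLE_NAME`, so the append can read `rules.append(["insert", "rule", "inet", TABLE_NAME, "raw_%s" % chain] + rule_fragment)`. Unlike build_zone_rich_source_destination_rules directly below, this builder takes no enable flag, so the rules presumably cannot be removed short of rebuilding the table; worth confirming that matches how the caller, which is outside this hunk, uses it. Note also that the raw_OUTPUT chain these rules target only exists because of the IPTABLES_TO_NFT_HOOK change in the first hunk, so the two hunks cannot be split up.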
--
2.18.0
|