
From 9c0d0621440868e3ce0da36933c6aca53c4a2206 Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Thu, 20 Dec 2018 14:25:12 -0500
Subject: [PATCH 4/8] ipXtables: support RFC3964_IPv4 filtering
(cherry picked from commit b86206ed15908287b1e08882c62306f860a3b6b6)
---
 src/firewall/core/ipXtables.py | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
index d7626df1b023..2d2d9f76d5c9 100644
--- a/src/firewall/core/ipXtables.py
+++ b/src/firewall/core/ipXtables.py
@@ -1306,3 +1306,27 @@ class ip6tables(ip4tables):
                        "--icmpv6-type=router-advertisement",
                        "-j", "ACCEPT" ]) # RHBZ#1058505
         return rules
+
+    def build_rfc3964_ipv4_rules(self):
+        daddr_list = [
+                     "::0.0.0.0/96", # IPv4 compatible
+                     "::ffff:0.0.0.0/96", # IPv4 mapped
+                     "2002:0000::/24", # 0.0.0.0/8 (the system has no address assigned yet)
+                     "2002:0a00::/24", # 10.0.0.0/8 (private)
+                     "2002:7f00::/24", # 127.0.0.0/8 (loopback)
+                     "2002:ac10::/28", # 172.16.0.0/12 (private)
+                     "2002:c0a8::/32", # 192.168.0.0/16 (private)
+                     "2002:a9fe::/32", # 169.254.0.0/16 (IANA Assigned DHCP link-local)
+                     "2002:e000::/19", # 224.0.0.0/4 (multicast), 240.0.0.0/4 (reserved and broadcast)
+                     ]
+
+        rules = []
+        for daddr in daddr_list:
+            for chain in ["PREROUTING", "OUTPUT"]:
+                rules.append(["-t", "raw", "-I", chain,
+                              "-d", daddr, "-j", "DROP"])
+                if self._fw._log_denied in ["unicast", "all"]:
+                    rules.append(["-t", "raw", "-I", chain,
+                                  "-d", daddr, "-j", "LOG",
+                                  "--log-prefix", "\"RFC3964_IPv4_DROP: \""])
+        return rules
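Review bot: The LOG rule's position in the chain is correct only because of `-I` semantics: it is appended to `rules` after the DROP rule, but since both are inserted at the head of the chain the LOG rule ends up above DROP and fires first, which deserves a comment on the LOG `rules.append(...)` line such as `# appended after DROP on purpose: with -I both land at the chain head, so LOG ends up above DROP and is evaluated first`. The new method also has no docstring; a one-liner like `"""Build raw-table rules dropping IPv6 packets addressed to 6to4/IPv4-embedded prefixes that carry non-routable IPv4 addresses (RFC 3964)."""` would also record why the raw table is used. Every rule matches on `-d` only, so a packet whose source falls in one of these prefixes is not dropped here; if that is intentional because source checks live elsewhere, a comment saying so would save the next reviewer the question, but I cannot tell from this hunk. The escaped quotes inside the `--log-prefix` value presumably match how the file's existing LOG rules are fed to the backend; worth confirming against them. The enclosing class `ip6tables` starts outside the hunk.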
-- 
2.18.0