From 9c0d0621440868e3ce0da36933c6aca53c4a2206 Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Thu, 20 Dec 2018 14:25:12 -0500
Subject: [PATCH 4/8] ipXtables: support RFC3964_IPv4 filtering

(cherry picked from commit b86206ed15908287b1e08882c62306f860a3b6b6)
---
 src/firewall/core/ipXtables.py | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
index d7626df1b023..2d2d9f76d5c9 100644
--- a/src/firewall/core/ipXtables.py
+++ b/src/firewall/core/ipXtables.py
@@ -1306,3 +1306,27 @@ class ip6tables(ip4tables):
                        "--icmpv6-type=router-advertisement",
                        "-j", "ACCEPT" ]) # RHBZ#1058505
         return rules
+
+    def build_rfc3964_ipv4_rules(self):
+        daddr_list = [
+                     "::0.0.0.0/96", # IPv4 compatible
+                     "::ffff:0.0.0.0/96", # IPv4 mapped
+                     "2002:0000::/24", # 0.0.0.0/8 (the system has no address assigned yet)
+                     "2002:0a00::/24", # 10.0.0.0/8 (private)
+                     "2002:7f00::/24", # 127.0.0.0/8 (loopback)
+                     "2002:ac10::/28", # 172.16.0.0/12 (private)
+                     "2002:c0a8::/32", # 192.168.0.0/16 (private)
+                     "2002:a9fe::/32", # 169.254.0.0/16 (IANA Assigned DHCP link-local)
+                     "2002:e000::/19", # 224.0.0.0/4 (multicast), 240.0.0.0/4 (reserved and broadcast)
+                     ]
+
+        rules = []
+        for daddr in daddr_list:
+            for chain in ["PREROUTING", "OUTPUT"]:
+                rules.append(["-t", "raw", "-I", chain,
+                              "-d", daddr, "-j", "DROP"])
+                if self._fw._log_denied in ["unicast", "all"]:
+                    rules.append(["-t", "raw", "-I", chain,
+                                  "-d", daddr, "-j", "LOG",
+                                  "--log-prefix", "\"RFC3964_IPv4_DROP: \""])
+        return rules
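Review bot: The new rules in build_rfc3964_ipv4_rules only match on destination (`"-d", daddr` on the lines building both the DROP and the LOG rule), so traffic whose source is one of these 6to4/IPv4-compatible prefixes passes untouched; if the intent is the relay checks in RFC 3964 §5.2, which as I read it cover both source and destination, parallel `-s` rules are missing, and if destination-only filtering is deliberate it should be stated. The method also has no docstring, and the reason the LOG rule ends up before the DROP rule — each `-I` inserts at the head of the chain, so the later LOG insert lands ahead of the earlier DROP — is not obvious from the loop. I would add `"""Return raw-table PREROUTING/OUTPUT rules that DROP (and, when log_denied is unicast/all, LOG first) packets to 6to4-encapsulated private, loopback, multicast and IPv4-compatible/mapped destinations (RFC 3964 §5.2). Destination-only; LOG precedes DROP because each -I inserts at the head."""` and a short `# -I puts this LOG rule ahead of the DROP inserted above` before the LOG append. The enclosing class ip6tables starts outside the hunk.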
-- 
2.18.0