From 9c0d0621440868e3ce0da36933c6aca53c4a2206 Mon Sep 17 00:00:00 2001
From: Eric Garver
Date: Thu, 20 Dec 2018 14:25:12 -0500
Subject: [PATCH 4/8] ipXtables: support RFC3964_IPv4 filtering

(cherry picked from commit b86206ed15908287b1e08882c62306f860a3b6b6)
---
 src/firewall/core/ipXtables.py | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
index d7626df1b023..2d2d9f76d5c9 100644
--- a/src/firewall/core/ipXtables.py
+++ b/src/firewall/core/ipXtables.py
@@ -1306,3 +1306,27 @@ class ip6tables(ip4tables):
                            "--icmpv6-type=router-advertisement",
                            "-j", "ACCEPT" ]) # RHBZ#1058505
         return rules
+
+    def build_rfc3964_ipv4_rules(self):
+        daddr_list = [
+            "::0.0.0.0/96", # IPv4 compatible
+            "::ffff:0.0.0.0/96", # IPv4 mapped
+            "2002:0000::/24", # 0.0.0.0/8 (the system has no address assigned yet)
+            "2002:0a00::/24", # 10.0.0.0/8 (private)
+            "2002:7f00::/24", # 127.0.0.0/8 (loopback)
+            "2002:ac10::/28", # 172.16.0.0/12 (private)
+            "2002:c0a8::/32", # 192.168.0.0/16 (private)
+            "2002:a9fe::/32", # 169.254.0.0/16 (IANA Assigned DHCP link-local)
+            "2002:e000::/19", # 224.0.0.0/4 (multicast), 240.0.0.0/4 (reserved and broadcast)
+        ]
+
+        rules = []
+        for daddr in daddr_list:
+            for chain in ["PREROUTING", "OUTPUT"]:
+                rules.append(["-t", "raw", "-I", chain,
+                              "-d", daddr, "-j", "DROP"])
+                if self._fw._log_denied in ["unicast", "all"]:
+                    rules.append(["-t", "raw", "-I", chain,
+                                  "-d", daddr, "-j", "LOG",
+                                  "--log-prefix", "\"RFC3964_IPv4_DROP: \""])
+        return rules
-- 
2.18.0
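Review bot: The new `build_rfc3964_ipv4_rules` has no docstring, and its correctness depends on an unstated detail: the LOG rule is appended to `rules` after the DROP for the same chain and only ends up ahead of it because each `-I` inserts at position 1, so a later switch to `-A` would silently stop logging. I'd add `"""Build raw-table rules that DROP (and, when log_denied is unicast/all, LOG) IPv6 packets whose destination embeds an IPv4 address per RFC 3964."""` and, on the inner loop, `# LOG is added after DROP on purpose: -I prepends, so LOG lands above DROP.` These rules match on the destination only; whether packets carrying these ranges in the source address are handled elsewhere is outside this hunk. Since `daddr_list` never changes, it could be hoisted to a class attribute instead of being rebuilt on every call. The escaped quotes in the `--log-prefix` value presumably follow the convention of the file's other LOG rules, which are not in the hunk.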