From e387abcc0f63b83a407c720a99f4d5ea787186d6 Mon Sep 17 00:00:00 2001
From: Eric Garver
Date: Thu, 20 Dec 2018 15:34:36 -0500
Subject: [PATCH 17/23] ipXtables: simplify rpfilter rule generation

Don't bother specifying indexes. Just insert them in the correct order.

(cherry picked from commit e93b1c1801ce2b8a71e433d90f095a7693e9a2a7)
---
 src/firewall/core/ipXtables.py | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
index b98ba5228e68..2bd8cc20dc7b 100644
--- a/src/firewall/core/ipXtables.py
+++ b/src/firewall/core/ipXtables.py
@@ -1132,19 +1132,19 @@ class ip6tables(ip4tables):
 def build_rpfilter_rules(self, log_denied=False):
 rules = []
- rules.append([ "-I", "PREROUTING", "1", "-t", "raw",
+ rules.append([ "-I", "PREROUTING", "-t", "raw",
+ "-m", "rpfilter", "--invert", "-j", "DROP" ])
+ if log_denied != "off":
+ rules.append([ "-I", "PREROUTING", "-t", "raw",
+ "-m", "rpfilter", "--invert",
+ "-j", "LOG",
+ "--log-prefix", "rpfilter_DROP: " ])
+ rules.append([ "-I", "PREROUTING", "-t", "raw",
 "-p", "ipv6-icmp", "--icmpv6-type=neighbour-solicitation", "-j", "ACCEPT" ]) # RHBZ#1575431, kernel bug in 4.16-4.17
- rules.append([ "-I", "PREROUTING", "2", "-t", "raw",
+ rules.append([ "-I", "PREROUTING", "-t", "raw",
 "-p", "ipv6-icmp", "--icmpv6-type=router-advertisement", "-j", "ACCEPT" ]) # RHBZ#1058505
- rules.append([ "-I", "PREROUTING", "3", "-t", "raw",
- "-m", "rpfilter", "--invert", "-j", "DROP" ])
- if log_denied != "off":
- rules.append([ "-I", "PREROUTING", "3", "-t", "raw",
- "-m", "rpfilter", "--invert",
- "-j", "LOG",
- "--log-prefix", "rpfilter_DROP: " ])
 return rules
-- 
2.20.1
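Review bot: The correctness of the new rule list in build_rpfilter_rules now rests on a detail the code never states: every rule uses `-I` with no index, so the rule applied last lands first in the raw PREROUTING chain, and the list is deliberately in the reverse of the intended chain order (DROP, then LOG, then the two ICMPv6 ACCEPTs). A one-line comment above the first append, such as `# Applied in list order with "-I" (prepend), so the resulting chain order is the reverse: ICMPv6 ACCEPTs, then LOG, then DROP`, would keep a later edit from appending or reordering a rule into the wrong position. This also assumes the caller applies the rules strictly in list order, which is not visible in this hunk. Separately, the LOG rule carries no `-m limit`, so every reverse-path failure produces a log entry; if that is intentional it deserves a note, otherwise a rate limit is the usual guard against log flooding from spoofed traffic.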