firewall: ipv6: Discard all packets with rounting header of type zero.
authorMichael Tremer <michael.tremer@ipfire.org>
Tue, 30 Apr 2013 17:06:43 +0000 (19:06 +0200)
committerMichael Tremer <michael.tremer@ipfire.org>
Tue, 30 Apr 2013 17:06:43 +0000 (19:06 +0200)
RFC 5095

functions.firewall

index 40cb9326d515d408bb861bc5e7f927cf67e2a6a4..faeb5949d5c91275245fc6d31b8ed6b9f485cedc 100644 (file)
@@ -53,6 +53,7 @@ function firewall_start() {
        iptables_init "${protocol}" "DROP"
 
        # Add default chains.
+       firewall_filter_rh0_headers "${protocol}"
        firewall_tcp_state_flags "${protocol}"
        firewall_custom_chains "${protocol}"
        firewall_connection_tracking "${protocol}"
@@ -255,6 +256,23 @@ function firewall_localhost_create_chains() {
        iptables "${protocol}" -A OUTPUT -o lo -j ACCEPT
 }
 
+function firewall_filter_rh0_headers() {
+       local protocol="${1}"
+       assert isset protocol
+
+       # Only IPv6.
+       [ "${protocol}" = "ipv6" ] || return ${EXIT_OK}
+
+       # Filter all packets that have RH0 headers
+       # http://www.ietf.org/rfc/rfc5095.txt
+       iptables_chain_create "${protocol}" FILTER_RH0
+       iptables "${protocol}" -A FILTER_RH0 -m rt --rt-type 0 -j DROP
+
+       iptables "${protocol}" -A INPUT   -j FILTER_RH0
+       iptables "${protocol}" -A FORWARD -j FILTER_RH0
+       iptables "${protocol}" -A OUTPUT  -j FILTER_RH0
+}
+
 function firewall_zone_create_chains() {
        local protocol="${1}"
        assert isset protocol
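Review bot: The comment above the FILTER_RH0 rule should state why every RH0 packet is dropped regardless of its Segments Left value, since RFC 5095 only requires a receiving node to ignore RH0 (treat it as Segments Left == 0) and leaves dropping it outright to firewalls under section 4.2; a reader may otherwise wonder whether `--rt-segsleft` was forgotten. I would expand the comment to `# Drop every packet carrying a type-0 Routing Header, regardless of Segments Left. RFC 5095 deprecates RH0 and permits firewalls to discard such packets (section 4.2); this is defence in depth, as the kernel already ignores RH0 on receive.` The kernel-side behaviour is from memory and worth confirming against the sysctl in use before writing it down. Note that the rule is appended to INPUT, FORWARD and OUTPUT, so locally generated RH0 packets are discarded as well, which is reasonable but worth a word in the comment.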