From: Michael Tremer
Date: Tue, 30 Apr 2013 17:06:43 +0000 (+0200)
Subject: firewall: ipv6: Discard all packets with rounting header of type zero.
X-Git-Tag: 007~142^2~10
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a7e23f3c988c74f9e0cdac0b3b8969860a1247bd;p=network.git

firewall: ipv6: Discard all packets with rounting header of type zero.

RFC 5095
---

diff --git a/functions.firewall b/functions.firewall
index 40cb9326..faeb5949 100644
--- a/functions.firewall
+++ b/functions.firewall
@@ -53,6 +53,7 @@ function firewall_start() {
 iptables_init "${protocol}" "DROP"
 # Add default chains.
+ firewall_filter_rh0_headers "${protocol}"
 firewall_tcp_state_flags "${protocol}"
 firewall_custom_chains "${protocol}"
 firewall_connection_tracking "${protocol}"
@@ -255,6 +256,23 @@ function firewall_localhost_create_chains() {
 iptables "${protocol}" -A OUTPUT -o lo -j ACCEPT
 }
 
+function firewall_filter_rh0_headers() {
+ local protocol="${1}"
+ assert isset protocol
+
+ # Only IPv6.
+ [ "${protocol}" = "ipv6" ] || return ${EXIT_OK}
+
+ # Filter all packets that have RH0 headers
+ # http://www.ietf.org/rfc/rfc5095.txt
+ iptables_chain_create "${protocol}" FILTER_RH0
+ iptables "${protocol}" -A FILTER_RH0 -m rt --rt-type 0 -j DROP
+
+ iptables "${protocol}" -A INPUT -j FILTER_RH0
+ iptables "${protocol}" -A FORWARD -j FILTER_RH0
+ iptables "${protocol}" -A OUTPUT -j FILTER_RH0
+}
+
 function firewall_zone_create_chains() {
 local protocol="${1}"
 assert isset protocol
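Review bot: The single rule in FILTER_RH0 drops matching packets silently, so the only trace of a deprecated RH0 header arriving is the chain's packet counter; a rate-limited log entry ahead of the drop, `iptables "${protocol}" -A FILTER_RH0 -m rt --rt-type 0 -m limit --limit 5/min -j LOG --log-prefix "RH0 DROP: "`, would give operators something to alert on, with the existing `-j DROP` line kept as is. The `-m rt` match also depends on the kernel's routing-header match being available, and the hunk does not show whether the `iptables` wrapper aborts when a rule fails to load; if it does not, a failed insert leaves FILTER_RH0 empty and every packet simply returns to INPUT, FORWARD or OUTPUT, so a short comment on the chain such as `# Fail-closed relies on the iptables wrapper aborting on error` would document that assumption for the next maintainer. The call added in the first hunk sits inside firewall_start, whose body begins and ends outside that hunk.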