local.m4: Fix whitespace oddity.

[firewall] / fender.m4

diff --git a/fender.m4 b/fender.m4
index e8e766a..5f9597d 100644 (file)
--- a/fender.m4
+++ b/fender.m4
@@ -33,6 +33,14 @@ allowservices inbound tcp \
 ## We have to provide NTP service.  The guests sync to our clock.
 ntpclient inbound $ntp_servers
 
+## Provide NTP service to untrusted clients.
+iptables -A inbound -p udp -j ACCEPT \
+       --source-port 123 --destination-port 123 \
+       -s 172.29.198.0/23
+ip6tables -A inbound -p udp -j ACCEPT \
+       --source-port 123 --destination-port 123 \
+       -s 2001:470:9740::/48
+
 ## Guaranteed black hole.  Put this at the very front of the chain.
 run iptables -I INPUT -d 212.13.198.78 -j DROP
 run ip6tables -I INPUT -d 2001:ba8:0:1d9::ffff -j DROP
@@ -41,15 +49,17 @@ run ip6tables -I INPUT -d 2001:ba8:0:1d9::ffff -j DROP
 run ebtables -F
 for i in log limit ip ip6; do run modprobe ebt-$i; done
 
-for c in bad-source-addr check-eth0; do
+for c in bad-source-addr check-eth0 bcp38 check-bcp38; do
   run ebtables -X $c >/dev/null 2>&1 || :
 done
 
-run ebtables -N bad-source-addr
-run ebtables -A bad-source-addr \
-       --limit 20/second --limit-burst 100 \
-       --log-prefix "fw: bad-source-addr(br) " --log-ip --log-ip6
-run ebtables -A bad-source-addr -j DROP
+for ch in bad-source-addr bcp38; do
+  run ebtables -N $ch
+  run ebtables -A $ch \
+         --limit 20/second --limit-burst 100 \
+         --log-prefix "fw: $ch(br)" --log-ip --log-ip6
+  run ebtables -A $ch -j DROP
+done
 
 run ebtables -N check-eth0
 run ebtables -A check-eth0 -j RETURN -p ip --ip-source ! 212.13.198.64/28
@@ -65,5 +75,21 @@ run ebtables -A check-eth0 -j bad-source-addr -p ip
 run ebtables -A INPUT -j check-eth0 -i bond0
 run ebtables -A FORWARD -j check-eth0 -i bond0
 
+run ebtables -N check-bcp38
+run ebtables -A check-bcp38 -j RETURN -p ip --ip-source 212.13.198.64/28
+run ebtables -A check-bcp38 -j bcp38 -p ip
+run ebtables -A check-bcp38 -j RETURN -p ip6 --ip6-source 2001:ba8:0:1d9::/64
+run ebtables -A check-bcp38 -j RETURN -p ip6 --ip6-source 2001:ba8:1d9::/48
+run ebtables -A check-bcp38 -j RETURN -p ip6 --ip6-source fe80::/10
+run ebtables -A check-bcp38 -j bcp38 -p ip6
+run ebtables -A FORWARD -j check-bcp38 -o bond0
+
+## There's a hideous bug in Linux' 3.2.51-1's ebtables: for some reason it
+## misparses (at least) locally originated multicast packets, and tries to
+## extract IP header fields relative to the start of the Ethernet frame.  The
+## result is obviously a hideous mess.  Don't try to do BCP38 checking for
+## locally originated packets until this is fixed.
+##run ebtables -A OUTPUT -j check-bcp38 -o bond0
+
 m4_divert(-1)
 ###----- That's all, folks --------------------------------------------------