## Define the available network classes.
m4_divert(42)m4_dnl
-defnetclass scary scary trusted mcast
-defnetclass untrusted scary untrusted trusted mcast
-defnetclass trusted scary untrusted trusted safe noloop mcast
-defnetclass safe trusted safe noloop mcast
-defnetclass noloop trusted safe mcast
+defnetclass scary scary trusted vpnnat mcast
+defnetclass untrusted scary untrusted trusted mcast
+defnetclass trusted scary untrusted trusted safe noloop vpnnat mcast
+defnetclass safe trusted safe noloop vpnnat mcast
+defnetclass noloop trusted safe mcast
+defnetclass vpnnat scary trusted safe mcast
defnetclass link
defnetclass mcast
via housebdry colobdry
defnet sgo noloop
addr !172.29.198.0/23
+ addr !10.165.27.0/24
addr 10.0.0.0/8
addr 172.16.0.0/12
addr 192.168.0.0/16
host orange 3 ::3:1
host haze 4 ::4:1
host groove 5 ::5:1
+ host spirit 9 ::9:1
defnet anycast trusted
addr 172.29.199.224/27 2001:ba8:1d9:0::/64
via dmz unsafe safe untrusted jump colo vpn
iface vpn-precision colohub
## Satellite networks.
-defnet binswood noloop
+defnet binswood vpnnat
addr 10.165.27.0/24
via colohub
defhost mango
hosttype router
iface eth0 binswood default
- iface vpn-precision colo
+ iface vpn-precision colo default
m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
;;
esac
+m4_divert(82)m4_dnl
+###--------------------------------------------------------------------------
+### Check for source routing.
+
+clearchain check-srcroute
+
+run iptables -A check-srcroute -g forbidden \
+ -m ipv4options --any --flags lsrr,ssrr
+run ip6tables -A check-srcroute -g forbidden \
+ -m rt
+
+for c in INPUT FORWARD; do
+ for m in $from_scary $from_untrusted; do
+ run ip46tables -A $c -m mark --mark $m/$MASK_FROM -j check-srcroute
+ done
+done
+
m4_divert(84)m4_dnl
###--------------------------------------------------------------------------
### Locally-bound packet inspection.
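Review bot: The ip6tables rule `run ip6tables -A check-srcroute -g forbidden -m rt` matches every IPv6 routing header type, so it is broader than the IPv4 rule beside it, which only picks out the loose/strict source-route options (`--flags lsrr,ssrr`); a type-2 Mobile IPv6 or segment-routing header from a scary/untrusted mark would also be sent to `forbidden`. If rejecting all routing headers is the intent, a comment above the rule such as `### Drop any IPv6 routing header, not just the deprecated type 0` would record that; if only source routing is meant, `-m rt --rt-type 0` narrows it to the deprecated type. The loop further down applies the check only to `$from_scary` and `$from_untrusted` marks, which looks deliberate but is worth a one-line comment too, since traffic from other classes skips the chain entirely.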