local.m4: Filter out source routing in the firewall.
authorMark Wooding <mdw@distorted.org.uk>
Mon, 2 Oct 2017 01:01:35 +0000 (02:01 +0100)
committerMark Wooding <mdw@distorted.org.uk>
Mon, 2 Oct 2017 01:18:00 +0000 (02:18 +0100)
Don't rely on `sysctl' options.  This means that everyone must now have
`xtables-addons' installed.

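--- a/local.m4
+++ b/local.m4
@@ -354,6 +354,23 @@ case $forward in
     ;;
 esac
 
+m4_divert(82)m4_dnl
+###--------------------------------------------------------------------------
+### Check for source routing.
+
+clearchain check-srcroute
+
+run iptables -A check-srcroute -g forbidden \
+    -m ipv4options --any --flags lsrr,ssrr
+run ip6tables -A check-srcroute -g forbidden \
+    -m rt
+
+for c in INPUT FORWARD; do
+  for m in $from_scary $from_untrusted; do
+    run ip46tables -A $c -m mark --mark $m/$MASK_FROM -j check-srcroute
+  done
+done
+
 m4_divert(84)m4_dnl
 ###--------------------------------------------------------------------------
 ### Locally-bound packet inspection.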
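Review bot: The IPv6 rule `run ip6tables -A check-srcroute -g forbidden -m rt` matches every routing-header type, not only the source-routing one: `-m rt` with no `--rt-type` also catches type 2 (the Mobile IPv6 home-address header), whereas the IPv4 rule is narrowed to `lsrr,ssrr`. If the intent is to reject only the deprecated RH0 source routing, `-m rt --rt-type 0` mirrors the IPv4 rule; if every routing header is meant to be rejected, a comment such as `### Reject any IPv6 routing header, not just RH0 (type 0).` on the rule would keep the two rules from reading as inconsistent. The block's header comment could also state that the chain is only attached for packets carrying a `$from_scary` or `$from_untrusted` mark, so source-routed packets from other sources are not screened here and, per the commit message, the kernel sysctls are no longer relied on for them either — presumably intended, but worth saying explicitly.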