run ip46tables -A $chain -p udp -g interesting --destination-port $1:$2
}
+bcp38_setup=:
+bcp38 () {
+ ipv=$1 ifname=$2; shift 2
+ ## Add rules for BCP38 egress filtering for IP version IPV (either 4 or 6).
+ ## IFNAME is the outgoing interface; the remaining arguments are network
+ ## prefixes.
+
+ ## Sort out which command we're using
+ case $ipv in
+ 4) ipt=iptables ;;
+ 6) ipt=ip6tables ;;
+ *) echo >&2 "Unknown IP version $ipv"; exit 1 ;;
+ esac
+
+ ## If we've not set up the error chain then do that.
+ case $bcp38_setup in
+ :)
+ errorchain bcp38 DROP
+ clearchain bcp38-check
+ ip46tables -A bcp38-check -g bcp38
+ ;;
+ esac
+
+ ## Stitch our egress filter into the outbound chains if we haven't done
+ ## that yet. Do this for both IP versions: if we're only ever given
+ ## IPv6 addresses for a particular interface then we assume that IPv4
+ ## packets aren't allowed on it at all.
+ case $bcp38_setup in
+ *:$ifname:*) ;;
+ *)
+ run ip46tables -A OUTPUT -j bcp38-check -o $ifname
+ case $forward in
+ 1) run ip46tables -A FORWARD -j bcp38-check -o $ifname ;;
+ esac
+ bcp38_setup=$bcp38_setup$ifname:
+ ;;
+ esac
+
+ ## Finally, add in our allowed networks.
+ for i in "$@"; do
+ run $ipt -I bcp38-check -j RETURN -s $i
+ done
+}
+
m4_divert(20)m4_dnl
###--------------------------------------------------------------------------
### Packet classification.
-m mark --mark $from_untrusted/$MASK_FROM \
-m state --state ESTABLISHED
+## BCP38 filtering. Note that addresses here are seen before NAT is applied.
+bcp38 4 ppp0 62.49.204.144/28 172.29.198.0/23
+bcp38 6 t6-he \
+ 2001:470:1f08:1b98::2 2001:470:1f09:1b98::/64 \
+ 2001:470:9740::/48
+
## NAT for RFC1918 addresses.
for i in PREROUTING OUTPUT POSTROUTING; do
run iptables -t nat -P $i ACCEPT 2>/dev/null || :