From: Mark Wooding
Date: Tue, 31 May 2011 20:48:01 +0000 (+0100)
Subject: classify.m4: Dislike multicast addresses as a source address.
X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/commitdiff_plain/d52144713a3bd098bb1ef050277d8d502aaf06a8

classify.m4: Dislike multicast addresses as a source address.

I think they're not permitted. They're certainly hard to deal with if they are.
---

diff --git a/classify.m4 b/classify.m4
index c7e8d56..fcb008d 100644
--- a/classify.m4
+++ b/classify.m4
@@ -78,7 +78,9 @@ run iptables -t mangle -A in-classify -j RETURN \
 ## Since packets with source and destination addresses both local will go
 ## over the loopback interface, I shouldn't see a packet from me over any
 ## other interface. Except that I will if I sent a broadcast or multicast.
-## Allow the broadcasts, and remember not to trust them.
+## Allow the broadcasts, and remember not to trust them. There are no
+## broadcast addresses in IPv6 (only link-local multicast)m so we don't have
+## to worry about that.
 run iptables -t mangle -A local-source -j RETURN \
 	-m addrtype --dst-type BROADCAST
 run iptables -t mangle -A local-source -j RETURN \
@@ -93,6 +95,15 @@ for addr in $host_6addrs; do
 	-s $addr
 done
 
+## It's not valid to have a multicast address as a packet source: multicast
+## routing is done away from the source, so a multicast address would make
+## this impossible to do. So discard these packets. Also discard class-E
+## IPv4 addresses, since they aren't assigned.
+run iptables -t mangle -A in-classify -g bad-source-address \
+	-s 224.0.0.0/3
+run ip6tables -t mangle -A in-classify -g bad-source-address \
+	-s ff00::/8
+
 m4_divert(41)m4_dnl
 ## Define the important networks.
 for pass in 1 2; do
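Review bot: The rewritten comment line `+## broadcast addresses in IPv6 (only link-local multicast)m so we don't have` has a typo (`)m` for `),`) and overstates the point: IPv6 indeed has no broadcast, but its multicast is not only link-local — ff02::/16 is link scope, while ff05::/16 (site) and ff0e::/16 (global) scopes also exist and can be routed, so a multicast packet seen here is not necessarily link-local. I would write `## broadcast addresses in IPv6 (only multicast, of various scopes), so we don't` so the next reader does not assume every IPv6 multicast arriving on a non-loopback interface originated on-link. The `local-source` rules this comment introduces continue past the end of the hunk.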
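Review bot: The two new `-A in-classify` rules are appended to the end of the chain, after the `-j RETURN` rule visible in the first hunk's header and whatever else already precedes them, so any packet matching an earlier RETURN in `in-classify` leaves the chain before the multicast-source check runs; if those earlier rules can return for packets that also carry a multicast source (I cannot see their match conditions from here), the bad-source rules belong ahead of them rather than at the tail. The justification can be firmer than the commit message's "I think": RFC 1122 s3.2.1.3 forbids multicast and 255.255.255.255 as an IPv4 source and RFC 4291 s2.7 forbids multicast as an IPv6 source, so I would replace the first two comment lines with `## A multicast address is never a valid source (RFC 1122 s3.2.1.3, RFC 4291 s2.7),` and `## so drop such packets rather than let them reach source-based classification.` Note that `224.0.0.0/3` covers both 224/4 (multicast) and 240/4 (class E, which includes 255.255.255.255), which agrees with the comment. The `bad-source-address` target chain is not created in this hunk, so it must already exist when these `-g` rules are added; that cannot be confirmed from the visible lines, and the `for pass` loop at the end of the hunk continues outside it.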