From d52144713a3bd098bb1ef050277d8d502aaf06a8 Mon Sep 17 00:00:00 2001
From: Mark Wooding
Date: Tue, 31 May 2011 21:48:01 +0100
Subject: [PATCH] classify.m4: Dislike multicast addresses as a source address.

I think they're not permitted. They're certainly hard to deal with if they are.
---
 classify.m4 | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/classify.m4 b/classify.m4
index c7e8d56..fcb008d 100644
--- a/classify.m4
+++ b/classify.m4
@@ -78,7 +78,9 @@ run iptables -t mangle -A in-classify -j RETURN \
 ## Since packets with source and destination addresses both local will go
 ## over the loopback interface, I shouldn't see a packet from me over any
 ## other interface. Except that I will if I sent a broadcast or multicast.
-## Allow the broadcasts, and remember not to trust them.
+## Allow the broadcasts, and remember not to trust them. There are no
+## broadcast addresses in IPv6 (only link-local multicast)m so we don't have
+## to worry about that.
 run iptables -t mangle -A local-source -j RETURN \
 	-m addrtype --dst-type BROADCAST
 run iptables -t mangle -A local-source -j RETURN \
@@ -93,6 +95,15 @@ for addr in $host_6addrs; do
 	-s $addr
 done
 
+## It's not valid to have a multicast address as a packet source: multicast
+## routing is done away from the source, so a multicast address would make
+## this impossible to do. So discard these packets. Also discard class-E
+## IPv4 addresses, since they aren't assigned.
+run iptables -t mangle -A in-classify -g bad-source-address \
+	-s 224.0.0.0/3
+run ip6tables -t mangle -A in-classify -g bad-source-address \
+	-s ff00::/8
+
 m4_divert(41)m4_dnl
 ## Define the important networks.
 for pass in 1 2; do
-- 
2.11.0
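Review bot: The new comment in the first hunk has a typo, `multicast)m so` for `multicast), so`, and its parenthetical is misleading: IPv6 indeed has no broadcast, but its multicast is not only link-local (ff00::/8 carries link-, site- and global-scope groups, which is also why the second hunk matches the whole /8). Since the point being made is only that there is no IPv6 broadcast address to whitelist, suggest `## broadcast addresses in IPv6 (multicast covers that role), so we don't have` for the middle line. The surrounding local-source chain continues outside the hunk.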
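Review bot: The two new rules are appended with `-A in-classify`, so they run only after every rule already in that chain; the context line at the head of the first hunk shows in-classify already holds a `-j RETURN` rule, and a multicast-sourced packet matching such an earlier rule leaves the chain before it ever reaches this check. If the bad-source check is meant to be unconditional, put it ahead of the existing rules (emit these lines before them in the generated script, or use `-I in-classify 1`) rather than appending. The comment could also state what the prefix actually covers, since `224.0.0.0/3` is wider than "multicast plus class E": `## 224.0.0.0/3 is 224.0.0.0-255.255.255.255: class D multicast, class E reserved, and the limited-broadcast address, none of which is a legal source.` Whether other unroutable sources (0.0.0.0/8, 127.0.0.0/8 off loopback, :: and ::1) are already sent to bad-source-address elsewhere is not visible from this hunk.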