Signed-off-by: Aleksandr Alekseev <alexander.alekseev@xxxxxxxxxxxxx>
---
 src/nwfilter/xml/allow-dhcpv6-server.xml | 27 ++++++++++++++++++++++++
 src/nwfilter/xml/allow-dhcpv6.xml | 24 +++++++++++++++++++++
 src/nwfilter/xml/allow-incoming-ipv6.xml | 3 +++
 src/nwfilter/xml/allow-ipv6.xml | 3 +++
 src/nwfilter/xml/meson.build | 6 ++++++
 src/nwfilter/xml/no-ipv6-multicast.xml | 9 ++++++++
 src/nwfilter/xml/no-ipv6-spoofing.xml | 15 +++++++++++++
 7 files changed, 87 insertions(+)
 create mode 100644 src/nwfilter/xml/allow-dhcpv6-server.xml
 create mode 100644 src/nwfilter/xml/allow-dhcpv6.xml
 create mode 100644 src/nwfilter/xml/allow-incoming-ipv6.xml
 create mode 100644 src/nwfilter/xml/allow-ipv6.xml
 create mode 100644 src/nwfilter/xml/no-ipv6-multicast.xml
 create mode 100644 src/nwfilter/xml/no-ipv6-spoofing.xml
diff --git a/src/nwfilter/xml/allow-dhcpv6-server.xml b/src/nwfilter/xml/allow-dhcpv6-server.xml
new file mode 100644
index 0000000000..214a95f412
--- /dev/null
+++ b/src/nwfilter/xml/allow-dhcpv6-server.xml
@@ -0,0 +1,27 @@
+<filter name='allow-dhcpv6-server' chain='ipv6'>
+
+ <!-- accept outgoing DHCP requests.
+ note, this rule must be evaluated before general MAC broadcast
+ traffic is discarded since DHCP requests use MAC broadcast.
+ according to https://tools.ietf.org/html/rfc3315#section-14,
+ client sends messages to FF02::1:2 from link-local addresses -->
+ <rule action='accept' direction='out' priority='100'>
+ <ipv6 protocol='udp'
+ srcipaddr='FE80::'
+ srcipmask='10'
+ dstipaddr='FF02::1:2'
+ srcportstart='546'
+ dstportstart='547'/>
+ </rule>
+
+ <!-- accept incoming DHCP responses from a specific DHCP server
+ parameter DHPCSERVER needs to be passed from where this filter is
+ referenced -->
+ <rule action='accept' direction='in' priority='100' >
+ <ipv6 srcipaddr='$DHCPSERVER'
+ protocol='udp'
+ srcportstart='547'
+ dstportstart='546'/>
+ </rule>
+
+</filter>
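Review bot: The comment above the outgoing rule in allow-dhcpv6-server.xml (and the identical comment in allow-dhcpv6.xml) says DHCP requests use MAC broadcast, but the rule it annotates matches dstipaddr='FF02::1:2', an IPv6 multicast group that is carried in a multicast MAC frame rather than the broadcast address, so the ordering concern that actually applies is with no-ipv6-multicast in this same series, which drops outgoing FF00::/8. Suggest replacing the two "MAC broadcast" lines with `note, this rule must be evaluated before IPv6 multicast traffic is discarded (no-ipv6-multicast) since DHCPv6 solicits go to FF02::1:2.`. The second comment in allow-dhcpv6-server.xml also misspells the variable it documents: `parameter DHCPSERVER needs to be passed from where this filter is` should match the `$DHCPSERVER` reference on the rule below it.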
diff --git a/src/nwfilter/xml/allow-dhcpv6.xml b/src/nwfilter/xml/allow-dhcpv6.xml
new file mode 100644
index 0000000000..f3512af153
--- /dev/null
+++ b/src/nwfilter/xml/allow-dhcpv6.xml
@@ -0,0 +1,24 @@
+<filter name='allow-dhcpv6' chain='ipv6'>
+
+ <!-- accept outgoing DHCP requests.
+ note, this rule must be evaluated before general MAC broadcast
+ traffic is discarded since DHCP requests use MAC broadcast.
+ according to https://tools.ietf.org/html/rfc3315#section-14,
+ client sends messages to FF02::1:2 from link-local addresses -->
+ <rule action='accept' direction='out' priority='100'>
+ <ipv6 protocol='udp'
+ srcipaddr='FE80::'
+ srcipmask='10'
+ dstipaddr='FF02::1:2'
+ srcportstart='546'
+ dstportstart='547'/>
+ </rule>
+
+ <!-- accept incoming DHCP responses from any DHCP server -->
+ <rule action='accept' direction='in' priority='100' >
+ <ipv6 protocol='udp'
+ srcportstart='547'
+ dstportstart='546'/>
+ </rule>
+
+</filter>
diff --git a/src/nwfilter/xml/allow-incoming-ipv6.xml b/src/nwfilter/xml/allow-incoming-ipv6.xml
new file mode 100644
index 0000000000..93e1b18784
--- /dev/null
+++ b/src/nwfilter/xml/allow-incoming-ipv6.xml
@@ -0,0 +1,3 @@
+<filter name='allow-incoming-ipv6' chain='ipv6'>
+ <rule direction='in' action='accept'/>
+</filter>
diff --git a/src/nwfilter/xml/allow-ipv6.xml b/src/nwfilter/xml/allow-ipv6.xml
new file mode 100644
index 0000000000..8da5188cb9
--- /dev/null
+++ b/src/nwfilter/xml/allow-ipv6.xml
@@ -0,0 +1,3 @@
+<filter name='allow-ipv6' chain='ipv6'>
+ <rule direction='inout' action='accept'/>
+</filter>
diff --git a/src/nwfilter/xml/meson.build b/src/nwfilter/xml/meson.build
index 95af75bb15..0d96c54ebe 100644
--- a/src/nwfilter/xml/meson.build
+++ b/src/nwfilter/xml/meson.build
@@ -2,8 +2,12 @@ nwfilter_xml_files = [
 'allow-arp.xml',
 'allow-dhcp-server.xml',
 'allow-dhcp.xml',
+ 'allow-dhcpv6-server.xml',
+ 'allow-dhcpv6.xml',
 'allow-incoming-ipv4.xml',
+ 'allow-incoming-ipv6.xml',
 'allow-ipv4.xml',
+ 'allow-ipv6.xml',
 'clean-traffic-gateway.xml',
 'clean-traffic.xml',
 'no-arp-ip-spoofing.xml',
@@ -11,6 +15,8 @@ nwfilter_xml_files = [
 'no-arp-spoofing.xml',
 'no-ip-multicast.xml',
 'no-ip-spoofing.xml',
+ 'no-ipv6-multicast.xml',
+ 'no-ipv6-spoofing.xml',
 'no-mac-broadcast.xml',
 'no-mac-spoofing.xml',
 'no-other-l2-traffic.xml',
diff --git a/src/nwfilter/xml/no-ipv6-multicast.xml b/src/nwfilter/xml/no-ipv6-multicast.xml
new file mode 100644
index 0000000000..a736366374
--- /dev/null
+++ b/src/nwfilter/xml/no-ipv6-multicast.xml
@@ -0,0 +1,9 @@
+<filter name='no-ipv6-multicast' chain='ipv6'>
+
+ <!-- drop if destination IP address is in the ff00::/8 subnet -->
+ <rule action='drop' direction='out'>
+ <ipv6 dstipaddr='FF00::' dstipmask='8' />
+ </rule>
+
+ <!-- not doing anything with receiving side ... -->
+</filter>
diff --git a/src/nwfilter/xml/no-ipv6-spoofing.xml b/src/nwfilter/xml/no-ipv6-spoofing.xml
new file mode 100644
index 0000000000..a9ca690345
--- /dev/null
+++ b/src/nwfilter/xml/no-ipv6-spoofing.xml
@@ -0,0 +1,15 @@
+<filter name='no-ipv6-spoofing' chain='ipv6-ip' priority='-610'>
+ <!-- allow UDP sent from link-local addresses (DHCP);
+ filter more exact later -->
+ <rule action='return' direction='out' priority='100'>
+ <ipv6 srcipaddr='FE80::' srcipmask='10' protocol='udp'/>
+ </rule>
+
+ <!-- allow all known IP addresses -->
+ <rule direction='out' action='return' priority='500'>
+ <ipv6 srcipaddr='$IPV6'/>
+ </rule>
+
+ <!-- drop everything else -->
+ <rule direction='out' action='drop' priority='1000'/>
+</filter>
--
2.28.0.97.gdc04167d37
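Review bot: The drop rule in no-ipv6-multicast.xml matching dstipaddr='FF00::' dstipmask='8' also covers the solicited-node (ff02::1:ffxx:xxxx), all-routers (ff02::2), MLD (ff02::16) and DHCPv6 (ff02::1:2) groups, so unlike the IPv4 counterpart this filter silences the guest's outgoing neighbour discovery, MLD and DHCPv6 rather than only application multicast. The rule carries no priority attribute, so only rules with a smaller priority value, such as the priority 100 accept in allow-dhcpv6, run before it; a guest given only this filter will presumably be unable to resolve neighbours or discover routers. The comment should say so rather than just restating the prefix, e.g. `<!-- note: ff00::/8 also contains the NDP, MLD and DHCPv6 groups; pair this filter with accept rules of lower priority value for those, or the guest's neighbour discovery is dropped too -->`.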
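Review bot: The priority 100 return rule in no-ipv6-spoofing.xml exempts every UDP datagram with a source anywhere in FE80::/10 from the $IPV6 check, which is far broader than the DHCPv6 solicit it is meant to pass (the corresponding accept in allow-dhcpv6 is pinned to ports 546/547 and FF02::1:2), so UDP traffic from a link-local address the guest does not own is never reached by the drop at priority 1000, which is the spoofing this filter exists to prevent. The comment already says "filter more exact later"; the exact form is one line, `<ipv6 srcipaddr='FE80::' srcipmask='10' protocol='udp' srcportstart='546' dstportstart='547'/>`. Separately, ICMPv6 neighbour and router solicitations are also sent from the guest's link-local address (and duplicate address detection from ::), so unless $IPV6 is populated with the link-local address as well, the priority 1000 drop would presumably discard them; the header comment should state what $IPV6 is expected to contain.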