Development issues regarding the cerowrt test router project
From: Dave Taht <dave.taht@gmail.com>
To: cerowrt-devel@lists.bufferbloat.net
Subject: [Cerowrt-devel] bcp38 via ipset
Date: Thu, 16 Jan 2014 00:37:28 -0500
Message-ID: <CAA93jw5=7D13mWZ+8n8CuRH+MCMpOULm8pyK_u2sZGQTuhN=Dg@mail.gmail.com>

#!/bin/sh

# I am allergic to writing tons and tons of iptables rules. Perhaps
# using ipsets instead would be more efficient?
# a (borken) start at trying it below:

# drop any sets left over from a previous run so the creates below succeed
ipset destroy bcp38-ipv4 2>/dev/null
ipset destroy bcp38-ipv6 2>/dev/null
ipset destroy egress-ipv4 2>/dev/null
ipset destroy egress-ipv6 2>/dev/null

ipset create bcp38-ipv4 hash:net family inet timeout 0 hashsize 32
ipset add bcp38-ipv4 127.0.0.0/8
ipset add bcp38-ipv4 192.168.0.0/16
ipset add bcp38-ipv4 10.0.0.0/8
ipset add bcp38-ipv4 172.16.0.0/12
ipset add bcp38-ipv4 169.254.0.0/16

# But what should bcp38 look like for ipv6?
ipset create bcp38-ipv6 hash:net family inet6 timeout 0 hashsize 32
ipset add bcp38-ipv6 2001:DB8::/32 # example ipv6 addr kill
ipset add bcp38-ipv6 fc00::/7  # reject ula
ipset add bcp38-ipv6 ff00::/8  # reject multicast
ipset add bcp38-ipv6 fec0::/10 # reject site-local
ipset add bcp38-ipv6 ::ffff:0:0/96 # reject v6mapped (::ffff/96 would mask down to ::/96)

ipset create egress-ipv4 hash:net family inet timeout 0 hashsize 32
ipset add egress-ipv4 127.0.0.0/8
ipset add egress-ipv4 192.168.0.0/16
ipset add egress-ipv4 10.0.0.0/8
ipset add egress-ipv4 172.16.0.0/12
ipset add egress-ipv4 169.254.0.0/16

# you could then dynamically add your external ip even
# in a double nat situation in a dhcpd callback
# Prohibit multicast except for a few well known services?
ipset create egress-ipv6 hash:net family inet6 timeout 0 hashsize 32
ipset add egress-ipv6 fc00::/7
ipset add egress-ipv6 ff00::/8
ipset add egress-ipv6 2001:DB8::/32 # Block IPv6 example address
ipset add egress-ipv6 fec0::/10 # reject site-local
ipset add egress-ipv6 ::ffff:0:0/96 # reject v6mapped

# FIXME punch hole for network discovery?
# FIXME punch a hole for dhcpv6
# punch a hole for babel
# And for all that above, this attempt at rules doesn't work.
# output? some other chain?

iptables -A forwarding_wan_rule -m set --match-set egress-ipv4 dst -j REJECT --reject-with icmp-host-unreachable
ip6tables -A forwarding_wan_rule -m set --match-set egress-ipv6 dst -j REJECT --reject-with addr-unreach


-- 
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
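An offline model of the egress sets sketched in the message above, added here as an example (it is not Dave's script nor a CeroWrt component). It loads the message's prefixes with Python's ipaddress module, shows what the `::ffff/96` entry masks down to, and returns a verdict for constructed packets: BCP38 is source validation, so the source is checked against the bogon set and against the site's own prefixes first, and the destination check mirrors the message's `dst` match. OUR_PREFIXES and the sample packets are constructed assumptions.

```python
import ipaddress

# Prefix lists copied from the message above (constructed data), with the
# v6-mapped entry spelled out in full; "::ffff/96" as written masks to ::/96.
BOGONS_V4 = ["127.0.0.0/8", "192.168.0.0/16", "10.0.0.0/8",
             "172.16.0.0/12", "169.254.0.0/16"]
BOGONS_V6 = ["2001:db8::/32", "fc00::/7", "ff00::/8", "fec0::/10",
             "::ffff:0:0/96"]
# Hypothetical prefixes this site legitimately sources traffic from.
OUR_PREFIXES = ["203.0.113.0/24", "3fff:1::/48"]


def build_set(prefixes):
    """Stand-in for `ipset create ... hash:net` followed by `ipset add`."""
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def in_set(addr, netset):
    """Stand-in for `-m set --match-set <name> src|dst`; cross-family never hits."""
    return any(addr in net for net in netset)


def mapped_prefix_as_written():
    """What the message's `::ffff/96` denotes once the /96 mask is applied."""
    return str(ipaddress.ip_network("::ffff/96", strict=False))


def bcp38_verdict(src, dst, bogons, ours):
    """BCP38 is a source check: src must be ours and never a bogon; dst mirrors the message."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if in_set(s, bogons):
        return "REJECT bogon-src"
    if not in_set(s, ours):
        return "REJECT spoofed-src"
    if in_set(d, bogons):
        return "REJECT bogon-dst"
    return "ACCEPT"


def run_samples():
    """Evaluate constructed (src, dst) packets against the sets; returns verdicts."""
    v4, v6, ours = build_set(BOGONS_V4), build_set(BOGONS_V6), build_set(OUR_PREFIXES)
    samples = [("203.0.113.5", "198.51.100.9"),    # our address to a public host
               ("203.0.113.5", "10.0.0.1"),        # RFC1918 destination leaking out
               ("192.168.1.10", "198.51.100.9"),   # un-NATed private source
               ("198.51.100.7", "198.51.100.9"),   # source address we do not own
               ("fc00::1", "3fff:ffff::1"),        # ULA source on the WAN
               ("::ffff:203.0.113.5", "3fff:ffff::1")]  # v6-mapped source
    return [bcp38_verdict(s, d, v4 if ipaddress.ip_address(s).version == 4 else v6, ours)
            for s, d in samples]
```

Where the message matches `dst` in the WAN forwarding chain, the source-side check is what keeps a misconfigured or un-NATed host from leaking private or spoofed addresses upstream.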
