[Ferm] [PATCH 1/2] Add support for netfilter module rpfilter
Thibault VINCENT
tibal at reloaded.fr
Fri Feb 13 00:39:26 CET 2015
This module is the preferred way to perform reverse path filtering for IPv6, and
a powerful alternative to checks controlled by sysctl.
---
NEWS | 2 ++
doc/ferm.pod | 13 +++++++++++++
src/ferm | 1 +
test/modules/rpfilter.ferm | 6 ++++++
test/modules/rpfilter.result | 4 ++++
5 files changed, 26 insertions(+)
create mode 100644 test/modules/rpfilter.ferm
create mode 100644 test/modules/rpfilter.result
diff --git a/NEWS b/NEWS
index 909dbdf..0079763 100644
--- a/NEWS
+++ b/NEWS
@@ -10,6 +10,8 @@
v2.2.1 - not yet released
- new function @defined
- support netfilter modules:
+ * rpfilter
+ - support netfilter targets:
* CHECKSUM
* NFQUEUE: support queue-balance, queue-bypass, queue-cpu-fanout
- recognize BROUTING as built-in chain (for ebtables)
diff --git a/doc/ferm.pod b/doc/ferm.pod
index 980476f..44b99ca 100644
--- a/doc/ferm.pod
+++ b/doc/ferm.pod
@@ -967,6 +967,19 @@ keyword.
L<http://snowman.net/projects/ipt_recent/>
+=item B<rpfilter>
+
+Checks a reply to the packet would be sent via the same interface it arrived on.
+Packets from the loopback interface are always permitted.
+
+ mod rpfilter proto tcp loose RETURN;
+ mod rpfilter validmark accept-local RETURN;
+ mod rpfilter invert DROP;
+
+This netfilter module is the preferred way to perform reverse path filtering for
+IPv6, and a powerful alternative to checks controlled by sysctl
+I<net.ipv4.conf.*.rp_filter>.
+
=item B<rt>
Match the IPv6 routing header (ip6 only).
diff --git a/src/ferm b/src/ferm
index 7d74eb4..21b2de1 100755
--- a/src/ferm
+++ b/src/ferm
@@ -282,6 +282,7 @@ add_match_def 'quota', qw(quota=s);
add_match_def 'random', qw(average);
add_match_def 'realm', qw(realm!);
add_match_def 'recent', qw(name=s !set*0 !remove*0 !rcheck*0 !update*0 !seconds !hitcount rttl*0 rsource*0 rdest*0);
+add_match_def 'rpfilter', qw(loose*0 validmark*0 accept-local*0 invert*0);
add_match_def 'rt', qw(rt-type! rt-segsleft! rt-len! rt-0-res*0 rt-0-addrs=c rt-0-not-strict*0);
add_match_def 'set', qw(!match-set=sc set:=match-set);
add_match_def 'state', qw(!state=c);
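Review bot: The new `rpfilter` definition registers the match with no restriction on where it may be used, while the kernel's xt_rpfilter match is only honoured in the PREROUTING hook (raw and mangle tables); a rule that places it in another chain passes ferm's parser and fails only when iptables is run. If add_match_def has no way to express a hook restriction that is acceptable to leave as is, but the manual entry added in doc/ferm.pod should then state it, e.g. `This match is only valid in the PREROUTING chain of the raw and mangle tables.` The four options are correctly declared as non-negatable flags, since the module provides `invert` rather than `!` syntax. The surrounding match table continues outside the hunk, so any domain-specific registration that might also be needed is not visible here.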
diff --git a/test/modules/rpfilter.ferm b/test/modules/rpfilter.ferm
new file mode 100644
index 0000000..c3e9c6f
--- /dev/null
+++ b/test/modules/rpfilter.ferm
@@ -0,0 +1,6 @@
+table raw chain PREROUTING mod rpfilter {
+ saddr 10.0.0.0/8 validmark RETURN;
+ interface tun0 accept-local RETURN;
+ interface ppp0 loose RETURN;
+ invert DROP;
+}
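Review bot: The test exercises rpfilter only in the default ip domain, although the patch description presents the match as the preferred reverse-path check for IPv6; nothing pins that the same options are emitted for ip6tables. A second block wrapped in `domain ip6 { ... }` with the same four rules, and the corresponding `ip6tables -t raw -A PREROUTING -m rpfilter ...` lines in test/modules/rpfilter.result, would cover that case. Combining two flags on one rule (e.g. `loose validmark`) is also untested, though the single-flag cases here are consistent with the expected output.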
diff --git a/test/modules/rpfilter.result b/test/modules/rpfilter.result
new file mode 100644
index 0000000..3a58a69
--- /dev/null
+++ b/test/modules/rpfilter.result
@@ -0,0 +1,4 @@
+iptables -t raw -A PREROUTING -m rpfilter -s 10.0.0.0/8 --validmark -j RETURN
+iptables -t raw -A PREROUTING -m rpfilter -i tun0 --accept-local -j RETURN
+iptables -t raw -A PREROUTING -m rpfilter -i ppp0 --loose -j RETURN
+iptables -t raw -A PREROUTING -m rpfilter --invert -j DROP
--
2.1.4