From d4440ae146e5d9ecd1fa33b47661b4d8c7eb4641 Mon Sep 17 00:00:00 2001
From: Mike Wang
Date: Wed, 30 Jul 2025 02:25:58 +0800
Subject: [PATCH] fix: Update iptables/nftables rules for IPv6
---
 src/ipv6ipt.c | 48 ++++++------------------------------------
 src/ipv6nft.c | 20 ++++---------------
 2 files changed, 10 insertions(+), 58 deletions(-)
diff --git a/src/ipv6ipt.c b/src/ipv6ipt.c
index 9d406c4..7e6027f 100644
--- a/src/ipv6ipt.c
+++ b/src/ipv6ipt.c
@@ -111,52 +111,16 @@ int fs_ipt6_setup(void)
  "--icmp-type", "11", "-j", "DROP", NULL},
  /*
- exclude special IPv6 addresses (from source)
+ exclude non-GUA IPv6 addresses (from source)
  */
- {"ip6tables", "-w", "-t", "mangle", "-A", "FAKESIP_S", "-s", "::/127",
- "-j", "RETURN", NULL},
-
- {"ip6tables", "-w", "-t", "mangle", "-A", "FAKESIP_S", "-s",
- "::ffff:0:0/96", "-j", "RETURN", NULL},
-
- {"ip6tables", "-w", "-t", "mangle", "-A", "FAKESIP_S", "-s",
- "64:ff9b::/96", "-j", "RETURN", NULL},
-
- {"ip6tables", "-w", "-t", "mangle", "-A", "FAKESIP_S", "-s",
- "64:ff9b:1::/48", "-j", "RETURN", NULL},
-
- {"ip6tables", "-w", "-t", "mangle", "-A", "FAKESIP_S", "-s",
- "2002::/16", "-j", "RETURN", NULL},
-
- {"ip6tables", "-w", "-t", "mangle", "-A", "FAKESIP_S", "-s",
- "fc00::/7", "-j", "RETURN", NULL},
-
- {"ip6tables", "-w", "-t", "mangle", "-A", "FAKESIP_S", "-s",
- "fe80::/10", "-j", "RETURN", NULL},
+ {"ip6tables", "-w", "-t", "mangle", "-A", "FAKESIP_S", "!", "-s",
+ "2000::/3", "-j", "RETURN", NULL},
  /*
- exclude special IPv6 addresses (to destination)
+ exclude non-GUA IPv6 addresses (to destination)
  */
- {"ip6tables", "-w", "-t", "mangle", "-A", "FAKESIP_D", "-d", "::/127",
- "-j", "RETURN", NULL},
-
- {"ip6tables", "-w", "-t", "mangle", "-A", "FAKESIP_D", "-d",
- "::ffff:0:0/96", "-j", "RETURN", NULL},
-
- {"ip6tables", "-w", "-t", "mangle", "-A", "FAKESIP_D", "-d",
- "64:ff9b::/96", "-j", "RETURN", NULL},
-
- {"ip6tables", "-w", "-t", "mangle", "-A", "FAKESIP_D", "-d",
- "64:ff9b:1::/48", "-j", "RETURN", NULL},
-
- {"ip6tables", "-w", "-t", "mangle", "-A", "FAKESIP_D", "-d",
- "2002::/16", "-j", "RETURN", NULL},
-
- {"ip6tables", "-w", "-t", "mangle", "-A", "FAKESIP_D", "-d",
- "fc00::/7", "-j", "RETURN", NULL},
-
- {"ip6tables", "-w", "-t", "mangle", "-A", "FAKESIP_D", "-d",
- "fe80::/10", "-j", "RETURN", NULL},
+ {"ip6tables", "-w", "-t", "mangle", "-A", "FAKESIP_D", "!", "-d",
+ "2000::/3", "-j", "RETURN", NULL},
  /*
  exclude marked packets
diff --git a/src/ipv6nft.c b/src/ipv6nft.c
index 8ba0c31..04b8430 100644
--- a/src/ipv6nft.c
+++ b/src/ipv6nft.c
@@ -110,30 +110,18 @@ int fs_nft6_setup(void)
  */
  " icmp type time-exceeded counter drop;\n"
  /*
- exclude special IPv6 addresses (from source)
+ exclude non-GUA IPv6 addresses (from source)
  */
- " ip6 saddr ::/127 return;\n"
- " ip6 saddr ::ffff:0:0/96 return;\n"
- " ip6 saddr 64:ff9b::/96 return;\n"
- " ip6 saddr 64:ff9b:1::/48 return;\n"
- " ip6 saddr 2002::/16 return;\n"
- " ip6 saddr fc00::/7 return;\n"
- " ip6 saddr fe80::/10 return;\n"
+ " ip6 saddr != 2000::/3 return;\n"
  " }\n"
  "\n"
  " chain fs_postrouting {\n"
  " type filter hook postrouting priority mangle - 5;\n"
  " policy accept;\n"
  /*
- exclude special IPv6 addresses (to destination)
+ exclude non-GUA IPv6 addresses (to destination)
  */
- " ip6 daddr ::/127 return;\n"
- " ip6 daddr ::ffff:0:0/96 return;\n"
- " ip6 daddr 64:ff9b::/96 return;\n"
- " ip6 daddr 64:ff9b:1::/48 return;\n"
- " ip6 daddr 2002::/16 return;\n"
- " ip6 daddr fc00::/7 return;\n"
- " ip6 daddr fe80::/10 return;\n"
+ " ip6 daddr != 2000::/3 return;\n"
  " }\n"
  "\n"
  " chain fs_rules {\n"
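Review bot: `ip6 saddr != 2000::/3 return;` (and the `daddr` twin in fs_postrouting) drops one exclusion the old list had: `2002::/16` lies inside 2000::/3, so 6to4 traffic that previously returned from these chains now continues into them, while the other six old ranges (::/127, ::ffff:0:0/96, 64:ff9b::/96, 64:ff9b:1::/48, fc00::/7, fe80::/10) are all outside 2000::/3 and remain covered. The same applies to the ip6tables hunk, where `"!", "-s", "2000::/3"` and `"!", "-d", "2000::/3"` replace the same seven-entry lists. If 6to4 should stay excluded, keep `" ip6 saddr 2002::/16 return;\n"` and `" ip6 daddr 2002::/16 return;\n"` next to the negated rules (and the ip6tables `"-s", "2002::/16"` / `"-d", "2002::/16"` entries); if dropping it is deliberate, the commit message should say so, since it currently reads as a pure simplification. The negated form also newly covers multicast ff00::/8 and every other non-2000::/3 range the old list missed, which is the better default. fs_nft6_setup starts before the hunk and the ruleset string continues after it.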